SecureState Blog


Addressing Vendor Risk in Response to the Target Breach

A little more than a month after Target announced it suffered one of the largest data breaches in history, we now know that stolen vendor credentials were the keys to the kingdom.

So what does this mean for Target and other businesses who rely on vendors to conduct business? Simply, it means that security does not stop where your walls do. Every vendor with some level of access to your data has the potential to be the source of your next breach, and must be vetted accordingly.


Where to Begin

If you’re a Fortune 500 corporation, retailer, financial services firm or healthcare organization, then you need to monitor the security of your vendors. This is often a difficult process that includes:

1. An initial set of scoping questions sent to determine the vendor’s potential risk, typically based on data and network access.

2. A spreadsheet full of more detailed questions that is then sent to the vendor.

3. The vendor supplies their responses, and potentially a SAS70, SOC2, ISO 27001, or other document of their security program.

4. A small portion of these responses is then reviewed.

SecureState is no stranger to this dilemma. We’ve developed vendor assessment programs, as well as assisted clients in responding to security questions. The problem with this is that many of these vendors haven’t undergone this scrutiny before and are typically unprepared for the onslaught of obtusely worded questions provided on a client’s lengthy spreadsheet. If there is no employee tasked with Information Security, then there is no one that speaks the same language as the questions being posed. It’s unclear to both the client and the vendor which security controls are actually in place, and which truly are gaps.


Approaching the Problem

The best approach that we have found is to get security experts engaged on both sides. This means that clients and vendors both need to either hire their own security experts to engage in this process, or contract a third-party security expert to engage on their behalf.

Getting both parties on the same page is a good first step. For organizations seeking security information, tracking who has received a questionnaire, who has responded, and whether every question got a response is the next task, and it can quickly become overwhelming. Actually analyzing the answers and trying to identify the vendors that pose the greatest risk is even more difficult.


Automate and Assess

Automating vendor management through a process flow will greatly help you tackle this problem and quickly identify which vendors pose the greatest risk to your organization. In an upcoming blog, we will analyze the details of how organizations can do this with minimal time and resources.

In the meantime, another important component of managing vendor security is knowing where your data lies. For more information on this topic, download our whitepaper: “Who’s Got Your Data? Managing Vendor Risk.”


    1 year ago 

    “This is often a difficult process that includes:”

    #1 should be:

    “Convincing the business process owner and other management that this is mandatory even though it can significantly reduce the savings they thought they were getting by throwing the work and management of it over the fence.”

    Any tips on that subject would be of value to just about everyone.