Security Risk Assessment of Your Vendors and Yourself - Part 2


In my previous article, I wrote about how organizations should be assessing the security controls in their third-party vendors' environments. Yet, in today's day and age, many companies are both consumers and suppliers, i.e. vendees as well as vendors. As a vendor or provider that has access to other organizations' data, we may be the ones who need to provide our clients with verification of our security controls. If you're at a wealthy firm that performs annual SOC 1 and SOC 2 audits, then you're providing your clients with those reports. Just to clarify, I'm not talking about passing along the audit reports from your datacenter provider. Those aren't sufficient: they cover the provider's physical and operational controls, not the processes your own staff run on top of that infrastructure. I'm talking about audits of your own operational processes, which a lot of organizations can't afford to do each year. If you're not one of the well-funded shops, then you're handling this verification the manual way, over and over again, by taking system screenshots and sanitizing each one so that it shows only that client's information and redacts anything non-public or belonging to other clients.

Repeatedly providing evidence of your security controls can feel mind-numbing. Unless you think that Sisyphus was having fun rolling his boulder, you can probably relate to the tedium of these audits. In my previous article, I wrote about a perfect solution for third-party vendor risk assessments by DatumSec. The great part about their Vendor Assessment Program is that you can also use it for self-assessment. In addition to assessing your vendors with it, you can use it to provide your clients with verification of your own security controls. Plus, you can give all your clients the same assessment information simultaneously; weeks of repetitive work is replaced by a single automated run.

So, what is it that the DatumSec tool actually assesses? It checks all in-scope systems against security benchmarks from CIS and USGCB. This includes policy settings, such as ensuring complex passwords are required, verifying that antivirus software is installed, and confirming that a local firewall is in use. It also assesses unpatched system vulnerabilities against the OVAL definitions and the MBSA (Microsoft Baseline Security Analyzer) catalog. You may have a system that regularly pushes out security patches to your endpoints, but how do you verify that the patches installed successfully? If some critical patches fail to install, how would you find out? Likewise, you may have a group policy that enables client firewalls, but what if the firewall fails to enable on some endpoints? Deployment tooling reports what it sent; only the endpoint can tell you what actually took effect.
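The questions above (did the patch really install, is the firewall really on, is antivirus really present) are the kind of per-endpoint evidence an assessment tool collects. The script below is an added example of collecting that evidence yourself on one Windows host; it is not DatumSec's code and does not use their product. The list of expected KB identifiers and the agent service name `ExampleAgent` are assumptions standing in for your own patch baseline and whatever endpoint agent you deploy; the `AntiVirusProduct` class in `root/SecurityCenter2` exists on client editions of Windows, not on servers. Run it in an elevated PowerShell session.

```powershell
# Added example (not DatumSec's code): collect evidence of basic endpoint
# controls on a Windows host and write one CSV row per machine.
# Run elevated. The KB list and the agent service name are ASSUMPTIONS;
# replace them with your own baseline.

param(
    [string[]]$ExpectedKBs = @('KB4012212'),   # ASSUMPTION: patches your deployment system says it pushed
    [string]$AgentService  = 'ExampleAgent'    # ASSUMPTION: hypothetical endpoint agent service name
)

$results = [ordered]@{}

# 1. Host firewall: a GPO can turn it on, but each profile must actually report
#    Enabled=True. Get-NetFirewallProfile exists on Windows 8 / Server 2012 and later.
$profiles = Get-NetFirewallProfile
$disabled = @($profiles | Where-Object { -not $_.Enabled })
$results['FirewallAllProfilesEnabled'] = ($disabled.Count -eq 0)
$results['FirewallDisabledProfiles']   = ($disabled | ForEach-Object { $_.Name }) -join ','

# 2. Patch verification: compare what the deployment system claims against what
#    the OS records. A KB missing from Get-HotFix either failed or never arrived.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($ExpectedKBs | Where-Object { $_ -notin $installed })
$results['PatchesAllInstalled'] = ($missing.Count -eq 0)
$results['PatchesMissing']      = $missing -join ','

# 3. Antivirus: Security Center (client SKUs only) lists registered AV products.
#    On a server SKU this query returns nothing, so the check is reported as unknown.
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if ($null -eq $av) {
    $results['AntivirusRegistered'] = 'unknown (SecurityCenter2 not available)'
} else {
    $results['AntivirusRegistered'] = (@($av).Count -gt 0)
}
$results['AntivirusProducts'] = (@($av) | ForEach-Object { $_.displayName }) -join ','

# 4. Password complexity: export the effective local security policy with secedit
#    and read PasswordComplexity (1 = complexity required). On a domain member the
#    exported value reflects the policy the domain GPO applied.
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg /quiet | Out-Null
$match = Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d)'
Remove-Item $cfg -Force -ErrorAction SilentlyContinue
$complexity = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }
$results['PasswordComplexityEnabled'] = ($complexity -eq '1')

# 5. Agent presence: an agent that is installed but not running is not a control.
$svc = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
$results['AgentServiceRunning'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# Emit one row per host so results from many endpoints can be merged and diffed
# against the baseline instead of screenshotted one at a time.
$row = [pscustomobject]$results
$row | Add-Member -NotePropertyName ComputerName -NotePropertyValue $env:COMPUTERNAME
$row | Export-Csv -Path "$env:COMPUTERNAME-controls.csv" -NoTypeInformation
$row
```

Running this across a fleet (for example through a scheduled task or a remoting loop) gives you the same kind of per-host control evidence an automated assessment compiles, in a form that can be shared with every client at once instead of redacted screenshot by screenshot.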

These are just some of the critical security controls into which you gain visibility using DatumSec's Vendor Assessment Program. Not only does this solution make it easy to provide your clients the validation they want, it also gives you valuable information about how well your security program is working. Finding out where you're exposed, and being able to fix it, improves your security posture and brings peace of mind.

Currently, this endpoint assessment works on Windows and Mac systems. The data collection is also extensible, using SCAP components such as XCCDF and OVAL, so additional verifications can be added to your portal. For instance, DatumSec did this to add verification of Bit9 (Carbon Black) agents for an organization that wanted to validate those installations on its endpoints. Overall, I've been very impressed with DatumSec, one of our new Southern California technology startups, operating out of Pasadena. They created an incredibly easy to use, comprehensive, third-party vendor assessment solution. This is such a critical need for organizations that use vendors; most should find the offering to be a great value.

Gary Landau

Gary Landau has been leading IT and information security teams for over 25 years at startups as well as large global organizations. He is passionate about continuously improving system reliability, performance and security. Mr. Landau has an MS in Computer Science, numerous technical certifications such as CISSP and CCNP, and is one of the founding board members and past President of the LA chapter of the Cloud Security Alliance.