Third-party security assessments: applying SABSA

Organisations around the world are increasingly relying on third-party vendors to provide them with competitive advantage. Many companies, in a race to optimise processes and reduce costs, begin to outsource core functions. This increases their risk profile and creates new challenges of supplier oversight.

Dealing with third parties has grown bigger than being just a procurement issue. The suppliers that companies increasingly rely on pose not only legal but also reputational risks that cannot be fully transferred. Security and privacy incidents involving third-party providers are presenting new management challenges. Moreover, regulators are increasingly demanding that third-party risk be managed.

Suppliers, however, have their own challenges. A constant squeeze on costs from their clients reduces profit margins, making it increasingly difficult for vendors to prioritise the implementation of security requirements.

How do we make sure the suppliers we work with are trustworthy? How do we minimise the risk exposure from a potential incident? What level of assurance is required for a supplier?

These are the questions I’m going to answer in this blog.

Understanding business drivers and goals is essential for developing a third-party risk management approach. By analysing the company’s corporate strategy I was able to derive multiple business attributes relevant to the shareholders. One of them stands out: Trusted. I’m going to disregard the other attributes and focus on this one for the purposes of this case study. Not only is it important for the company to be trusted by its customers, but trustworthiness is also something I’m going to explore in this blog from the third-party relationship standpoint.

After a workshop with the CIO and IT managers in various business units, I’ve defined the following IT attributes supporting the main business attribute (Trusted): Transparent, Assured and Managed.

How does the security function support the wider IT objectives and their corresponding attributes? After a number of workshops and an analysis of the security strategy document I’ve managed to create a number of security attributes. Below is a simplified example mapping them to the business and IT attributes in scope:


Dealing with customers and managing relationships with them is one of the core activities of the company. As discussed above, being trusted by its customers is one of the main values of the organisation. The IT department, through the implementation of its technology strategy, supported the business stakeholders in Sales and Marketing in outsourcing the customer relationship management platform to a third-party provider. A cloud-based solution has been chosen to fulfil this requirement.

A combination of attribute profiling, trust modelling and risk analysis is used to assess the degree of assurance required and compare third-party providers. Below is a recommended approach based on the attributes defined.

[Figure: Security attributes mapping]

Based on the internal security policy the following questionnaire has been developed to assess the supplier. Responses from the supplier have been omitted to preserve confidentiality. Below is a short excerpt from the section of the questionnaire related to cloud services; each question is listed with the security attribute it is mapped to.

Question | Attribute
Are terms of service and liabilities clearly defined in service agreements? | Governed
Are escrow arrangements in the supplier contract agreement and cloud service agreements registered with procurement and documented in the cloud service register? | Identified
Are physical security and environmental controls present in the data centre that contains company data? | Integrated
Are procedures for user authentication, authorization and access termination documented? | Access-Controlled
Has the Business Continuity Plan been reviewed and approved by the executive management? | Governed
How often are the Business Continuity and Disaster Recovery Plans tested? | Available
Is there a specific Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? If yes, specify the RTO and RPO for the company services. | Available
Are default settings customised to implement strong encryption for authentication and transmission? | Access-Controlled

Attribute compliance is assessed from the questionnaire answers, as every question is mapped to a specific attribute. Where an attribute corresponds to multiple questions, all answers are rated separately and an average rating is then calculated for that attribute. Exceptions apply where certain questions are identified as having priority (a higher level of impact on attribute compliance) over the other questions mapped to the same attribute. Expert judgement is applied to analyse such situations.

Attributes are evaluated at three levels:

  • High level of compliance with policy (Green),
  • Medium level of compliance with policy (Amber),
  • Low level of compliance with policy (Red)
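The scoring described above, as an added example that is not part of the original post: answers are rated per question, averaged per attribute, and mapped to Green/Amber/Red, with a priority question's own level capping its attribute (the 0/1/2 rating scale, the thresholds and that cap rule are assumptions, since the post leaves them to expert judgement).

```python
# Added example: scoring questionnaire answers into per-attribute RAG levels.
# Assumed (not on the page): answers rated 0 = non-compliant, 1 = partial, 2 = compliant;
# the thresholds and the "priority question caps its attribute" rule are illustrative.
from collections import defaultdict, namedtuple
from statistics import mean

LEVELS = ("Red", "Amber", "Green")  # ordered worst to best
# text, the security attribute it maps to, and whether it outweighs others on that attribute
Question = namedtuple("Question", "text attribute priority", defaults=(False,))

def rag(score: float) -> str:
    """Map a rating in [0, 2] to the three compliance levels (assumed thresholds)."""
    if score >= 1.5:
        return "Green"
    return "Amber" if score >= 0.75 else "Red"

def score_attributes(questions, ratings):
    """Average ratings per attribute; unanswered questions count as 0 (never as compliant)."""
    per_attr = defaultdict(list)
    ceiling = {}  # attribute -> lowest rating among its priority questions
    for q in questions:
        r = ratings.get(q.text, 0)
        if r not in (0, 1, 2):
            raise ValueError(f"rating for {q.text!r} must be 0, 1 or 2")
        per_attr[q.attribute].append(r)
        if q.priority:
            ceiling[q.attribute] = min(ceiling.get(q.attribute, 2), r)
    result = {}
    for attr, rs in per_attr.items():
        level = rag(mean(rs))
        if attr in ceiling:  # expert-judgement priority rule modelled as a cap
            level = min(level, rag(ceiling[attr]), key=LEVELS.index)
        result[attr] = level
    return result

# Constructed sample: questions from the cloud-services excerpt above, made-up ratings.
QUESTIONS = [
    Question("Terms of service and liabilities defined in agreements?", "Governed", True),
    Question("BCP reviewed and approved by executive management?", "Governed"),
    Question("How often are BCP and DR plans tested?", "Available"),
    Question("Specific RTO and RPO defined for company services?", "Available"),
    Question("Authentication, authorization and termination procedures documented?", "Access-Controlled"),
    Question("Defaults customised for strong encryption?", "Access-Controlled", True),
]
SAMPLE_RATINGS = {q.text: r for q, r in zip(QUESTIONS, (2, 2, 1, 2, 2))}  # last one unanswered
```

In the sample the unanswered priority question on encryption drags Access-Controlled from Amber (plain average) down to Red, which is the effect the priority exception is meant to capture.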



Security Programme Maturity Assessment


When there is a need to quickly determine where a company stands in terms of the maturity of its security programme, the questionnaire below, which I developed, can be useful in this endeavour.

Question | Status | Comments | Evidence
1. Information security policy
1.1 Is there an information security policy that is appropriate to the purpose of the organisation, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and for continual improvement?
1.2 Is the policy documented and communicated to employees within the organisation and available to interested parties, as appropriate?
1.3 Is there an established ISMS policy that is ensuring the integration of the information security management system requirements into the organisation’s processes?
2. Information security risk assessment and treatment
2.1 Has an information security risk assessment process been defined and applied?
2.2 Is there an information security risk treatment process to select appropriate risk treatment options for the results of the information security risk assessment, and are controls determined to implement the risk treatment option chosen?
3. Planning and measuring
3.1 Are measurable information security objectives and targets established, documented and communicated throughout the organisation?
3.2 Does the organisation determine what needs to be done, when and by whom, in setting its objectives?
4. Internal audit
4.1 Does the organisation conduct internal audits at planned intervals to provide information on whether the information security management system conforms to requirements?
5. Management review
5.1 Does the leadership undertake a periodic review of the information security processes and controls, and ISMS?
6. Corrective action and continual improvement
6.1 Does the organisation react to the nonconformity and continually improve the suitability, adequacy and effectiveness of the information security management system?
7. Legal compliance
7.1 What security laws and data protection legislation apply to the organisation?

Download the full Questionnaire (with instructions)

Image courtesy Pong / FreeDigitalPhotos.net