Sunday, September 17, 2017

Your Third-Party Security Review Process is a Mess

Regardless of the control framework and / or process you utilize, most third-party review processes are poorly designed and inefficient.

On top of that, most orgs ask their vendors to maintain a level of security that said orgs can't follow themselves.

Amidst the Equifax breach, orgs will look to insert more vigor into their third-party review process, though few if any continuously monitor the security of their business ecosystem.

Instead of spending cycles completing matrices / spreadsheets, firms should invest in the following:

  • A vulnerability scan / penetration test (of limited scope) before any legal documents are executed.
    • A remediation plan for the findings should be agreed upon too.
  • A continuous monitoring / assessment agreement to ensure governance during the course of the contractual agreement.
  • Recurring audits / spot checks on the security governance established / expected.
