Thursday, September 10, 2020

Vendor (Security) Reviews are not Solution Security Reviews

A vendor's holistic (security/privacy) governance is not the same as the security/privacy posture of the particular solution a larger organization is looking to procure.

The reality is that many startup/SMB solutions differ (considerably), from a cyber-security perspective, from the vendor's general posture. Many startup/SMB solutions are built on and hosted with cloud service providers (CSPs) and, therefore, require a separate level of review.

Third-party risk management (TPRM) processes and teams are prevalent in corporate organizations; however, experience shows that they tend to couple the solution generically with the vendor, which is inadequate.

So, it is advocated that larger organizations focus on high-level governance for the vendor at large, coupled with low-level verification of the specific solution at hand.

How is this accomplished? Focus on control frameworks (NIST, ISO, SIG, HITRUST, ISF, COBIT) for the vendor, coupled with specific deep-dives on the solution itself. Deep-dives should include recent vulnerability scans, penetration tests and risk assessments of the specific solution performed by an objective third party, a mapping of the solution's controls back to organizational governance, and benchmarks against the CSP well-architected frameworks that are prevalent these days.
