Breaches to an organization through a third-party are not new or emerging. In 2015, Walmart had customer photos breached through their vendor. Similarly, in 2019, TransUnion had data taken when someone obtained credentials to a legitimate account and used it to obtain unauthorized information. Your organization, regardless of size, must take necessary, proactive steps to assess third-party risk adequately but to do so, it is important to first understand what to ask each third-party and how to validate the answers.

The primary source of obtaining this information is through a questionnaire which may also be taken to an audit if the answers received do not please the receiver (assuming the clause to audit is within the contract). At Packetlabs, we receive questionnaires from clients and potential regularly and they each range from 10 to 150 number of questions asked.

To start, you have to decide on whether you want each vendor to be assessed equally. This means the cleaners, the delivery company, and the financial services are all assessed with the same set of questions. If you don’t like that approach, you can decide to organize the third-party vendors into separate buckets depending on the information, or access they have to your organization.

How to assess

If you chose to split your third-party vendors, we have broken down the questions below into two categories, where one deals with access to data and the other deals with physical access to your premises only. If any third-party has access to both, you can combine the questions. The reason we choose not to break the data access, into whether it is sensitive or not, is to hold the third-party vendors accountable regardless of their service offering. These questions can be used as a baseline and enhanced upon as needed. The questions can be found immediately following the next section.

Grading the results

Once all answers have been obtained, you’ll need to grade the results and this can vary from organization to organization. Some answers only require a short answer, while others do not, which makes it different to properly weigh each question’s importance. Choosing the best option for you will come with experience and heavily depend on the thoroughness of your requirements. We’ve come across all different types of grading systems and have listed them below.

  1. A Simple Yes or No

This one is as simple as it gets. You count all of the answers and give a percentage grade. If 30/50 are sufficient, the vendor gets a 60%

  • Capability Maturity Model Integration (CMMI) uses four different grades that include incomplete, initial, managed and defined. More information on how to use it can be found at the CMMI Institute.
  • Weighted involves using weights for each question where one answer could have four times the weight than another to indicate its importance.

Questions: Physical Access

Rogue cleaners are becoming more frequent where individuals apply for cleaning positions are high-value organizations only to snoop and attempt to gain access to internal networks. If a third-party cleaner is used, you need to ensure the employees they deploy at your organization are trustworthy.

Question
Provide a list of individuals that will have access to our premises at [list addresses]
Have background checks been conducted on the individuals that have access to our premises?
Please provide proof of background checks for each. Provide frequency of background checks (e.g., once on hire, annual)
Can you please confirm the timeframe the cleaners will be at our premises for each location?

Questions: Data Access

The validation of the questions below will require an employee, or external party that has information security experience to validate. While some answers received may sound correct, a security trained individual may be able to weed out any answers that require additional information.

The questions below can be taken and advanced upon as required. Some of the questions are tailored to be specifically around your data to ensure the answers pertain to your data only.

DataPlease describe the company data you require from us to provide your service.
How do you encrypt customer data?
Describe how your organization decides who has access to our data.
Do you have capabilities to anonymize data (e.g., scrub customer data)?
Which groups of staff (individual contractors and full-time) have access to personal and sensitive data handed to you?
Do you keep sensitive data (as defined by your data classification matrix) in hard copy (e.g., paper copies)? If so, please describe.
Do you have a procedure for securely destroying hard copy sensitive data?
Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived or backed-up data?
Describe the circumstances in which customer data is allowed to leave your production systems?
Which of your vendors access our information?
Do these vendors contractually comply with your security standards for data processing?
Does sensitive or private data ever reside on endpoint devices? Please explain.
How do you limit data exfiltration from production endpoint devices?
Can employees access our data with their mobile devices?
Physical PremisesAre the office facilities and data centers used in providing services appropriately protected? Please describe.
Is physical access to buildings monitored (e.g., cameras, guards, motion sensors) logged and audited? Please describe.
Does a formal clear desk policy exist? Is it enforced?
Are systems and other hardware adequately protected from theft?
Are physical security mechanisms tested?
PolicyDo you have an internal password policy? Please attach.
Do you have complexity or length requirements for passwords?
How are passwords stored?
Do you have an information classification policy? Please attach.
Do employees have ability to remotely connect to your production systems? (e.g., VPN)
Are all employment candidates, contractors and involved third parties subject to background verification?
Is multi-factor authentication required for employees to log in to production systems?
Do you review your Information Security Policies at least once a year?
Do you have a dedicated information security team?
Do your information security and privacy policies align with industry standards (e.g., ISO 27000 series). Attach supporting documents.
Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?
Are all personnel required to sign Confidentiality Agreements to protect customer information, as a condition of employment?
Are all personnel required to sign an Acceptable Use Policy?
Vulnerability ManagementDo you do penetration testing on your environment? (e.g., web applications, external and internal infrastructure)
What is your timeframe for patching critical vulnerabilities?
What tools do you use for vulnerability management?
Are all endpoint laptops that connect directly to production networks centrally managed?
Do you keep an inventory of hardware and software assets?
Describe standard employee issued device security configuration/features. (e.g., Login Password, Anti-Malware, Full Disk Encryption, Administrative Privileges, Firewall, Auto-lock)
AlertingDo you have breach detection systems and/or anomaly detection with alerting?
Are all security events (e.g., authentication events, SSH session commands, privilege elevations) in production logged?
Is the production network segmented into different zones based on security levels?
How do you log and alert on relevant security events?
CryptographyAre all network traffic over public networks to the production infrastructure sent over cryptographically sound encrypted connections? (e.g., TLS, VPN, IPSEC). If there are plaintext connections, what is sent unencrypted?
What cryptographic frameworks are used to secure data in transit over public networks?
What cryptographic frameworks are used to secure data at rest?
What cryptographic frameworks are used to store passwords?
Security AwarenessDescribe your security awareness program for personnel.
How do you keep aware of potential security vulnerabilities and threats that may affect your service?
Incident ResponseDescribe or attach your Security Incident Response Program?
How is your Incident Response Plan tested? Include cadence.
Do you have a formal service level agreement (SLA) for incident response?
Do you have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems? What are your SLAs for notification?
Software DevelopmentDo you do static code analysis?
How do you ensure code is being developed securely?
How do you train developers in SSDLC / Secure Coding Practices?
Do you maintain a bill of materials for third party libraries or code in your service?
How do you monitor vulnerabilities in dependencies?
Do you outsource development?
AuditHow do you regularly audit your critical vendors?
How do you conduct internal audits (audits lead by your personnel) of the service? Please describe the scope, remediation process and frequency of audits.
How do you conduct external (third-party) audits of the service? Please describe the scope and frequency of audits.
Please provide a copy of the most recent report.
Which IT operational, security, privacy related standards, certifications and/or regulations do you comply with? Please provide a copy of the most recent certifications.
BackupIs there a formally documented Business Continuity Plan and Disaster Recovery Plan? If yes, please provide a copy of the documented plan.
Are backups sent to a secure off-site facility on a regular basis? Do you have access to the site?
Has the DR plan been tested? How frequently? Does it include restoration of data from backups? Please describe in the additional information column.

If your organization is looking to have third-party vendors assessed with a questionnaire or a penetration test, please contact us for details on how Packetlabs can assist you.