Third-party Risk Assessment - CompTIA Security+ SY0-701 - 5.3

00:01

Every organization works with vendors of some kind.

00:05

These might be an organization that provides payroll services.

00:08

You might have a separate email marketing service that you use.

00:11

You might have a travel department that's

00:13

external to your company or maybe

00:15

you just purchase all of your raw materials

00:17

from a third party.

00:18

With all of these relationships, some part of the company's data

00:23

is shared with that third party.

00:25

Some of this data may be relatively unimportant.

00:27

But if you're sharing information

00:29

with a payroll company, you're giving

00:31

a lot of your company's information

00:33

into the hands of a third party.

00:35

For that reason, it's always a good idea

00:37

to perform a risk analysis of the third party

00:40

to know exactly what's happening with your data

00:43

and how they're protecting the information that you're

00:45

providing to them.

00:47

Because you're working with a party that

00:48

is external to your company, it's

00:50

always a good idea to put the risk assessment

00:53

information into the contract that you

00:55

have with that organization.

00:57

This ensures that everyone understands the expectations

01:00

for this risk assessment.

01:01

And it also sets penalties if any part of that agreement

01:05

breached.

01:07

One common type of risk assessment

01:09

is penetration testing.

01:10

This is very similar to performing a vulnerability

01:13

scan, except we're trying to actively exploit

01:16

the vulnerabilities that might exist in an operating

01:18

system or an application.

01:20

This might be a requirement you set internally to your company,

01:24

or it might be a mandate that is written

01:26

into the contract between you and a third party.

01:29

For example, this could require that yourself

01:31

and the third party execute penetration tests

01:34

over a standard interval of time.

01:36

And this might involve a third party company that specializes

01:40

in penetration testing.

01:42

That way, you and your vendor are both using this third party

01:46

to create reports showing what type of security is in place

01:50

and how well that security is working.

01:53

Most penetration tests also include a document

01:56

called the rules of engagement.

01:58

This sets the parameters so that everybody understands

02:01

the scope of the test and exactly what devices

02:04

will be tested.

02:05

For example, the rules of engagement

02:07

might say that this is an on-site physical breach test.

02:10

So someone will be attempting to gain access to your facility.

02:13

Or it might be a test that's handled internally

02:16

inside of your company.

02:18

Or it might be a test that's done across the internet

02:20

to simulate someone who's on the outside.

02:23

We can also set parameters around when

02:25

the test will occur.

02:26

This might be on a particular date and time.

02:29

Or you may specify that it's only

02:31

to take place during normal working hours or perhaps only

02:34

after working hours are over.

02:36

And most rules of engagement will

02:38

include information such as the IP address ranges

02:41

that will be tested, any emergency contacts, which

02:44

may be very important if something

02:45

goes wrong during the test.

02:47

You might also want to specify how the third party should

02:50

handle any sensitive information that they

02:52

might happen to come across during this penetration test.

02:55

And you may set specific parameters

02:57

around which devices are in scope during the test

03:01

and which devices are out of scope

03:03

and should not be touched during this process.

03:06

When you're working in partnership with a third party

03:09

vendor, you're commonly going to share some type of data

03:12

between the organizations.

03:14

This is especially true if you use a third party for payroll

03:18

or some other type of third party service

03:20

or if you're outsourcing part of your organization's functions

03:23

to a third party.

03:24

It may be that this third party is holding and managing all

03:28

of the data in their facility.

03:30

Or it may be something like an internet provider, where

03:32

all of your internet traffic traverses that company's links.

03:36

For those reasons, it might be a good idea

03:38

to perform regular audits to ensure

03:40

that all of their security is up to date and working

03:43

as expected.

03:45

Normally, we would integrate this requirement

03:47

into the contract itself into a clause called the right

03:50

to audit.

03:51

This means that everyone understands

03:53

that regular audits will occur.

03:55

And this might even set parameters for that audit

03:58

and how they can be handled.

03:59

This allows both sides to understand

04:01

what type of security controls are in place

04:04

and how those controls are used to protect the company's

04:06

information.

04:08

In many cases, neither yourself nor the vendors

04:11

you're working with are the ones performing the audit.

04:14

It's very common to have a third party come in

04:17

and perform the audit as someone who's

04:19

outside the scope of the contract.

04:21

Sometimes, these audits are required

04:23

based on the type of data that's stored.

04:25

And it may be part of your company's compliance

04:27

to make sure that an audit occurs.

04:29

But even if there isn't a specific compliance need,

04:32

it's always a good idea to perform regular audits.

04:36

From a security perspective, these audits

04:38

are focusing on all of the security controls

04:40

surrounding the relationship between yourself

04:43

and your vendors.

04:44

For example, you may want to look

04:46

into access management, any offboarding

04:48

processes and procedures, what type of security

04:51

is associated with passwords?

04:53

And how are those passwords stored?

04:55

And what type of controls are in place to allow or disallow

04:58

access to the VPN?

05:00

There are almost always opportunities

05:02

to improve the security controls that are in place.

05:04

And once you perform an audit, you'll

05:06

have documentation that shows exactly what security

05:09

controls might be improved to provide additional security.

05:13

And most vendor relationships are

05:15

going to be over an extended period of time.

05:17

So you want to not only perform a single audit,

05:20

but you'll want to have continued audits perhaps

05:23

occurring at regular intervals.

05:26

The supply chain describes the entire process

05:28

that occurs from the beginning with the raw materials

05:32

all the way until a final product is created.

05:34

And there are security concerns that

05:36

take place through every step of the supply chain process.

05:40

This is why it's often a good idea to perform a supply chain

05:43

analysis.

05:44

This will give you a chance to understand

05:46

the entire process and where security concerns may lie.

05:50

There are a number of different steps

05:52

that you can follow to understand how the security

05:55

might be for your supply chain.

05:56

You might want to start with understanding

05:58

how we get a product or service from the vendor

06:01

to the customer.

06:02

We could also evaluate how different groups are

06:05

coordinated between both of the organizations

06:08

and understand where there might be areas where you

06:11

can improve that communication.

06:12

At the technical level, you'll want

06:14

to understand how the security is handled between the two

06:17

teams at your organization and the third party vendor.

06:20

And you'll want to document any changes

06:22

to the business process that occur between yourself

06:25

and the vendor.

06:26

The security concerns for the supply chain are very real.

06:29

A good example of this occurred between March and June of 2020

06:34

when a software update from a third party

06:36

installed malware into all of their customers' networks.

06:40

This was announced in December, 2020 by the company SolarWinds.

06:45

An attacker was able to breach the SolarWinds network,

06:48

install malware into the code of the product,

06:51

and then SolarWinds deployed that malware update

06:54

with a valid SolarWinds digital signature.

06:58

This update was installed into some of the largest

07:00

networks in the world.

07:01

And it's estimated that out of the 300,000 customers that

07:05

could have been impacted by this, at least 18,000 of them

07:09

had this malware installed as part of this update.

07:12

It's now very possible that the 300,000 customers are now

07:16

reevaluating the process they use for supply chain analysis.

07:21

When you're working for an organization,

07:22

your scope tends to be very focused

07:24

on the processes and procedures for that single organization.

07:28

For that reason, it might be valuable to bring

07:31

in someone from the outside who has a different perspective.

07:34

These independent assessments might provide you

07:37

with a different perspective that you're not

07:39

able to get from inside of your own organization.

07:42

If you find a knowledgeable third party

07:44

to perform these assessments, they

07:46

can provide you with interesting insights

07:48

that they're able to gather across

07:50

many different organizations.

07:52

And that broad scope of understanding

07:54

may provide you with an increased level of security

07:57

for your organization.

07:58

And if you're bringing in a knowledgeable third party,

08:01

you may be able to receive insights into your security

08:04

that you simply weren't considering.

08:06

Before bringing a third party organization into your company,

08:10

you may hear other people mention that they're

08:12

performing due diligence.

08:14

This describes the process of investigating and getting

08:17

more information about a company before you decide

08:20

to do business with them.

08:21

This might involve investigating and verifying information

08:24

that the company has provided.

08:26

For example, they might say that they've

08:27

made a certain amount of money over the last few years,

08:30

and they have a certain number of customers.

08:32

This might also include background checks or interviews

08:35

with individuals in that third party organization.

08:38

It's very important when working with a third party

08:41

that you maintain a business relationship.

08:43

But there are times when there might

08:45

be a conflict of interest.

08:47

This means that there is something

08:49

that might compromise the judgment on either side

08:52

of the business relationship.

08:54

For example, you may find out that a potential third party

08:57

that you would like to work with is also doing business

09:00

with your largest competitor.

09:02

Or you might find out that this third party

09:04

company employs a relative of one of your executives.

09:07

And another conflict of interest might be that the third party

09:10

company is offering gifts if the contract between the two

09:14

organizations is signed.

09:16

All of these situations are clear conflicts of interest.

09:19

And it may prevent the two companies

09:21

from doing business with each other.

09:23

Once the contract is signed, the work is really just beginning.

09:26

Not only are you entering to a business relationship

09:29

with this third party, you'll also

09:31

want to have continued monitoring of the relationship

09:34

between the two companies, especially from the perspective

09:37

of IT security.

09:39

It's very common to have these monitoring processes occur

09:42

rather frequently so you can perform financial health

09:45

checks, perform IT security reviews,

09:48

and it might be a good idea to monitor the news

09:50

to see what type of articles or social media posts

09:54

might be associated with this partner.

09:57

A company will often have relationships

09:58

with many third parties.

10:00

And the monitoring that you perform

10:02

with each of those companies may be slightly different.

10:05

It might be useful to have both quantitative and qualitative

10:08

monitoring for all of your vendors.

10:10

This often means that there is an individual or group

10:14

of individuals within your organization

10:16

that are responsible for the relationship

10:18

between your company and the third party.

10:20

And this group within your company

10:22

would therefore be responsible for performing the vendor

10:26

monitoring.

10:27

One very common way to perform this vendor monitoring

10:30

is to send over a questionnaire to the third party.

10:32

This questionnaire is a relatively simple way

10:35

to find out more information about the way the vendor does

10:38

business.

10:38

For example, you may want to know

10:40

what the vendors due diligence process looks like

10:43

and what they do to prevent any type of conflicts.

10:46

Or perhaps you want to know what plans the vendor might

10:48

have for disaster recovery.

10:50

If something happens to the vendors facility,

10:53

how will they stay up and running

10:54

to be able to support you?

10:56

At a technical level, you might want

10:58

to know what type of storage method

11:00

is used to store your data and how is that data protected.

11:03

All of these questionnaires can help you understand more

11:06

about the security at that vendor site

11:09

and may allow you to recommend or change some of the ways

11:12

those processes and procedures are handled in the future.

11:15

The answers you receive from that third party

11:17

are integrated into the risk analysis for that vendor.

11:21

And they are constantly updated throughout the relationship

11:24

with that third party.