Nazy Fouladirad is President and COO of Tevora, a leading global cybersecurity consultancy, and a CMS Critic contributor.
Most organizations today depend on more than their internal teams and on-premises systems to run the business. The growing adoption of cloud platforms and "as-a-service" models across industries has led to a significant increase in organizations partnering with third-party providers.
While collaborating with multiple external vendors and service providers can help an organization grow, it also introduces new risk. Given the rise in cybercrime and today's strict regulatory requirements, a mature third-party risk management program is essential to keeping data secure, especially when that data is handled by parties outside the company.
Establishing strong business partnerships is an important component of business growth. Whether hiring an outside marketing firm to drive brand awareness or working with a managed services provider to outsource IT and cybersecurity, the right partnerships help businesses operate more efficiently. However, it's important to be aware of certain risks associated with extending your operations outside your organization.
When vendors require access to confidential business information to deliver their services, the duty to protect that data extends beyond the company's direct control. Without due diligence, this poses significant security challenges, particularly if a partner does not uphold the security standards your business adheres to.
While most service providers are obligated by data protection laws and regulations to protect sensitive client information, not all companies are equally secure. Beyond the financial impact of a major disruption across connected services, a business may also face significant fines and penalties if it fails to maintain the compliance standards that govern its industry, and that accountability generally remains with the business even when the failure originated at a vendor.
For organizations that need to have more transparency regarding potential security risks that may be present with a third party, security risk and compliance audits are essential. A third-party security and compliance audit or assessment is a methodical review process handled by outside risk management experts to thoroughly vet the security standards of any business partnership.
Depending on the industry your organization operates in, there are a variety of different assessments or audits that can be used to identify any areas of concern.
For example, a SOC 2 attestation, sometimes referred to as a SOC audit or SOC certification (the latter is technically incorrect, since SOC 2 produces an attestation report rather than a certification), is often used to benchmark a provider's internal controls against the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
These attestation reports are the opinion of a CPA firm on the provider's conformity with the Trust Services Criteria selected for the engagement. It is important to note that not all SOC 2 reports cover all five Trust Services Criteria; the scope is chosen by the provider, and only the security criterion is mandatory. A Type I report also evaluates only the design of controls at a point in time, whereas a Type II report tests their operating effectiveness over a review period, so check both the criteria in scope and the report type before accepting a report as evidence. A SOC 2 review is similar to, but somewhat less rigorous than, an ISO 27001 audit, which checks that systems and processes align with the framework established by the International Organization for Standardization.
FedRAMP High Authorization, used to assess Cloud Service Providers that perform critical and essential services for government agencies, includes over 400 controls and is more rigorous still than ISO 27001 certification.
To streamline third-party vendor assessments, many organizations accept a SOC 2 report, ISO 27001 certificate, HITRUST certification, or FedRAMP authorization as alternative evidence when vetting vendors rather than conducting one-off assessments.
Conducting a third-party compliance audit is often left to risk management specialists due to the complexity of the process. While every audit can be different depending on the depth and scale of the partnership, most external audits will follow a similar formula.
Below are the typical steps used when executing third-party security and compliance audits:
Thoroughly evaluating the business's active partnerships is the first step before performing any type of third-party audit. Oftentimes, businesses may be primarily concerned with only one or two active partnerships they rely on regularly.
However, a complete picture of your risk profile requires identifying every vendor you engage with: suppliers of physical goods, logistics companies you contract with, SaaS (Software-as-a-Service) providers, and any company with which you directly exchange company information.
Not all vendors are created equal. The most important vendors are those that you share the most sensitive data with, have access to your networks, host or build applications, have physical access to your facilities, or can interrupt your key business processes. These vendors are often referred to as Tier 1 vendors.
Vendors you rely on but that are not as critical can be considered Tier 2. Vendors that do not provide essential services, such as a coffee supply vendor or a shipping provider, may be considered Tier 3.
For Tier 3 vendors, just knowing that they are accounted for and have been identified as a Tier 3 vendor is all that is required.
Working with a trained risk assessment professional, you should define the assessment, process, depth, and acceptable alternative evidence allowed for each tier of vendor. By organizing your assessment process by Vendor Tier, you'll be able to narrow down the focus of your audits to the areas that are most critical for the services provided.
Building a successful vendor assessment plan should start with aligning your company's existing security framework (ISO 27000 series, NIST 800 series, HITRUST, or FedRAMP/StateRAMP) to your vendor assessment model. More mature vendors will typically have their own security programs built on one of these frameworks, and the ability to crosswalk between frameworks helps show how your company's controls are satisfied when a function is outsourced to a vendor.
A tool commonly used in third-party vendor management is the Standardized Information Gathering (SIG) Questionnaire, which maps its questions to various frameworks. The full SIG contains over 1,000 questions, whereas the SIG Lite contains roughly 200. Many vendors keep a completed SIG or SIG Lite on hand for review during the third-party assessment process, which can be an effective way to obtain standardized information from your vendors.
While portions of a third-party risk assessment can be performed without the direct involvement of your vendors, using external monitoring tools, their participation is essential to complete an assessment.
Many companies will make assessment requirements part of their new vendor onboarding process to ensure that all parties are aware of the potential for assessment before or during the length of the partnership. In any event, it's important to clearly lay out any requirements your business may have when it comes to completing assessments to ensure vendors are aware and willing to comply.
Some assessments are much more comprehensive than others. In all situations, though, it's important to define the scope of engagement that will be required for each vendor. This is another area where understanding your risk categories will help, as it will assist in prioritizing engagement in the right areas and with the right teams.
Doing so helps to avoid your vendors becoming overwhelmed with requests for information that could potentially cause strain on the relationship.
After gathering the required information, your risk management team can produce a detailed review of potential areas of concern. Given the volume of data collected, some areas may need additional investigation to confirm the review's accuracy and to ensure the findings are clear and actionable.
While your organization might prioritize and invest in proper security measures, not all vendors necessarily share that commitment. However, collaborating with skilled risk management experts can help confirm that all your partnerships value security and risk mitigation as much as you and your clients do.