Management, compliance & auditing

Top 5 Questions to Ask Your Vendors about Their Security Policies

Irfan Shakeel
August 30, 2017 by
Irfan Shakeel

Cyber security is one of the most critical issues the U.S. faces today. The threats are real, and the need is pressing. The cyber security status is unstable, especially considering the enormous and growing scope of the threats. Thus, cyberspace’s dynamic nature must be acknowledged and addressed by policies that are equally adaptive.

As many breaches have happened previously via targeting vendors first, there is a need to address cyber threats associated with the vendors. Evaluating a vendor’s security policies is one possible way to assure data security at their end. A security policy is the company’s best defense against a possible breach. It helps restore a network and information if a breach has happened.

Having a security policy is a must for any organization to manage business risks through defined controls that provide a benchmark for audit and corrective action. Moreover, it also helps an organization define what should be done in the event that users abuse the network, or in case of a network outage due to a natural disaster or an attack on the network.

The breach at Target Corp. that exposed credit card and personal data of more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer. Moreover, the details of more than 70 million customers of the food-to-clothes chain were compromised, including the accounts of about 40 million credit card holders, snatched by a criminal who entered the system using access granted to a refrigeration and air conditioning supplier.

With so many breaches worldwide, regardless of industry, organizations are moving towards adopting security services to secure their communication and data. However, finding the best and secure vendor is hard nowadays. To make sure that your company stays ahead of the threat, consider the following security questions to ask your vendors.

Have you achieved any data protection standards?

There are security standards that a company should follow to meet the market competition. Whether your organization prefers certification from ISO 27001, SSAE16 or Safe Harbor, those security standards are doubly important for your vendors to obtain as you have less control over entities outside of your company, and ostensibly, the data you share with those vendors.

Certification and implementation of ISO 27001 and other standards that are defined by the vendors provide the company a strategic information security framework that can help win business and educate staff on protecting valuable data.

How do you assess employees' security understanding?

This question will help you get an idea of how seriously your employees take security. If they answer with a detailed and established process of their security awareness program, then it’s good to go. If not, be reminded that human error accounts for nearly all major security breaches.

A vendor that does not provide enough reliable security awareness training is not worth your time to ask further questions. Drop that vendor and look for another.

Do you separate customer data from the main infrastructure?

If your vendors are giving you detailed information about their practices, such as their methods of encrypting data and its secure transmission, then they are doing well. The same thing can be said about the segmentation of client data and critical infrastructure, as many breaches could have been easily avoided, or at least its impact could have been reduced, by storing sensitive customer data in a different place than where their vendor portal resided.

Not separating the database from the web server would be the worst mistake by any vendor as it makes it easier for a hacker to access it. So, a database should reside on a separate database server located behind a firewall, not in the DMZ with the web server. While this makes for a more complicated setup, the security benefits are well worth the effort.

What security training do your development and testing teams receive?

This question is for vendors providing the software solution and has its own weightage in assessing the vendor’s position in securing your organization’s data. Vendors’ negligence to perform secure programming creates a huge loophole in security infrastructure for rampant attack vectors and automated attacks. Thus, it is essential to acquire security related training to allow their employees to practice and accomplish their task securely.

What is your disaster recovery plan?

Asking this question is highly recommended and essential because it tends to reveal how proactive a vendor is in keeping up with their own data security and disaster planning. Their answers would indicate how vigilant they are likely to be when things hit the fan. An active and dedicated information security team can make a huge difference when it comes to sharing relevant threat data and detailing exact plans for technology outages to minimize financial loss in both your business and theirs.

If the vendor does not have any recovery plan, it is risky to rely on them. In many cases, the attacker targets the vendor first to gain the organization’s details. Associating with a vendor that doesn’t pose an effective security posture with recovery plan is not worth it.

As establishing a foolproof security layer in an organization is highly necessary and should be addressed with extreme caution, enforcing an internal Service-Level Agreement (SLA), security policies and contract will help a lot. Add to that the fundamental questions discussed above that can help in choosing your security vendor, which is the defining posture of your organization’s security. Moreover, these questions will create a broader picture of what you are getting and how reliable the vendor will be for your organization and its market growth.

Irfan Shakeel
Irfan Shakeel

Irfan Shakeel is the founder & CEO of ehacking.net An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book title “Hacking from Scratch”. He loves to provide training and consultancy services, and working as an independent security researcher.