One of the most complex information security challenges is ensuring a proper level of protection when a third party is involved. In most cases, there is no direct control over the vendor's infrastructure. This means we must rely on contracts and/or agreements and, in the end, trust that our partners will follow the defined security requirements.
Also, since the human factor plays a key role in today’s corporate data protection, providing a proper level of education and awareness for third-party personnel creates yet another challenge that every chief information security officer (CISO) must undertake. But this challenge is usually quite different from training a company’s own employees — as in any relationship with a vendor, a clash of different corporate cultures is expected.
This complex situation is a reality at Magnesita Refractories, one of the leaders in the global market for refractory solutions and services. With plants and offices in several countries, including Brazil, Argentina, Germany, China and the U.S., there is no shortage of relationships with third parties and IT vendors. As the person in charge of managing this arduous task, Magnesita's Global Information Security Officer Bernardo Martins Horta spoke with InfoSec Institute about how third-party and vendor security risks are handled in practice.
InfoSec Institute: What are the biggest challenges with managing vendor-related security risks? Could you provide any examples?
Mr. Horta: One of the most common challenges related to vendors is how “well hidden” their information can be. That fact makes it quite difficult to perform tasks such as security assessments and enforcing important controls like data leak prevention, especially in cases where intellectual property is stored and processed in third-party infrastructure or services. If this situation is not managed properly, it may reduce the effectiveness of any incident response plan in the event of a third-party failure or data breach.
InfoSec Institute: How do you ensure vendors comply with your company’s security policies? Are they required to sign off on security policies or provide any other form of compliance evidence?
Mr. Horta: We currently do not require vendors to comply with the full set of corporate security rules. This limitation is due to some technical requirements and related processes, including the ones based on user behavior, being too hard to monitor or to generate indicators for.
Instead, we implemented preventative and reactive security controls, including a mandatory NDA sign-off at every new contract with a vendor. This agreement mentions every corporate security policy and norm, making sure vendors understand our security strategy, including the controls and rules that must be followed and the consequences of non-compliance. One of our contract managers’ key responsibilities is performing a monthly evaluation of the vendor’s security behavior. Also, whenever feasible, technical requirements are monitored and, in the case of non-compliance, it is possible to take the necessary action and notify the affected vendor.
InfoSec Institute: Are vendors involved in security awareness training? If so, are they trained together with company employees?
Mr. Horta: We offer the same training tools to both employees and vendors. In the case of security awareness training, it is only mandatory for vendors with personnel that must have access to IT assets.
InfoSec Institute: Do you audit vendors’ security controls?
Mr. Horta: Not specifically, but when a security audit happens, we make sure its scope includes any pertinent vendor.
InfoSec Institute: What role does security play when selecting vendors? Are they required to have any certification (e.g., ISO 27001)?
Mr. Horta: Basically, our company ensures the internal information security checklists are being followed by our acquisitions department. Currently, we do not require any specific certification for vendors.
InfoSec Institute: In your opinion, what is more difficult: enforcing security awareness on third-party personnel or on employees?
Mr. Horta: Enforcing awareness on a third party may be a little harder, but as for “following security rules,” employees are more of a challenge. Awareness comes as a result of innovative actions and the continuous effort of making users think before taking an action. That is easier to administer when we have the same group in training over a long period, such as employees.
InfoSec Institute: As a final word, what do you think most companies should do to enforce security on vendors?
Mr. Horta: This is not a question of what they “should do” but of what they “must do.” I suggest starting by defining that the business area responsible for vendors (e.g., the purchasing department or contract management department) must include information security compliance requirements, both as a mandatory part of the hiring process and of the ongoing service evaluation.
Complementary to that, the risk and/or compliance office must perform periodic assessments and use the findings as a basis for actions such as improving a vendor’s security level or even discontinuing a contract if necessary.