Vendor Assessment
(OBJ 5.3)
Vendor Assessments
- Process to evaluate the security, reliability, and performance of external entities
- Crucial due to interconnectivity and potential impact on multiple businesses
Entities in Vendor Assessment
- Vendors
- Provide goods or services to organizations
- Suppliers
- Involved in production and delivery of products or parts
- Example:
- A computer manufacturer might have multiple suppliers, with one providing processors, another providing memory, etc.
- Managed Service Providers (MSPs)
- Manage IT services on behalf of organizations
- Example:
- A cloud service provider: AWS, Google Cloud, etc.
- Used to manage vast data infrastructures so your organization can instead focus on its core competencies.
Penetration Testing of Suppliers
- Penetration Testing
- Simulated cyberattacks to identify vulnerabilities in supplier systems
- Goal: validate the supplier's cybersecurity practices and identify potential risks to your organization
- If a vulnerability is found, this is an indication that the software could be a risk to your organization's cybersecurity posture.
- When you are reviewing your contract with the vendor, you should verify that a right-to-audit clause is included in that contract.
- Grants your organization the right to evaluate vendors and ensure that they are in compliance with the agreed-upon standards.
Right-to-Audit Clause
- Contract provision allowing organizations to evaluate vendor's internal processes for compliance
- Ensures transparency and adherence to standards
Internal Audits
- Vendor's self-assessment of practices against industry or organizational requirements
- Demonstrates commitment to security and quality
- Example:
- A cloud service provider might regularly audit its data protection measures to ensure that encryption protocols are up to date.
Independent Assessments
- Evaluations conducted by third-party entities without a stake in the organization or vendor
- Provides a neutral perspective on adherence to security or performance standards
- Example:
- The International Organization for Standardization (ISO) is an independent body that might assess a data center's practices against its global standards to ensure they're meeting or surpassing the benchmarks.
- Invaluable for organizations to minimize their exposure to risk.
Supply Chain Analysis
- Assessment of an entire vendor supply chain for security and reliability
- Ensures integrity of the vendor's entire supply chain, including sources of parts or products
- Example:
- A hardware vendor might source parts from several locations; each of these source locations should be scrutinized to ensure there is no risk of counterfeit parts or tampered products.