Evaluating a third-party’s policies and practices
To minimize third-party vendor risk, companies need to thoroughly review the information security policies and practices of their vendors before bringing them on and then at regular intervals.
Start by reviewing the vendor’s Service Organization Control 2 (SOC 2) report, an outside auditing firm’s evaluation of its controls. Make sure the vendor has implemented key security principles such as segregation of duties and “least privilege.”
The principle of least privilege limits individual users’ access rights to ensure only vendor employees who need it will have access to your data. A vendor should have an identity and access management (IAM) policy outlining what access each employee will have to your data and what they are allowed to do with it.
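As an added illustration of the two checks described above (not code from the original article), the following Python script compares what a vendor's systems actually grant to each employee against the vendor's documented IAM policy, flagging access beyond the role's stated need (a least-privilege violation) and any single person holding two duties the policy says must be separated. The policy, the grant records and the conflicting-duty pair are all constructed sample data; a real review would load them from the vendor's IAM export.

```python
"""Least-privilege and segregation-of-duties check over a vendor's access grants.

Added example, not from the original article. The IAM policy, the grant
records and the duty-conflict pairs below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed IAM policy: what each vendor role is allowed to do with client data.
POLICY = {
    "support_engineer": {"read:customer_records"},
    "db_admin": {"read:customer_records", "backup:customer_records"},
    "payments_clerk": {"create:payment"},
    "payments_approver": {"approve:payment"},
}

# Constructed segregation-of-duties rule: no one person may both create and
# approve a payment.
SOD_CONFLICTS = [("create:payment", "approve:payment")]


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    actions: frozenset  # actions the vendor's system actually grants the user


# Constructed sample of what the vendor's system actually grants.
GRANTS = [
    Grant("alice", "support_engineer", frozenset({"read:customer_records"})),
    Grant("bob", "support_engineer",
          frozenset({"read:customer_records", "delete:customer_records"})),
    Grant("carol", "payments_clerk",
          frozenset({"create:payment", "approve:payment"})),
    Grant("dave", "db_admin",
          frozenset({"read:customer_records", "backup:customer_records"})),
]


def excess_privileges(grants, policy):
    """Return {user: set(actions)} for actions granted beyond the role's policy."""
    findings = {}
    for g in grants:
        allowed = policy.get(g.role, set())  # unknown role -> nothing is allowed
        extra = g.actions - allowed
        if extra:
            findings[g.user] = set(extra)
    return findings


def sod_violations(grants, conflicts):
    """Return [(user, (a, b))] where one user holds both conflicting actions."""
    hits = []
    for g in grants:
        for a, b in conflicts:
            if a in g.actions and b in g.actions:
                hits.append((g.user, (a, b)))
    return hits


def review(grants=GRANTS, policy=POLICY, conflicts=SOD_CONFLICTS):
    """Run both checks and return the findings for the reviewer."""
    return {
        "excess": excess_privileges(grants, policy),
        "sod": sod_violations(grants, conflicts),
    }


if __name__ == "__main__":
    result = review()
    for user, extra in result["excess"].items():
        print(f"EXCESS  {user}: {sorted(extra)}")
    for user, (a, b) in result["sod"]:
        print(f"SOD     {user}: holds both {a} and {b}")
```

In the sample data, bob has a delete permission his role's policy never grants, and carol can both create and approve a payment; both are the kind of gap an on-site reviewer would compare against the controls attested in the SOC 2 report.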
Companies should also investigate whether a vendor has any technical vulnerabilities. For instance, does its software have all the necessary, up-to-date patches? Are its security settings properly configured so that it can defend against unauthorized access? And is any of the vendor’s technology at the end of its life or no longer supported by the supplier?
You should review higher-risk vendors at least once a year. Also, consider reviewing vendors with access to your company’s most sensitive data and core banking processes on site, where your staff member or a contracted auditor can witness whether the vendor is actually practicing the principles such as segregation of duties and least privilege that are attested to in the SOC 2 report.
Companies can also use third-party information security ratings providers to bolster their evaluations. These providers will review a vendor’s technology controls and provide a report with a score. Be sure to choose a provider that is commonly used by your industry.
Also include in your evaluations a review of the vendor’s financial health and stability. This can tell you whether the vendor is well-positioned and financially healthy, and therefore more likely to invest appropriately in information security.