Using NIST Cybersecurity Framework to Assess Vendor Security
Vendor due diligence is the process of ensuring that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.
To accomplish this, you need to know company details such as ownership specifics, company size, products offered, and headquarters location. You need to understand the company’s financial position. More specifically, you need to know if they are financially stable enough to fulfill their obligations for the foreseeable future. You need to know if the vendor will do what they promise. You also need to know how well the vendor is going to protect your data.
Vendors that provide IT services have additional due diligence requirements. You need to make sure contract language includes the right to audit the vendor’s security program, data security measures, and data ownership. You need specific security considerations, incident response procedures, and for cloud-based IT service—for which the NIST 800-145 definition is referred to in FFIEC guidance, but in reality is not really being used—there are additional data security questions that need answers.
Ultimately, you as the person responsible for assessing vendor due diligence, must understand the vendor’s cybersecurity posture. So, how do you find that out? You can ask for an ISO compliance audit, NIST audit, or any of their security controls, which typically comes back in the form of a Service Organization Controls (SOC) report. There are several types, but the two most common and important are: SOC 1 Type 2 that reports on the design and effectiveness of internal controls over financial reporting (following the SSAE 16/18 standard); and SOC 2 Type 2 that reports on the design and effectiveness of trust service principles such as security, confidentiality, and availability.
Not that you have a choice, but in most cases the SOC 2 Type 2 is the best report for assessing Cybersecurity. The SOC 1 report, however, is the most common for reasons that would take too long to explain.
Because there is discretion as to which and how many of the five (5) Trust Services Principles are actually examined during and reported on during a SOC 2 engagement, not all audit reports are the same. You have to dig into some details to understand what is being reported.
For example, if an IT Service Provider has SOC audit performed on their corporate network and outsources application development and data center hosting, you’ll essentially be left with a meaningless document.
The ordinary steps to perform SSAE 16 review are:
- Pinpoint findings without adequate management responses
- Provide complementary user entity controls to system owner and/or IT
Rivial wants to make sure you aren't settling for being ordinary. Get a free copy of our Vendor Cybersecurity Assessment Template.
To be a cybersecurity assessment Jedi, use the Framework you must.
- Review description of system
- Search for “subservice”
- Use function, category, or sub-category (depending on your technical expertise and comfort level) to ensure control objectives are covered.
Using the image above, we could search through the SOC report in a structured manner using the Framework as a guide.
If we were using the sub-categories of the Framework, we would check the vendor’s report for a control that outlines ‘response plans incorporate lessons learned’ or something very similar. They we would look to see if ‘response strategies are updated.’
Using it in this way to walk through any kind of vendor security audit report, the NIST Cybersecurity Framework provides an excellent framework to work from when reviewing vendor security controls.
- FFIEC Handbooks - http://ithandbook.ffiec.gov/
- NCUA Guidance - http://www.ncua.gov/Resources/Documents/LCU2008-pdf
- FDIC Guidance - https://www.fdic.gov/news/news/financial/2008/fil08044a.html
- SSAE 16/18 Details - http://www.ssae16.org
- NIST Cybersecurity Framework - http://www.nist.gov/cyberframework/
- Future Considerations - https://ffiec.gov/press/pr031715.htm
“Technology Service Provider Strategy—The FFIEC’s members will expand their focus on technology service providers’ ability to respond to growing cyber threats and vulnerabilities.”