Using NIST Cybersecurity Framework to Assess Vendor Security

Vendor due diligence is the process of ensuring that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.

To accomplish this, you need to know company details such as ownership specifics, company size, products offered, and headquarters location. You need to understand the company’s financial position, or more specifically, whether they are financially stable enough to fulfill their obligations for the foreseeable future. You need to know if the vendor will do what they promise. You also need to know how well the vendor is going to protect your data.

Vendors that provide IT services have additional due diligence requirements. You need to make sure contract language includes the right to audit the vendor’s security program, data security measures, and data ownership. You need specific security considerations and incident response procedures, and for cloud-based IT services there are additional data security questions that need answers (FFIEC guidance refers to the NIST 800-145 definition of cloud computing, but in reality that definition is not really being used).

Ultimately, you, as the person responsible for assessing vendor due diligence, must understand the vendor’s cybersecurity posture. So how do you find that out? You can ask for an audit of their security controls, which typically comes back in the form of a Service Organization Controls (SOC) report. There are several types, but the two most common and important are: SOC 1 Type 2, which reports on the design and operating effectiveness of internal controls over financial reporting (following the SSAE 16/18 standard); and SOC 2 Type 2, which reports on the design and operating effectiveness of controls over the Trust Services Principles such as security, confidentiality, and availability.

Not that you have a choice, but in most cases the SOC 2 Type 2 is the best report for assessing Cybersecurity. The SOC 1 report, however, is the most common for reasons that would take too long to explain.

Because there is discretion as to which and how many of the five (5) Trust Services Principles are actually examined and reported on during a SOC 2 engagement, not all audit reports are the same. You have to dig into some details to understand what is being reported.

For example, if an IT service provider has a SOC audit performed on its corporate network but outsources application development and data center hosting, you’ll essentially be left with a meaningless document: the controls that actually protect your data belong to subservice organizations that the report does not cover.

The ordinary steps to perform an SSAE 16 review are:

  • Pinpoint findings without adequate management responses
  • Provide complementary user entity controls to system owner and/or IT

But I don’t want anybody to be ordinary. Get a free copy of our Vendor Cybersecurity Assessment Template.

To be a vendor Cybersecurity assessment Jedi, use the Framework you must.

  • Review description of system
  • Search for “subservice”
  • Use function, category, or sub-category (depending on your technical expertise and comfort level) to ensure control objectives are covered.

Using the partial image above, we could search through the SOC report in a structured manner using the Framework as a guide.

If we were using the sub-categories of the Framework, we would check the vendor’s report for a control that outlines ‘response plans incorporate lessons learned’ or something very similar. Then we would look to see if ‘response strategies are updated.’
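The structured walk-through described above can be scripted. The following is an added example, not code from the original post or from any vendor assessment template: it takes a constructed excerpt of a SOC report’s description of system, flags any mention of a subservice organization (the carve-out search recommended earlier), and checks each CSF 1.1 sub-category in a small checklist for a sentence that evidences it. RS.IM-1 and RS.IM-2 are the real CSF 1.1 identifiers for the two statements quoted in the post; PR.IP-4 (backups) is added to show the checklist generalizes. The keyword groups, the control labels and the report text are assumptions constructed for the example, so tune the keywords to the wording of the report you are reviewing.

```python
import re

# Constructed excerpt of a SOC 2 Type 2 "Description of the System" section.
# Sample text written for this example; the control labels are not real ones.
SAMPLE_SOC_REPORT = """
The Company uses a subservice organization for data center hosting; the
controls of the subservice organization are carved out of this report.
Control A-12: Incident response plans are reviewed after each incident and
lessons learned are incorporated into the plan.
Control A-15: Backups of production data are taken daily and restored quarterly.
"""

# CSF 1.1 sub-categories to look for. Each entry maps the CSF identifier to
# its statement and to keyword groups; a sentence evidences the sub-category
# when it contains every term of at least one group. The keyword groups are
# this example's assumption about likely report wording, not part of the CSF.
CSF_CHECKLIST = {
    "RS.IM-1": ("Response plans incorporate lessons learned",
                [("response plan", "lessons learned")]),
    "RS.IM-2": ("Response strategies are updated",
                [("response strateg", "updat")]),
    "PR.IP-4": ("Backups of information are conducted, maintained, and tested",
                [("backup", "test"), ("backup", "restor")]),
}


def split_sentences(text):
    """Collapse whitespace and split the report text into sentences."""
    flat = " ".join(text.split())
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", flat) if s.strip()]


def find_subservice_carveouts(text):
    """Return every sentence that mentions a subservice organization.

    Any hit means part of the control environment is outside the report's
    scope and needs its own assurance (the subservice organization's SOC report
    or another form of evidence).
    """
    return [s for s in split_sentences(text) if "subservice" in s.lower()]


def assess_soc_report(text, checklist=CSF_CHECKLIST):
    """Map each CSF sub-category to the report sentences that evidence it."""
    sentences = split_sentences(text)
    coverage = {}
    for sub_id, (_statement, term_groups) in checklist.items():
        hits = []
        for sentence in sentences:
            lowered = sentence.lower()
            if any(all(term in lowered for term in group) for group in term_groups):
                hits.append(sentence)
        coverage[sub_id] = hits
    return coverage


def missing_subcategories(coverage):
    """Sub-categories for which no evidencing control sentence was found."""
    return sorted(sub_id for sub_id, hits in coverage.items() if not hits)


if __name__ == "__main__":
    for carveout in find_subservice_carveouts(SAMPLE_SOC_REPORT):
        print("CARVE-OUT:", carveout)
    coverage = assess_soc_report(SAMPLE_SOC_REPORT)
    for sub_id, hits in coverage.items():
        status = "covered" if hits else "MISSING"
        print(f"{sub_id} ({CSF_CHECKLIST[sub_id][0]}): {status}")
    print("Follow up on:", missing_subcategories(coverage))
```

On the constructed sample the script reports the hosting carve-out, finds evidence for RS.IM-1 and PR.IP-4, and lists RS.IM-2 as missing, which is exactly the kind of gap you would then raise with the vendor or look for in a subservice organization’s own report. Keyword matching only points you at candidate controls; reading the control description and the auditor’s test results is still the reviewer’s job.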

Used in this way to walk through any kind of vendor security audit report, the NIST Cybersecurity Framework provides an excellent structure to work from when reviewing vendor security controls.

Additional Resources

“Technology Service Provider Strategy—The FFIEC’s members will expand their focus on technology service providers’ ability to respond to growing cyber threats and vulnerabilities.”