MI613 Inc

Lessons learned from Incident Response

Understanding Third Party Vendor risk

We are finding that many companies that have experienced a Cyber Incident were not performing even the most basic Third Party Vendor Risk Assessment.

It is absolutely imperative that, if you engage with a vendor, you understand the associated risks.

Five simple questions can lead you to a better understanding of your Vendor risks and a quicker recovery from an Incident:

1. Is there an identifiable Leadership Team?

- Who is accountable?
- Would you be able to escalate or contact them?
- Where are they located?

2. Do they have an Incident Response Plan and Reporting Structure?

- Do they have a response plan?
- Are there dedicated phone numbers or emails for reporting incidents?
- Are ticket numbers assigned and tracked?

3. Who is responsible for security within their organization?

- Is there someone who is responsible for security?
- Is it a defined role, or is it handled off the side of the desk by someone in another role?
- Does the company reside in a country that has Breach Reporting responsibilities?

4. Do you have a Service Level Agreement for responding to Incidents?

- Do you have a defined incident / severity matrix with set response times?
- How do you escalate an incident?
- What is your communication cadence?

5. Can they demonstrate their current level of Cyber Security compliance?

- Can they demonstrate the framework they adhere to (e.g. NIST, CIS)?
- Do they disclose if and when they do vulnerability / penetration testing?
- Do they have any risk or compliance reports (SOC 1, SOC 2, PCI DSS) they can share?
- Do they have patch management?