We are finding that many companies that have experienced a cyber incident are not performing even the most basic third-party vendor risk assessment.
It is absolutely imperative that if you engage with a vendor, you understand the associated risks.
5 simple questions can lead you to a better understanding of your vendor risks and a quicker recovery from an incident:
- Who is accountable?
- Would you be able to escalate or contact them?
- Where are they located?
- Do they have a response plan?
- Are there dedicated phone numbers or emails for reporting incidents?
- Are ticket numbers assigned and tracked?
- Is there someone who is responsible for security?
- Is there a defined role or is it an off the side of the desk of another role?
- Does the company reside in a country that has Breach Reporting responsibilities?
- Do you have a defined incident / severity matrix with set response times?
- How do you escalate an incident?
- What is your communication cadence?
- Can they demonstrate the framework they adhere to (e.g. NIST / CIS)?
- Do they disclose if and when they do vulnerability / penetration testing?
- Do they have any risk reports (SOC 1, SOC 2, PCI DSS) they can share?
- Do they have patch management?
James Phillips is one of the founders of MI613 Inc. He brings over 20 years experience involving investigations working with private corporations and government agencies. James dedicates most of his time to conducting network threat evaluations, working on digital forensic projects and cyber breach investigations.