Information Security

Hello community!

Related to the third party due diligence process, I have been challenged lately with the question of "how can we improve the visibility of our third parties risks as part of the due diligence process?" Now, our due diligence process in based in a control framework (based on NIST) and we request some "documental" evidences for some of the controls (i.e. Security Policy) but, we are thinking on include some technical controls or checks that helps us to confirm the cybersecurity posture of our third parties. Does anyone using this approach? Any commercial platform recommeded? We are thinking on using a BAS platform (Breach and Attack Simultion) like Cymulate to apply to this use case but I am wondering if someone else has already lived this same challenge and how it has been managed. 

Thanks!

Third parties MIGHT agree to work with you on certain testing. None essentially will say: "Feel free to pentest me at will". Your approach will be case by case and ultimately not be consistent. I strongly suspect most organizations will not agree to your concept and refer you to their documentation. Might be worth thinking about the overall importance of the business relationship before considering these ideas further, particularly with the internal business relationship managers.

We are currently utilizing an active cyber-security monitoring platform that provides additional visibility into our third party's risks. There are many on the market, but a few popular platforms offering this service include BlackKite, UpGuard, and SecurityScorcard. The platform we utilize employs the Factor Analysis of Information Risk (FAIR) model which aims to quantify the amount of risk each vendor presents to your organization. Additionally, the platform will compare the information pulled against multiple technical frameworks (including NIST, ISO and CAIQ for cloud providers) producing a compliance score for each framework. Some platforms also offer real-time vulnerability updates and reports (including remediation recommendations) that can be shared with vendors as part of ongoing monitoring. 

I could go on for a while about this, so I'll keep it short. However, I just wanted to give a quick overview of how my organization is gaining more insight into our vendor's cybersecurity posture. Best regards!