We are currently utilizing an active cyber-security monitoring platform that provides additional visibility into our third parties' risks. There are many on the market, but a few popular platforms offering this service include BlackKite, UpGuard, and SecurityScorecard. The platform we utilize employs the Factor Analysis of Information Risk (FAIR) model, which aims to quantify the amount of risk each vendor presents to your organization. Additionally, the platform compares the information pulled against multiple technical frameworks (including NIST, ISO and CAIQ for cloud providers), producing a compliance score for each framework. Some platforms also offer real-time vulnerability updates and reports (including remediation recommendations) that can be shared with vendors as part of ongoing monitoring.
I could go on for a while about this, so I'll keep it short. However, I just wanted to give a quick overview of how my organization is gaining more insight into our vendors' cybersecurity posture. Best regards!
Original Message:
Sent: 10-23-2023 11:38 AM
From: Anonymous Member
Subject: Technical checks on Third party Due Diligence
This message was posted by a user wishing to remain anonymous
Hello community!
Related to the third party due diligence process, I have been challenged lately with the question of "how can we improve the visibility of our third parties' risks as part of the due diligence process?" Now, our due diligence process is based on a control framework (based on NIST) and we request some "documentary" evidence for some of the controls (e.g. a Security Policy), but we are thinking of including some technical controls or checks that help us to confirm the cybersecurity posture of our third parties. Is anyone using this approach? Any commercial platform recommended? We are thinking of using a BAS platform (Breach and Attack Simulation) like Cymulate for this use case, but I am wondering if someone else has already faced this same challenge and how it has been managed.
Thanks!