Third-party Security

Vendors, partners, contractors or other third parties must manage and protect information in accordance with the organization's information security policies and standards. 

The following controls should be implemented, at minimum, to ensure third parties adhere to the organization's information security policies and standards:
  • A supplier risk or security assessment and audit of the third party
  • A contract signed by the third party that includes the organization's information protection requirements
  • A logical and physical site review of the third party's environment
  • Remediation of any security gaps identified by the risk assessment, audit or site review, tracked to closure
Third parties that process, store or access sensitive information (e.g. confidential or secret data) should be reviewed periodically to confirm that their controls remain adequate for the data they handle. Examples of such third parties include business process outsourcing, application development outsourcing, consulting, call centers and data centers. The review frequency should be driven by the risk the third party represents, determined by the types of data shared, the volume, and how often records are sent to it. For example, higher-risk, medium-risk and lower-risk vendors might be reviewed annually, biennially and triennially, respectively. Because the risk tier depends on the data shared, a change in the engagement (e.g. a new data type sent to the vendor) should trigger a re-assessment of the tier rather than waiting for the next scheduled review.

Controls that should be checked at the third party include, but are not limited to: encryption of sensitive information when stored, processed or transmitted; strict access controls to systems and data; vulnerability and web application security assessments; a patch and configuration management process; and physical access controls.

For third parties whose data protection controls are found to be insufficient, organizations may use the assessment results to justify moving to a competitor that offers comparable services with better controls. Alternatively, organizations should require the third party to close the identified gaps as a condition of contract renewal. In the event of a data breach at the third party, it is ultimately the organization's brand and reputation that is on the line, so third-party assessments are a critical part of an information security program.

Topic Category: Risk Management
News Articles
  • Inbenta, blamed for Ticketmaster breach, says other sites not affected (www.zdnet.com, 6/28/2018)
  • Restaurant Chain Struck by Payment Card Data Breach (www.tripwire.com, 6/28/2018)
  • Impact Of Chat Service Breach Expands To Best Buy, Kmart (threatpost.com, 4/9/2018)
  • General Services Administration (GSA) Pointing to New IT Security Rules for Contractors (www.tripwire.com, 3/5/2018)
  • Swisscom data breach exposes 800,000 customers (www.tripwire.com, 2/8/2018)
  • 50,000 Australian Employees’ Personal Data Exposed Online (www.tripwire.com, 11/2/2017)
  • CCleanup: A Vast Number of Machines at Risk (blog.talosintelligence.com, 9/18/2017)
  • Millions of game accounts exposed in data breach, responsibility thrown to the wind (www.zdnet.com, 4/20/2017)
  • Bank gets lesson in the security failings of third parties (www.computerworld.com, 4/11/2017)
  • Scottrade Confirms Third-Party Data Breach Exposed 20,000 Customers’ Private Data (www.tripwire.com, 4/6/2017)
  • Third-Party Twitter Service Hacked to Push Out Nazi-Themed Tweets (www.tripwire.com, 3/15/2017)
  • Hackers steal personal data of thousands of hospital staff (www.zdnet.com, 3/13/2017)
  • U.S. intelligence to share supply chain threat reports with industry (www.computerworld.com, 8/15/2016)
  • uTorrent Forums Users Urged to Change Passwords After Breach (www.tripwire.com, 6/9/2016)
  • Google Employees’ Information Compromised via Third-Party Vendor (www.tripwire.com, 5/9/2016)
  • Amex account data might have been exposed in breach at third-party (www.scmagazine.com, 3/14/2016)
  • Government budget agency drafts contractor cybersecurity guidelines (www.scmagazine.com, 8/11/2015)
  • NIST issues 'don't be stupid' security guidelines for
  • Hotel Beacon payment card processing systems compromised (www.scmagazine.com, 6/4/2015)
  • IRS Statement on the "Get Transcript" Application (www.irs.gov, 5/27/2015)
  • 130K users' data leaked via China's train ticketing site (www.zdnet.com, 12/26/2014)
  • Dropbox blames other services for claimed 7 million password hack (www.zdnet.com, 10/14/2014)
  • Leaked Snapchat videos and pictures posted online (www.zdnet.com, 10/13/2014)
  • Chinese hackers breached US military contractors, says Senate report (nakedsecurity.sophos.com, 9/19/2014)
  • A wake-up call for
  • Third-Party Software Library Risks to be Scrutinized at Black Hat (threatpost.com, 7/22/2014)
  • Most health care vendors earn 'D' in data protection, study finds (www.scmagazine.com, 6/27/2014)
  • Ad network compromise leads to rogue page redirects on Reuters site (www.computerworld.com, 6/23/2014)
  • Financial Services Companies Facing Varied Threat Landscape (threatpost.com, 4/16/2014)
  • Ethical hacker backer hacked, warns of email
  • How hackers stole millions of credit card records from Target (www.zdnet.com, 2/13/2014)
  • Target Hackers Broke in Via HVAC Company (krebsonsecurity.com, 2/5/2014)
  • Yahoo Mail accounts breached with stolen
  • Target traces security breach to stolen vendor credentials (www.zdnet.com, 1/30/2014)
  • Are contractors the weak link in your security chain? (nakedsecurity.sophos.com, 12/9/2013)
  • Nearly 50k patient credit cards compromised by insider (www.scmagazine.com, 10/10/2013)
  • More details emerge on extent of ticketing company breach (www.scmagazine.com, 7/4/2013)
  • AMI Firmware Source Code, Private Key Leaked (threatpost.com, 4/5/2013)
  • Medical records of 2k patients left unprotected on contractor's server (www.scmagazine.com, 4/5/2013)
  • Report: Among simple, yet effective web app attacks, cloud environments hit hardest (www.scmagazine.com, 3/26/2013)
  • Bank of America says data breach occured at third party (www.computerworld.com, 2/27/2013)
  • Business Partners Give Hackers Easy Access to Secure Firms (threatpost.com, 2/6/2013)
  • Big Bank Mules Target Small Bank Businesses (krebsonsecurity.com, 1/28/2013)
  • U.S. Health Department unveils new HIPAA rules (www.scmagazine.com, 1/22/2013)
  • Kaiser Permanente Case Underscores Due Diligence Requirement (threatpost.com, 1/7/2013)
  • Questions still need to be answered on the Verizon ‘hack’ (www.infosecurity-magazine.com, 12/28/2012)
  • Pentagon Deploying DARPA to Wage War on Backdoors (threatpost.com, 12/4/2012)
  • Hackers break into two FreeBSD Project servers using stolen SSH keys (www.computerworld.com, 11/19/2012)
  • Security report: Enterprises place reckless trust in third-party software suppliers (www.zdnet.com, 11/15/2012)
  • Oops: E-Mail Marketer Left Walmart, US Bank and Others Open to Easy Spoofing (www.wired.com, 10/30/2012)
  • Supply Chain Woes: Human Error or Something Else Entirely? (www.darkreading.com, 10/28/2012)
  • ISF launches multi-organization standards initiative to tackle supply-chain security (www.infosecurity-magazine.com, 10/19/2012)
  • Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent (krebsonsecurity.com, 9/26/2012)
  • Microsoft Disrupts ‘Nitol’ Botnet in Piracy Sweep (krebsonsecurity.com, 9/13/2012)
  • Patient data outage exposes risks of electronic medical records (www.latimes.com, 8/3/2012)
  • FDA investigates how confidential files went public (www.nextgov.com, 7/16/2012)
  • Upsurge in targeted attacks against small businesses (www.zdnet.com, 7/13/2012)
  • Nvidia suffers data breach; investigation under way (www.zdnet.com, 7/13/2012)
  • Cyberattack exposes 123,000 TSP accounts (www.govexec.com, 5/25/2012)
  • Revised Guidance on Payment Processor Relationships (www.fdic.gov, 1/31/2012)
  • Final phase of Mass. data protection law kicks in March 1 (www.computerworld.com, 1/25/2012)
  • Stanford Hospital blames contractor for data breach (www.computerworld.com, 10/6/2011)
  • Honda US cops to vast data snaffle from marketing
White Papers
  • 2013 Internet Security Threat Report, Volume
  • Third-Party Security Policy
  • Implementation of Interagency Programs for the Supervision of Technology Service Providers (FFIEC, 10/10/2012)
  • NIST Cloud Computing Synopsis and Recommendations (NIST, 5/29/2012)
  • NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations (NIST, 4/9/2015)