Vendor Assessment
Overview
Vendor assessments are crucial processes that organizations use to evaluate the security, reliability, and performance of external entities that provide goods or services. This ensures that all external partners meet the necessary standards to protect organizational interests and data.
Entities
- Vendors
- Businesses or individuals that provide goods or services to an organization.
- Evaluate the overall business practices, financial stability, and security measures of vendors.
- Ensure that vendors comply with relevant industry standards and regulations.
- Suppliers
- Individuals involved in the production and delivery of products or parts of products.
- Assess the quality of products and services provided by suppliers.
- Verify that suppliers have reliable processes for production and delivery.
- Managed Service Providers (MSPs)
- Individuals hired to manage IT services on behalf of the organization.
- Review the MSPs' capabilities in managing and securing the services they provide.
- Ensure that MSPs have robust security protocols in place to protect client data and infrastructure.
Pentesting of Suppliers
Penetration tests are simulated cyberattacks against the supplier's systems, carried out to check for exploitable vulnerabilities.
- If a vulnerability is found, this could indicate that the supplier's software could be a risk to your systems.
- The goal is to validate the service provider, since their risks could become the company's risks.
For more information, please see Penetration Testing.
Review the Contracts
When reviewing the contracts, you should verify that a right-to-audit clause is included. This grants your organization the right to evaluate the vendor's internal processes and ensure that they comply with the agreed-upon standards.
- Could include the right to audit the data handling, storage, and protection practices of the vendor.
- Not about the lack of trust, but to ensure transparency and that vendors adhere to best practices.
Internal Audit
A vendor's self-assessment, in which they evaluate their own practices against industry standards or organizational requirements.
- Vendors can present evidence of consistent and comprehensive internal audits.
- These can serve as a testament to their commitment to security and quality.
Independent Assessment
Independent Assessments are evaluations conducted by third-party entities that have no stake in the organization's or vendor's operations.
- Neutral party, ensures vendors adhere to security or performance standards.
- Independent bodies, like ISO.
Supply Chain Analysis
Used to dive deep into a vendor's entire supply chain and assess the security and reliability of each link.
- A vendor's security is not just about their own practices, but also about the integrity of their entire supply chain.
- Scrutinize the locations where hardware vendors source their parts.