SOURCE: LockPath, Inc.


June 05, 2015 00:00 ET

No Surprises: 16 Security Questions to Ask Your Vendors

OVERLAND PARK, KS--(Marketwired - June 05, 2015) - Odds are, your vendors are vulnerable and they're not telling you.

According to a recent survey conducted by the New York Department of Financial Services, nearly one-third of the banks surveyed don't require their vendors to alert them in the event of an information security intrusion. And that's not even the worst of the findings.

Among the other survey results:

  • Fewer than half of the banks conduct any kind of on-site vendor assessments.
  • About one in five don't conduct on-site assessments of their service providers.
  • One third of the banks surveyed said they don't hold their vendors to the same security standards as they hold themselves.


"A bank's cybersecurity is often only as good as the cybersecurity of its vendors," said Benjamin Lawsky, superintendent of the department. With so many breaches in the public eye recently, one would think that publicly traded organizations worldwide, regardless of industry, would be working tirelessly to assess third parties and fix security holes. To make sure that your company stays ahead of the curve, consider the following security questions to ask your vendors:

1. How do you conduct your organization's security awareness training?
2. How do you test your employees' understanding of security policies?

These questions are essential for getting a bearing on how seriously they take security. If they answer with a detailed, established process for their security awareness program, including how employees are tested on it, you can probably rest easy. If not, you should remind yourself that human error accounts for nearly all major security breaches.

3. Do you notify clients of known security vulnerabilities?
4. What methods do you use to notify clients?
5. Under what circumstances does your organization report vulnerabilities to clients?

It is the policy of some vendors not to disclose a security vulnerability unless it's deemed to be dangerous to front-facing clients. Some opt not to disclose at all. Press your vendors on what constitutes a 'serious' vulnerability and ask how they categorize risks and security issues. Prioritization of security issues is what separates the diligent vendors from their more negligent competitors. Also ask them about the frequency of disclosure (as vulnerabilities are found vs. a weekly or monthly report) and its form (email alerts vs. phone calls), because these factors could impact your business in big ways depending on circumstances.

6. How do you encrypt your data?
7. How are the encryption keys managed?
8. Do you separate customer data from your main infrastructure?

If your vendors are giving you detailed feedback about their practices, such as their methods of encrypting data at rest vs. data in transit, they're on the right path. The same thing can be said about segmentation of client data and critical infrastructure, because many of last year's large breaches could have been easily avoided, or at least their impact lessened, by storing sensitive customer data in a different place than where their vendor portal resided.

9. What data protection standards have you achieved?
10. What best practices do you follow?
11. How do you prove compliance and provide records of best practices?

Whether your organization prefers certification from ISO 27001, SSAE16 or Safe Harbor, those security standards are doubly important in your vendors, as you have much less control over entities outside of your company and, ostensibly, over the data you share with those vendors. If your vendors can outline the process by which they document attestation procedures and keep a record of all mitigation actions, they're staying ahead of the curve. LockPath's Keylight solution for third-party management allows for automated assessments to ensure vendor compliance with such certifications.

12. Does your organization follow current threat trends?
13. Do you have dedicated internal teams for simulating malicious attacks and fixing security holes?
14. What is your business recovery plan?

These questions are particularly important to highlight because they tend to reveal how proactive a vendor is in keeping up with their own data security and disaster planning. Their answers also indicate how vigilant they're likely to be when things hit the fan. An active and dedicated information security team can make all the difference when it comes to sharing relevant threat data and detailing exact plans for technology outages in order to minimize financial loss to both your business and theirs.

15. How often do your clients and vendors assess your data security?
16. How about physical security assessments?

This last item is a direct callback to a few of the findings of the NY DFS survey mentioned earlier. Sometimes it's a good idea to go by the adage of 'seeing is believing' and request to perform regular on-site security assessments, either by members of your team or a trusted assessor. Asking these kinds of questions can usually give you a better idea of not only what some of their other clients are expecting, but also how highly they value client trust and confidence in security.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.
