Great Vendor Tools Does Not = Security | Pivot Point Security
When it comes to vendor due diligence, I often see organizations make the mistake of overlooking one key aspect.
For example, you could buy the best lock in the world from a top tier vendor for your front door, but if you fail to lock it, the entire solution fails. Many organizations utilize top tier cloud services like Amazon Web Services (AWS) or Microsoft Azure and make the mistake of thinking that they’re safe because they’re using a top tier provider. I can’t count how many times I’ve seen system misconfigurations and a lack of understanding of shared responsibility.
The Federal Financial Institutions Examination Council (FFIEC) recently published guidance on risk management for cloud computing services. Within this guidance, they stressed the importance of reviewing the responsibilities of the cloud provider in addition to the responsibilities of your own organization. You cannot assume that comprehensive and effective security controls are in place just because you are using a top tier vendor. You need to carefully analyze and determine which controls your organization needs to put in place to ensure that the total solution is secure.
Vendor risk management cannot be viewed as only the vendor risks. You need to self-reflect and understand what controls you have in place that work together with the vendor’s controls. To perform true vendor risk management, you need to understand the “total solution risk”.
At Pivot Point Security, we’ve developed our Accelerated Vendor Due Diligence tool to address this shared responsibility issue in a manner which is faster and easier to scale than any solution out there. Contact us today for more information.
Through our 17 years of experience, we’ve collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size busiess (SMB).
Originally published at https://www.pivotpointsecurity.com on September 28, 2020.