This is an interesting dilemma,
and a question I hear regularly. It goes like this:
“We have a lot a vendors that
don’t want to fill questionnaires out at all. What do vendors think of
SecurityStudio?”
My answer to this is always the same…
3 or 4 years ago, when vendor
risk management programs were largely nonexistent, vendors would push back on
security questionnaires. They would dodge, avoid, argue irrelevance,
hide, ignore, answer cryptically, lie (in some cases, yes they do), get answers
wrong, etc. Basically everyone was trying to avoid having to fill out any
information about security programs.
Now that we’re a few years down the road, vendors are used to this, especially in any regulated industry or anyone that works with healthcare orgs, finance, etc. We’re a vendor, and we expect our customers to ask us about our security.
So at this point, if I have a vendor that doesn’t want to give up information about their security, that’s a GIANT red flag for me.
There are only a few reasons for not being forthcoming to a customer or prospect:
What the vendor does is highly sensitive, and they have to protect that information from everyone, including customers.
The vendor is a big enough company that they don’t need to respond to prospective customers.
A security program isn’t in place or the vendor doesn’t know how to answer the questions.
Each scenario is bad for me as a risk manager:
Even if you say you’re highly secure, it’s my responsibility to make sure. So in scenario one, they would still have to have something they can provide me as evidence they know what they’re doing. From my side, I can’t just take their word for it. So give me something.
Although they’re a huge company (i.e. AWS, Microsoft, Google) they still pose a risk to us.
If they avoid/resist, give excuses, or want to argue about why they don’t need to provide us any information, I assume they don’t have a security program.
When deciding if you should “fire” a vendor, there are many things to consider:
Someone in your organization likely wants to do
business with this vendor.
It could be a significant deal for your organization. That
adds pressure to push them through.
How significant is the risk and what could happen to you if they
get breached?
There are many more factors
obviously, but the point is that it is usually extremely hard to
fire a vendor that the business wants to work with. If you have the
authority to pull that trigger, then I would advise using it sparingly.
We enlist the business to help us get the assessment results back if needed,
and we prefer to push them into remediation rather than firing them.
SecurityStudio makes remediation really easy, so we prefer to just build
remediation plans they can work on. That way everyone is winning!
I would only fire a vendor if all these questions get answered “yes”:
They simply won’t give us information.
They argue and avoid enough that they give me the sense that they don’t have a security program.
The business has alternative vendors that they can use, and they are ok with the firing.
Short of that, we opt for remediation, or if the vendor won’t cooperate at all, then we opt to have the business waiver the vendor. That way as a risk manager I can show that I did my due diligence but that the business decided to pursue the relationship anyway. This is more than just CYA, it’s an important part of the partnership between security and the business. We don’t want to shut them down, we just want to manage our risk. They have the right to accept the risk of a vendor that won’t cooperate. (document, document, document)
The feedback we get regarding vendor willingness to use SecurityStudio has been really good. Yes, we have definitely seen the same types of patterns (avoidance, arguing, ignoring) but that’s what SecurityStudio is built to overcome. Automated reminders, questions written in common language, an appealing interface, etc. all contribute to a positive experience for vendors too. So yes, they have to do something, but the feedback we’re getting is that vendors like the way SecurityStudio works for them. Make it easier for yourself and company, and schedule your demo for SecurityStudio today!
https://securitystudio.com/wp-content/uploads/2019/03/SecStu_Banner_FireAVendor_1200x628.jpg6281200SecurityStudiohttps://securitystudio.com/wp-content/uploads/2021/05/ss-logooo-300x42.pngSecurityStudio2019-03-11 13:03:162021-09-01 21:41:37How To Know If You Should “Fire” a Vendor
Within a busy organization, vendor risk management (VRM) can feel like an ideal concept, but can also seem far out of reach. Armed with a vendor risk management checklist and VRM software, like SecurityStudio, and establishing a vendor risk management program is well within grasp and can take less time, energy, and resources than expected. The first step to creating a VRM program is to develop a plan.
1. Develop a Plan
The first step in creating a VRM program is to create a plan. Simple enough, especially with a VRM software program like SecurityStudio. The great thing about using a program like SecurityStudio is that the vendor risk management workflow is already built in along with most communication. Everything is centrally located in the program, and vendors move from one phase to the next with everything in plain view. Most quality VRM programs include a classification phase, and then vendors are typically assessed followed by a treatment plan. Then there’s steps to repeat the process. With a plan like this the risk manager (administrator) will need to surround themselves with a quality team to execute the plan.
2. Assemble your Team
As with any vendor risk management program, the risk manager will want a group of professionals to help with inventorying vendors and classifying them. Talking to your team members and making sure that everyone is onboard will help with participation, and most importantly that they are given context as to how important information security and this particular vendor risk management checklist are to the organization. Team members can lose focus as to how important their role is partly due to the tedious nature of tracking down information. Putting a date on task also helps with motivating people with completing them.
3. Determine a Timeline
Putting a timeline on tasks for both the team members and vendors helps with moving the process along. If there’s not a timeline, then it’s easy for the vendor risk management program to be put to the side. Software programs, such as SecurityStudio, have built-in timelines, but the due dates and timelines can be customized if needed.
4. Inventory of Vendors
Taking inventory of the organization’s vendors is a key step in becoming defensible. Whether the organization is using a software program or a spreadsheet, there needs to be a list of vendors that can pose a possible risk in order to be defensible. This would seem like common sense, but in a lot of situations where organizations don’t utilize a vendor risk management software program, there are incomplete, inaccurate, or outdated spreadsheets floating around in employees’ inboxes. This alone could make a case for software program like SecurityStudio, where all vendors are located in one centralized location.
5. Designating a Relationship Owner
The security analyst, risk manager, administrator of the program, or
whoever is assigned these responsibilities (usually the same person) is not
necessarily the right person who would have access to contact information or
would have direct vendor information to accurately answer classification
questions. Generally, the person who
works directly with the vendor will be able to answer the questions most
accurately. Of course, this can vary
between organizations.
6. Categorizing/Classifying Vendors
Classifying and Categorizing vendors is arguably the most important stage
of any VRM program. VRM programs will measure
the risk of each vendor, and with software programs like SecurityStudio, this is
done efficiently and objectively. The
decisions made at this stage will set the tone and precedence for all future
stages. In short, if you’re going to get
one stage right, this is the one. An
assessment is sent based on this classification.
7. Assess your Vendors
After the classification stage, an assessment is sent based on the
results. This is especially true for
vendor software programs like SecurityStudio.
Assessments vary in length and scope based on classification, but it’s
best practice to have binary answers to assessment questions of either true,
false, or N/A. If a vendor does have a
conditional answer they will be able to explain the answer in another stage
(usually during remediation). Having
binary answers to assessments will create a stronger, more objective,
assessment.
8. Establish your Threshold
As vendors start completing assessments, it becomes time to establish
best practices if the organization hasn’t already done so. For whatever method your organization chooses
to assess vendors, there should be a minimum threshold as to how much risk the
organization wants to take on. In
SecurityStudio, where the scoring is based on a scale similar to a credit score,
the program has a recommended threshold, but organizations are able to set
their own threshold based on objective results.
Whichever method is chosen, it’s best practice to apply the same
standards for all vendors or vendors within a set industry.
9. Choosing a Treatment Plan
Once the assessment results come back, then it’s up to the organization
to determine what to do with the results.
At times it’s a matter of just approving the results, but if the results
are not as favorable as expected, then an organization should have a plan in
place. This is another sample of a
situation where best practices should be established. If a vendor is far too
risky to work with, or if the organization wants to give the vendor a chance to
improve their results, there should be clear plan. In programs, such as SecurityStudio, it’s
relatively easy to look back on assessment results, and then choose a plan
based on them.
10. Objectively Repeat the Process
Vendor
risk management is a never-ending process, and the VRM program needs to be
repeatable in order to be effective at all.
Business relationships change and morph over time, so it would only make
sense that the VRM program should adjust to these changes. Not only would business relationships change
over time, but VRM practices will update with time. Updating the VRM program as new threats
present themselves is just as important.
With programs like SecurityStudio, the changes in security practices and updates
will be automatic and seamless.
This is what happened in the infamous case of Target Data Breach in 2013 and the vendor risk management checklist is something that might have prevented it.
If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
NIST CSF is voluntary guidance based on existing standards, guidelines, and practices to help organizations better manage and reduce information security risk. Another benefit is an increased level of communication around information security with both internal and external organizational stakeholders. The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) because of Presidential Executive Order 13636, which was signed in 2013.
NIST CSF 1.0 vs. NIST 1.1
The first version of the NIST CSF has served us well since its adoption in 2014. 5 years have passed, and the threat landscape has not been stagnant. Because of this a new version, v1.1, was adopted in 2018. Much of the framework still resembles the original v1.0 framework with changes to language that more clearly states the control(s) intent.
There are some additional categories added to v1.1 that are a result of the current emerging threats facing many organizations. Supply Chain Risk Management ID.SC (Vendor Risk Management) is an area that certainly deserves to be formally addressed by the new framework.
There are 5 sub-categories that fall under ID.SC. Let’s dig a little into each category and
look at what this means from a practical standpoint.
Supply Chain Risk
Management (ID.SC)
“The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.”
https://www.nist.gov/cyberframework/identify
Translation – Your organization formally addresses the risks
associated with using 3rd party vendors to support your business initiatives.
The process is formal and has structure
to ensure you evaluate all vendors, not just the ones you feel are important.
ID.SC Subsection
NIST Language
Explained
ID.SC-1
Cyber supply chain risk management processes are identified, established, assessed, managed, and agreedtoby organizational stakeholders
Executive management requires that Vendor Risk Management processes be established. They support thiswith resources (money and staff) needed to properly manage. They communicate this requirement through governance (policies).
ID.SC-2
Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
Every vendor has been identified and classified (based on potential risk to you) regardless of the goods\services supplied. They should be evaluated with the same criteria initially with more scrutiny applied based on risk levels introduced.
ID.SC-3
Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
You can use contracts to ensure 3rd party suppliers meet your information security requirements which might be more stringent than their own internal requirements.
ID.SC-4
Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
In ID.SC-2 above, you initially evaluate 3rd party vendors and assign a risk level. That process should be repeated on a regular (annual) basis. You can focus on the higher risk vendors but you need to consider ALL vendors, even the low-risk ones.
ID.SC-5
Response and recovery planning and testing are conducted with suppliers and third-party providers
High-risk vendors, ones that could cause grave harm to your organization, should be tested for response and recovery assurances. You don’t want their lack of planning and preparedness to negatively affect your organization.
OK, Now what?
Once you determine that you will follow these sound information security principals, you will need a way to do so. Traditionally, questionnaire forms and spreadsheets were used to track vendor risk. Because of the explosion of 3rd party vendor use, this process is no longer a viable solution.
SecurityStudio allows you to address the new NIST cybersecurity framework – Supply Chain Risk Management (ID.SC) guidelines. The once cumbersome process is greatly simplified, efficient and thorough, which puts you in a defensible position.
Part of any vendor risk management program involves putting together a list of vendors. Sometimes this information can be scattered across an organization, and it takes some real wrangling to collect it all. This is why software programs like SecurityStudio are convenient- because they help create a centralized list of vendors that are easy to update as necessary. Here are key places to look for your full list of vendors:
1. Accounts Payable Specialist
The Accounts Payable Specialist is the
first place that most people look for vendors.
This is probably the most practical place to look, primarily because
most companies have to stay on top of their bills. The Accounts Payable Specialist will have all
the company invoices, and in most instances have the most comprehensive list of
vendors.
2. Internal Bookkeeping Software
Sometimes if the company is small enough, all the company debits and credits are collected in a software program and updated by either an accountant or someone who assumes this role. Usually, this type of program is managed by an Accounts Payable Specialist, but this isn’t always the case in all circumstances.
3. Department Heads
Occasionally, not all vendors will provide an invoice. What about that free software that employees install on their computers? This is still considered a vendor and poses a risk. The department head would know the day to day tasks of their employees and would have a better idea as to what’s installed on their computers and other contact with vendors.
4. Tax Forms
Maintaining a current list of vendors is imperative to any vendor risk management program, but keeping a historical list of vendors is ideal. Even though the company may not have business transactions with a previous vendor, there’s a good chance that information is kept on file with the vendor and still poses a risk. Chances are good that this information will be stored on tax forms, so this is an ideal place to look for historical vendor information.
5. Bank Statements
Bank statements are a snapshot of invoices paid and is an excellent source to look up vendors. The information may not be complete, but it’s still a way to locate vendors that may be flying under the radar.
6. Credit Card Statements
While not all vendors are going to be included on a credit card statement or even be paid via credit card, it’s still a good place to look for one of those one-off vendors that aren’t necessarily used very often, but still poses a risk.
If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
https://securitystudio.com/wp-content/uploads/2019/07/SecStu_Banner_FullVendorList_1200x628.jpg6281200SecurityStudiohttps://securitystudio.com/wp-content/uploads/2021/05/ss-logooo-300x42.pngSecurityStudio2019-02-19 09:47:272021-09-01 21:41:536 Places You Can Get Your Full Vendor List
First, let’s start with the question, “why do I need to manage all vendors?”
We get asked this question all the time. If you have a vendor risk management program, then it’s likely you aren’t managing all your vendors (just the high-risk ones, or even a subset of those). The logic of focusing on the vendors that really matter seems rational, but here are some potential issues that arise with it:
How are you deciding which ones to manage?
Are you accounting for all the ways your vendors can impact you?
Are you just managing the handful of vendors that you directly share confidential data with?
Is there a specific trigger you use to pick vendors to manage? (sharing PHI for example)
From both a vendor risk and a defensibility standpoint, all those methods fall short. If you are using a manual process to manage VRM, this may be all you can accomplish given resource constraints and other priorities.
But, what happens if a breach happens within a different vendor that has access to information but hasn’t hit your radar? Or, what happens if the relationship with a vendor changes but you don’t know it changed?
There are many reasons to manage all vendors consistently. Here are a few:
You are accounting for more risk.
You can catch relationship changes and act accordingly.
You can show that you have a consistent process.
All the above reasons make you more defensible should something bad happen. And let’s be honest, you have hundreds of vendors- some of them have been breached, and some of them may be actively breached right now.
SecurityStudio makes it really easy to manage all vendors, as any good software should. Something that is basically impossible to do with a manual/spreadsheet process can be made very simple with a decent software solution.
Let’s make sure we clarify that I’m NOT saying all vendors go through the same end-to-end process. I’m saying account for them all, and once they are classified let their classification bucket (low, medium, or high risk) determine their path.
So where do you get the full list? Finance is the best place. You should be able to request a list of every vendor you have paid in the last 6 or 12 months from finance. This can be a large list. In our experience, 75% of those vendors will be low risk, which is ok. With SecurityStudio, each low risk vendor can be processed in 2 minutes per year.
So enlist finance to help. They can export a csv or xls file. Any good software, including SecurityStudio, should be able to import your vendor list. In this way, you can go from your current process to a mature VRM program basically overnight.
To get your easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
https://securitystudio.com/wp-content/uploads/2019/02/SecStu_Banner_GetFullVendorList_1200x6286.jpg6281200SecurityStudiohttps://securitystudio.com/wp-content/uploads/2021/05/ss-logooo-300x42.pngSecurityStudio2019-02-13 12:19:452021-09-01 21:41:58How to Get Your Full Vendor List
Got a vendor risk management strategy defined? Need help?
You’re not alone.
Introduction
People are not inherently good at defining strategies. This is a problem. The problem is worse when considering information security strategy, and more worse when considering vendor (and third-party) security risk management strategy. These assertions come from observations made over more than 25 years, working with a wide variety of organizations.
If you engage in vendor risk management activities, you
should have a strategy defined. If you don’t have a strategy, then you’re going
to be less effective in achieving anything meaningful to the organization.
This article is dedicated to helping you define an effective
vendor security risk management strategy. An effective strategy will help you
achieve your organization’s goals with measurable results.
Rule of Thumb:
The larger the effort, the more important the strategy. In terms of vendor risk
management:
More vendors = more important.
More people involved in vendor management = more
important.
Now, let’s define a basic strategy together.
Start with why.
Strategies start with why.
If yours doesn’t, it’s probably not a good strategy.
Another word for why
is purpose. I prefer why because it seems that people can
relate to it better. I think this is because they can keep asking themselves
why for every piece, part, and process in whatever it is we’re trying accomplish.
Simple question. Why
are you doing, or thinking about doing, vendor security risk management?
If you don’t know the answer to this, then you have no “why”. If you struggle with your “why”, look at some
of these common ones, and consider them when developing yours:
We want to manage vendor security risk well.
We have to do it because our regulator told us we had to.
We want to be defensible, meaning to be able to defend ourselves in court when/if a vendor-related breach occurs.
Everybody else is doing it, so we should do it too.
We suffered from a vendor-related security breach in the past, and we don’t want it to happen again.
I’ll tell you our why,
where I work. We believe that managing risk is core to the definition of
information security. We can’t manage information security without managing
risk. Vendors pose a risk to the security of our information, so managing risk
must include vendors; therefore, vendor security risk management is core to our
security program.
There it is; we do
vendor security risk management because we believe that it is core to our
security program.
You can have more than one why, and I actually encourage it. The more you have, the more focus
it can bring. Now, document your why.
Document it so you don’t forget it, so you can share it with others, and so you
can make sure other parts of your strategy align with it.
Set goals.
Our goals are set by what we define as success.
Goals must be…
Measurable.
Associated with some function of time (timeline,
timeframe, deadline, etc.).
Aligned with our why.
Think of the ways you can set measurable goals on a timeline that enables your why to be adequately supported. Your why may be different than ours, but I’ll use us as an example again. We’ll use SecurityStudio in our example. Not only do we sell SecurityStudio , but we certainly use it too!
Our Why:
We believe that vendor security risk management is core to
our security program
Goals:
To support our vendor security risk management efforts, we
have defined the following goals:
100% of all vendors will be inventoried in a central repository by 3/1/2019.
100% of all vendors will be classified according to inherent risk (sometimes called “impact”) by 6/1/2019.
All high and medium impact vendors will be assessed for residual risk by 1/1/2020.
Every vendor will be re-classified on an annual basis by the 1st of each year.
All high impact vendors will have a S2SCORE of 660 or higher by 6/1/2020, any exceptions must be formally approved by the business unit Vice President.
All medium impact vendors will have a S2SCORE of 660 or higher by 6/1/2020, any exceptions must be formally approved by the business unit Vice President.
At no time will a vendor S2SCORE of 600 or less be accepted by the organization.
Define how.
Now this is where the rubber meets the road. A strategy is
worthless if it can’t be enacted or executed against. How will we accomplish
our goals? In order to achieve the goals that we’ve set, we’re probably going
to need something, or maybe a lot of somethings.
Obviously, one of things that we leverage is SecurityStudio. If you don’t use SecurityStudio, you can either choose to use it, or you’ll need to find something else. If you’re unsure of SecurityStudio and/or how to implement it, schedule a demo with us today. Whatever you use, it must allow you to accomplish all of your goals. SecurityStudio is one thing, but you’re going to need more. You’ll also need (at a minimum):
A policy. See our previous article about developing and using a vendor security risk management policy (/blog/vendor-risk-management-policy/). There’s even a free policy template there.
Personnel (or time). Somebody will need to do the work. SecurityStudio takes all of the dirty-work out of way, but there still needs to be some involvement. We have a vendor risk management ROI calculator if you’re interested in how much time and money is saved when you use SecurityStudio versus manual processes.
Training. The people who will be involved with vendor risk management are going to require some training. SecurityStudio is simple to use, but it’s still good to do some brief training anyway.
Procedures. Step-by-step guidance will ensure that the same thing is done every time. This gives us the ability to tweak things and make things more efficient.
Budget. Everything costs money nowadays, hard and soft dollars.
That does it for the how. Now combine the high-level how information into your strategy, and give everything a sanity check. Does everything fit, or do you need to adjust? I’ve gone through this same exercise with large companies, and it’s not uncommon to revisit all, or part of the strategy many times before you nail it.
Information security programs are around to protect the data of the businesses they are a part of. Understanding risk is an important part of that, but ultimately it’s the business’s job to make decisions on what types of risks they are willing to accept. It’s the information security program’s job to make informed recommendations about those risks. Sometimes, though, those recommendations are ignored.
While it’s important to make decisions that are best for the business, deviating from security recommendations can pose challenges. It’s important that you maintain a simple, standardized, and defensible information security program (and vendor risk management specifically). Certain business decisions detract from that.
Simplify
We fully understand that a business’s first goal is to make money. That’s why businesses exist. Security programs are meant to create efficiencies that align with your business objectives to be a driving force for profit— not the other way around. However, if you chose to make decisions independent of our security teams’ recommendations, you can actually do the opposite.
Information security programs (and their vendor risk management initiatives in particular) can have a monumental impact on the efficiencies of an organization— especially as it pertains to employee time.
People in information security programs are often required to chase down vendors. You need to have an inventory of all of our vendors so that we know who poses threats to you. In order to do that, your security team will start at accounts payable, get a list of the current vendors your business works on, and then spend ludicrous amounts of time trying to understand the level of risk that vendor poses.
Because your information security professionals have a limited understanding of what each vendor does, they have to get an idea from the person who works with them most closely how their interactions may pose security threats. You now have two employees taking up their time to get this information figured out.
Once this is finally determined, the information security employee is going to send out a questionnaire or spreadsheet to the vendor in hopes that the person on the other end is the right contact, that they’ll fill it out correctly, and that they won’t have to be chased down every three weeks to see if it’s been completed yet.
Do you see how time-consuming this can be?
A vendor risk management tool automates many of these processes. It eliminates the chasing, the back-and-forth, and the manual entry your information security employees would otherwise go through. Because of this, their time can instead be used on the things that will make the most positive impact on your bottom line. The same is true with the non-security employees that have to assist.
You may decide that you don’t want to spend the money on an automated solution to help you smooth down these processes. Doing these things without systems, though, creates unnecessary complexities— and complexity is the enemy of security and business.
Standardize
Standards are crucial when it comes to information security. There are rules, guidelines, principles, and best practices that should help feed your information security decision-making.
Information Security Industry Standards
Certain industries have requirements and regulations they are asked to follow with regards to information security. If your organization fits their threshold, you likely have no choice but to comply. While these standards don’t necessarily provide the perfect example of what security is, they do provide good foundational rules to follow. Deviating from the rules of industry standards can have two effects.
This is actually an example of where deviating from rules and standards can be a good thing. As mentioned before, security standards often provide a good foundational base for your security programs, but they are often just that— a minimum requirement that helps you get started. Businesses can (and should) deviate from industry standards by adding to them. Adding measures on top of what the industry standards suggest you accomplish in your security program is an important step in bolstering your protections.
The opposite side of that coin is choosing to skip or ignore standards that are required by your industry regulations. Doing this can severely damage your business. Payment card industry (PCI) compliance is a good example of this. Many small businesses choose not to go through the steps of being PCI compliant because of the time, effort, and money that goes into complying. However, a breach that impacts your customers’ credit card information often creates irreprehensible financial and reputational losses that could end up forcing you to close your doors permanently.
When it comes to vendor risk management, the same concern applies. You can choose to deviate from acceptable industry norms, here too. Some organizations choose to change up the assessment questions that they ask their vendors to complete regarding their risk. Doing so may push you outside the compliance threshold within your industry standards and it also requires someone to justify the changes. Justification relies on subjectivity, rather than objectivity, and makes it significantly more challenging to explain if you needed to defend your decision.
Internal Standards
Standards are one way to get everyone within your business on the same page about things like acceptable risk levels, information security spending, incident response measures, and more. Implementing a set of policies and procedures that are standard across your organization, and across organizations similar to yours, ensures that you’re taking the appropriate measures to mitigate risks and protect your business.
Deviating from your internal standards proves that they aren’t the right standards. If you feel that you need to make decisions that go against the standards of your organization, they clearly aren’t working for your business. And you won’t be able to expect others to follow them if you aren’t either.
Your risk increases as you deviate from standards too. Take the S2SCORE for example. You can use risk assessment metrics like S2SCORE to set a risk threshold you want your organization and vendors to uphold. You might make a decision that everyone needs to be above a 650 in order to continue working with them. Sometimes, though, the business might feel the need to make a decision outside the standards set in place. You may work with an organization whose business is critical to the success of yours. Therefore, you may want to accept them as a vendor despite their S2SCORE being 550 instead. While it’s important you make these kinds of decisions if you feel they’re critical to the business, it’s also important to understand that this increases the likelihood your data is compromised.
Defend
Ultimately, creating standards and sticking to them is all about making your organization more defensible in the event that something does go awry and your data is compromised. Breaches do happen. Often. It’s impossible to prevent all breaches.
Deviating from standards makes your business less defensible when a breach happens.
If your business feels they need to make exceptions to rules for its benefit, that’s fine. If you make a system standard, you just have to defend the standard. Make sure you’re taking a logical and objective approach to all of your exceptions before implementing them. This will help you stay defensible (and help you ensure that your decisions aren’t going to have a negative impact on your security).
If you make decisions that deviate from standards, customize systems too much, etc., it becomes increasingly more difficult to explain your case to those who are asking. Unfortunately, a breach’s impact stretches beyond your boardroom. Customers, news outlets, lawyers, and more will be asking questions about how and why things happened the way they did— and what you plan to do about it.
Particularly on the legal side and the industry regulator side of this, you’re going to have to explain why this incident happened. If you make exceptions to rules, you have to defend the logic behind the exception. Why you didn’t go with your standard? This is important to think about as we consider making decisions that extend beyond the scope of industry and internal standards that have already been implemented.
Conclusion
While it’s important for businesses to take information security recommendations seriously, it’s also important to remember that information security programs are around to supplement the business’s objectives. For that reason, businesses should be allowed to make decisions outside the scope of industry and internal security regulations. If they do though, there can and will be consequences. Weighing those consequences can be challenging, and it can be difficult to defend the logic behind any deviations. At the end of the day, make if you’re going to make decisions outside the recommendations of information security standards, ensure they still help your business simplify, standardize, and defend.
https://securitystudio.com/wp-content/uploads/2019/07/SecStu_Banner_InfoSecurityRecomm_1200x628.jpg6281200SecurityStudiohttps://securitystudio.com/wp-content/uploads/2021/05/ss-logooo-300x42.pngSecurityStudio2018-11-02 14:21:202021-09-01 21:43:52Deviating from Information Security Recommendations
We are committed to providing free resources to help keep you, your business or organization, safe. We protect your information and never give it out to vendors.
Please also follow us on Linkedin to catch our latest updates. If you found this information helpful, please share with your community.
