The Single Question Vendor Risk Assessment

Dan Gardner
Published in ProcessBolt
Jan 2, 2018 · 2 min read

If you had only one question to ask a vendor in order to assess their information security posture, what would it be?

In other words, what is the single most important indicator of a successful information security program — job one, if you will?

Do you have an intrusion detection system?

Do you conduct regular penetration tests?

Something related to human resources?

Something about a sufficient password policy?

For my money, the one question would be simple:

Are your systems patched and up to date?

Just look at the breach reports. The number of breaches that can be attributed to unpatched systems is alarming. We are not talking about sophisticated zero-day exploits here either. These are exploits for vulnerabilities that were patched months, or in many cases, years ago.

Yes, keeping systems up to date requires resources. If a vendor is unable or unwilling to expend those resources, then you should be looking for a better alternative. A partner that is unwilling or unable to do the basic blocking and tackling needed to keep my information safe needs to be flagged as a tremendous risk.

Maybe we don’t care about our paper towel supplier very much, I’ll give you that. But if we are talking about systems that handle payroll, customer information or any other sensitive data, failure to maintain them is unacceptable.

It is now the year 2018. We live in a world where DevOps has moved from being a new technology trend into mainstream — IT is expected to be agile. If an organization can’t update a system because it needs to run on NT 4.0, there are no developers left to maintain it, and management is unwilling to invest in updating the system, then shame on them for being willing to accept money to keep the system running, but unwilling to do what is necessary to keep the system secure.

On the other hand, we need to take some responsibility. If we know a vendor is being negligent about protecting the systems with our sensitive data on them, then we need to find an alternative. Yes, rip and replace projects are painful and expensive, but if we knowingly continue to do business with a negligent vendor, doesn’t that make us negligent too?

How do we know if our vendors are doing the right things? The first thing you need to do is ask.

If you only had one question to ask, I would suggest: “Are your systems patched and up to date?”

How about you? If you only had a single question to assess your vendors, what would it be?

To see how ProcessBolt can help your vendor risk management program, visit us at https://processbolt.com to sign up for a free trial.
