I just completed a whirlwind, virtual tour of New York bar associations (and boy are my arms tired…) to teach CLEs regarding New York’s new SHIELD Act. (Thanks to the New York State Bar Association, the Broome County Bar Association, the Tompkins County Bar Association and the Onondaga County Bar Association!) One of the issues that comes up in these presentations is the topic of vendor management.
It’s not an easy issue, and here’s why… If you are a billion-dollar company, chances are you have enough leverage to have an arm’s-length negotiation with many of your vendors. You can explicitly require that they take certain steps to protect you both. Failure to comply is breach of contract, and is actionable. But the SHIELD Act is unique among state cybersecurity laws in that it requires businesses of all sizes to take proactive steps towards assuring “reasonable safeguards” of personal information. For contrast, in California, these proactive security requirements only apply to companies that take in at least $25 million in annual revenue (or that are in the business of trading big data).
Meaning, if you are doing business in NY and you’ve got a five- or six-figure annual revenue, you are in the uncomfortable position of having to vet your vendors to ensure the data you are sending them is being secured, while having no leverage to force most vendors to do so. An example of the type of vendor you might be using where this issue arises would be a credit card processor, who most certainly has your customers’ personal information. For an illustration of this problem, try calling up Google and telling them that you would like to negotiate the terms of your user agreement for Gmail. Good luck.
There are a couple of approaches we can envision to address this issue. First, we can recognize that the SHIELD Act requires you to take “reasonable” safeguards. Small businesses are not required to take heroic measures to safeguard their information. We should not be bankrupting ourselves to accomplish data security. Second, we can dive into the vendor management process a little and identify areas where a small business can perhaps maneuver. Enter the vendor questionnaire. Obviously, to fully execute on a program like this, you might want to retain an attorney who knows about this stuff.
The Vendor Questionnaire
The Vendor Questionnaire is rapidly becoming one of the primary means by which we can perform due diligence on our vendors. There are pluses and minuses. The more involved your vetting process, the more costly it becomes to retain vendors. Further, you are relying on the vendor’s word. Be sure to follow up when you can. Ask for proof. Ask for referrals.
Not everyone is going to be willing to complete such a questionnaire, but the good news is that questionnaires have gained in popularity to an extent that they are becoming standardized. If questionnaires are standardized, there is a good chance that even larger potential vendors may be willing to share them with small firms.
For a review of standardized questions (which have the added benefit of being more cost-effective for small businesses), take a look at the CIS Top 20. This is a great starting point for the types of questions you should be asking of potential vendors. You can also look at NIST, SIG, and VSA. Some of these organizations even offer free questionnaires that you can use yourself. Of course, if you aren’t in a position to evaluate the answers, they may be difficult to use, but with more vendors addressing the same questionnaires, it is becoming easier for small businesses to get answers. You may still need someone to review the responses.
Here are some basic questions that you can ask, which will at least give you a starting point to evaluate. Remember to document the answers, which will be an important part of your compliance documentation generally:
Information security and privacy questions
- Does your organization process personally identifiable information (PII) or protected health information (PHI)?
- Does your organization have a security program?
- What standards and guidelines does it follow?
- Does your information security and privacy program cover all operations, services and systems that process sensitive data?
- Who is responsible for managing your information security and privacy program?
- What controls do you employ as part of your information security and privacy program?
Physical and data center security questions
- Are you in a shared office?
- Do you review physical and environmental risks?
- Do you have procedures in place for business continuity in the event your office is inaccessible?
- Do you have a written policy for physical security requirements for your office?
- Is your network equipment physically secured?
- What data center providers do you use if any?
- How many data centers store sensitive data?
- What countries are your data centers located in?
Web application security questions
- Do you have a bug bounty program or other way to report vulnerabilities?
- Does your application have a valid SSL certificate to prevent man-in-the-middle attacks?
- Does your application require login credentials?
- How do users get their initial password?
- Do you have minimum password security standards?
- How do you store passwords?
- Do you offer single sign-on (SSO)?
- How can users recover their credentials?
- Does your application employ a defense in depth strategy? If so, what?
- How do you regularly scan for known vulnerabilities?
- How do you do quality assurance?
- Do you employ pentesting?
- Who can we contact for more information related to your web application security?
Infrastructure security questions
- Do you have a written network security policy?
- Do you use a VPN?
- Do you employ server hardening?
- How do you keep your server operating systems patched?
- Do you log security events?
- What operating systems are used on your servers?
- Do you back up your data?
- How do you store backups?
- Do you test backups?
- Who manages your email infrastructure?
- How do they prevent email spoofing?
- How do you protect employee devices from ransomware and other types of malware?
- What operating systems do employee devices use?
- Are employee devices encrypted?
- Do you employ a third party to test your infrastructure security?
- Who can we contact in relation to infrastructure security?
Another vendor management guidepost to use is a security rating or certification. Especially if you are using a very large vendor, security ratings should be easy to monitor and will provide a very basic reassurance that you are acting “reasonably”. There are a number of popular ratings companies, and there seems to be a battle for dominance in that field as of late. Here is one. SOC 2 certification is also a good starting point when evaluating the security of a potential vendor.
In a later post, I will discuss more about security ratings, SOC 2 and other certifications, as well as third-party monitoring and audits. Stay safe out there…