Compliance with 3rd party security policies

Compliance with 3rd party security policies is a common issue for SMB companies. However, even small and medium-sized companies can perform well during a third-party security assessment. The biggest factor is being prepared. Because so many firms are outsourcing services to third-party service providers, oversight of those providers is a growing concern.

Scrutiny of third-party compliance is growing

The protection of information technology (IT) assets is necessary to establish and maintain trust between companies and their business partners. There are state, Federal, and international privacy laws regulating the handling of consumer data. Common categories include personally identifiable information (PII) and personal health information (PHI). Regulatory pressure is increasing as well. For example, both the Financial Industry Regulatory Authority (FINRA) and the US Federal Financial Institutions Examination Council (FFIEC) require companies to assess their vendors’ controls.

The risk of security non-compliance is significant

There is good reason for the regulatory oversight. Nearly 60 percent of respondents to a recent survey experienced a data breach caused by a third party or vendor. Another cybersecurity study found that less than 30 percent of small companies rate their ability to mitigate threats, vulnerabilities, and attacks as highly effective. These gaps in compliance can be devastating when small and medium-sized (SMB) companies face a security assessment from their clients.

Resources to ensure security compliance

There are many resources available to assist with preparing for a third-party security assessment. This article highlights a few key areas that are commonly focused on and how to manage them.

Physical and environmental safeguards

Exposure of assets can occur through physical access or through damage to or destruction of physical components. Specific weaknesses include limited or non-existent physical controls, building layout, the geographic location of the facilities, and the power infrastructure. Areas analyzed typically include perimeter safeguards, interior/exterior building security controls, primary and alternate power architecture, and server room security controls and conditions. In addition, assessors scrutinize environmental controls such as climate control and fire detection and suppression, as well as threat sources and mitigations, both natural and environmental.

Governance organization

Governance includes documented policies, standards, procedures, and affiliated support documentation. It also includes audit and risk management functions to ensure there is proper internal oversight of the IT organization. The purpose is to ensure the vendor has an effective program to address privacy and security objectives. In addition, companies want to gain insight into the maturity of the program and understand the level of expertise and seriousness with which the vendor approaches its security and privacy responsibilities. Typically, ISO 27001 certification and SOC 2 Type II audits are good benchmarks for success.

Logical security infrastructure

Vendors should have mechanisms in place for protecting electronic data at rest and in transit. This includes network monitoring, system hardening, formalized system changes, and data storage that is commensurate with the organization’s policies and procedures. Specific examples include patching processes, change control processes, perimeter and system security monitoring and escalation, data backup and recovery process, data loss prevention, and portable device management and security.

Security and privacy education program

As privacy legislation continues to emerge, disseminating the regulatory, privacy, and security obligations throughout the organization becomes increasingly important. The awareness and privacy program controls focus on the vendor’s ability to formalize and implement a program that educates employees on their responsibilities.

Many companies will implement bare-bones awareness programs to meet either audit or regulatory compliance. However, such programs may be ineffective. Employees are the weakest link in the cybersecurity defense chain. Both PCI and the SANS Institute have documented standards for the program that serve as a guide for building robust programs.

Utilizing a Managed Service Provider for 3rd party security compliance

As noted, some solutions are best handled by outsourcing, for several reasons:

Resource availability

The labor market is tight for qualified cybersecurity developers. Outsourcing can alleviate the headache of recruiting, hiring, and training them. Oversight of the vendor that is monitoring and maintaining the logical infrastructure is crucial. Things to consider are non-disclosure and service level agreements, as well as having another outside auditing company periodically review the outsourced company’s work as an additional level of control.

Cost

Cybersecurity tools and talent can be expensive. For example, smaller organizations that have the data center integrated into the main office commonly lack proper physical security controls such as guards, badges, and monitoring. This is a good area where it makes sense to outsource the function to a cloud security provider.

What’s next? Let’s get started, it’s free.

Outsourcing to third parties has been growing for many years, and the trend does not seem to be slowing down. For example, Gartner recently forecasted a nearly 20 percent growth rate in public cloud computing worldwide in 2019. Utilization of Infrastructure-as-a-Service (IaaS) is expected to grow nearly 30 percent on its own. If your organization is not designed to manage a sophisticated information technology infrastructure, then building one internally may not make good business sense.

Do you have questions that you need answered? Do you need help implementing these strategies in your own business? Please feel free to contact us today and we can give you a free assessment of your company’s IT needs.