Don’t Get Spooked by a Third-Party Vendor
5 Critical Security Topics to Address with a Potential Vendor
Using a third-party vendor can offer significant advantages for organizations looking to streamline operations and access specialized expertise. Vendors, such as the National Student Clearinghouse, can bring deep industry knowledge and advanced tools. The Clearinghouse, for example, houses a variety of products and services for education and the workforce as well as accessible subject experts. By offering these resources, we help organizations focus on their core competencies.
Security Topics to Address with a Potential Vendor
Working with a third-party vendor is a strategic decision that significantly impacts your organization’s data security. With increasing threats and regulatory scrutiny, you can never be too careful in the search process. Conducting a thorough vendor security assessment is essential.
There are five areas to address before signing a contract that will help you manage third-party risk and protect sensitive information.
1. Ask About the Vendor’s Risk Management Strategy
It is crucial that you consider the vendor’s cybersecurity practices before entering a partnership. Ask questions that will help you understand its risk management strategy and reveal how seriously it takes data protection. Strong questions include:
- Do you have a formal, authorized security program?
- How do you prevent unauthorized access?
- Do you use multifactor authentication (MFA), or have you moved to passwordless?
- Is your program validated through independent audits, like SOC 2 or PCI?
2. Understand the Connection and Access to Your Data
In some cases, the vendor may need to connect to your systems and access your data. Learn how this works by considering questions like:
- Is the solution cloud-based, on-premises, or hybrid?
- Will they need to modify or extract data?
- Does the partnership contract define their responsibilities if there are any issues?
Understanding the vendor’s access to your data is vital for you to maintain control and accountability.
3. Review Independent Security Audits
It is a good idea to validate any audits. You should request recent security audits and certifications like:
- SOC 2 Type 2 reports for comprehensive control reviews
- PCI compliance (for vendors handling payment data)
- Results from penetration testing and vulnerability assessments
These documents can help you evaluate if a vendor meets industry standards and is prepared to counter threats.
4. Examine External Vulnerability Scans
External scans can offer insight into a vendor’s perimeter security, and running them is a key step in any vendor cybersecurity evaluation. You can use open source or paid “external attack surface” scanning tools, like SSL Labs, BitSight, SecurityScorecard, UpGuard and many others, to assess the vendor’s public-facing systems. Look for “A” and “B” grades. Note any lower grades since these can indicate broader issues.
If a vendor scores poorly, it could reflect weaknesses in their overall security posture.
5. Insist on Strong Contract Language
Contracts with third-party vendors should include cybersecurity clauses that reflect your expectations and regulatory obligations. This protects your organization and also transfers some security risk to the vendor, demonstrating your due diligence. These clauses may include:
- Definitions of patch response times and incident response planning
- References to best practices, such as NIST or ISO standards
- Disclosure of data-sharing practices
Explore Other Cybersecurity Practices
Taking the time to ask the right questions and review key documentation can help your organization secure strong and safe vendor partnerships. Plus, by proactively addressing these critical topics, you demonstrate your commitment to cybersecurity excellence. Protecting your organization does not start or stop there, though. Cybersecurity is vast, and there are many best practices to keep you safe.
If you work or are interested in higher education, dive deeper into these best practices with our panel of cybersecurity experts in an upcoming webinar. They’ll discuss effective training strategies focused on the four core areas of cyber readiness, steps staff can take to reduce risk in their daily work, and how institutional leadership can foster a culture of cybersecurity awareness.
Register now for “The Cyber Ready Campus: Empowering Higher Ed Staff for Digital Defense” on November 3rd.