Page 176 - Cyber Defense eMagazine April 2023

monitoring and reporting obligations. Include these requirements in all vendor contracts and agreements and conduct regular audits to ensure compliance.

The security requirements should specify the type of data the third-party vendor will have access to and outline the measures that the vendor should take to safeguard the data. If the third-party vendor handles personal data or sensitive information, the security requirements should also cover privacy requirements. These requirements might include compliance with relevant data protection laws, such as GDPR or CCPA, and implementing appropriate privacy controls to protect sensitive information.

Also, specify the procedures that the third-party vendor needs to follow in the event of a security breach. This includes notification protocols, mitigation measures, and steps to contain and resolve the incident. Your contract document should also outline the monitoring and reporting obligations that the third-party vendor must follow. These might include regular security audits, reporting security incidents or breaches, and regular communication with the business regarding the vendor's security practices.



Keep your vendor list up to date

Organizations often lose track of the services they use and the data their vendors have access to. This can be disastrous for your third-party cyber security risk management strategy.

Maintain an accurate vendor list and regularly review each vendor's access to data so that sensitive data is exposed only to those who need it. This reduces the risk of data breaches or leaks and limits unauthorized access to or misuse of sensitive data.

Moreover, you will have more control over your system when you have clear knowledge about your vendors and their access to data. For example, if a third-party vendor has access to highly sensitive data, you can implement additional security controls or ask the vendor to deploy a more stringent security protocol for that particular set of data.

An updated vendor list will also help you respond quickly if a security incident occurs. When you know who has access to the data, you can immediately identify the relevant vendor and take appropriate measures.




Implement continuous monitoring and limit access

Continuous network monitoring is critical for identifying and addressing potential cybersecurity risks in real time. Continuously monitor your network traffic to spot any irregularities. This will help you recover quickly if a cyber-attack through a third-party system occurs.

Your team should also continuously monitor the vendors for security risks. The monitoring should include regular security audits, penetration testing, vulnerability scanning, and ongoing risk assessment. This will help you evaluate the effectiveness of third-party vendors' security practices and detect any vulnerabilities and weaknesses in their systems and applications. Consider hiring third-party auditors to draw on their expertise.



