Being compromised is never really bad, until it happens to you!

Identify the definitive list of your vendors, then determine to whom those vendors subcontract, i.e. the complete list of parties who have access to your data. This may not be apparent to you, as many vendors subcontract and do not explicitly share this information; they provide it only upon request, and of course you must know to ask for it.

Now that you have a comprehensive list, review the following criteria against each vendor.

ACCESS, regardless of where the data resides (on site, with the vendor, or both):

Determine what level of access each vendor has been granted, and assign only the minimum level of access required for the work the vendor needs to perform.

Data is rarely maintained only in the systems that run the application; copies end up in reporting, analysis and test systems as well.

      • Reports or queries are run that pull information from your data. The vendor needs to provide a list of all users who may be performing these functions
      • Require that the vendor obtain your written permission before using your data anywhere other than for production needs (for example in test, development or analytics environments)
      • A vendor’s internal systems that connect to, process and/or analyze your data
        • Need to have proper update and patching policies in place so that security vulnerabilities are kept to a reasonable minimum

A vendor with a compromised system puts your data and your business at risk.

POLICIES your vendors must follow when working with your data:

      • Documentation on how your data is shared with the vendor(s)
      • Restricting the communication path between the systems to only what is required for the task
      • Ensuring/requiring that the data communication path (whether private or public) is encrypted (i.e. secure web access, VPN, or both) and that data is encrypted “at rest”
      • Ensuring your information is segregated from the data of all other companies
      • Provisions for returning/exporting/archiving/destroying the data (as appropriate) upon conclusion or termination of a contract

For the vendor’s users and devices that access your data:

      • Ensuring/requiring that client/user access to your data goes only over the encrypted communication path
      • Having methods/systems in place that verify the identity of the remote user and device
      • Using multiple layers, such as a central directory and MFA (Multi-Factor Authentication) tools
      • Understanding what the users can do with the data (view, copy, save) and whether that data can be stored locally on their device

TESTING – Conduct regular penetration tests, semi-annually (twice a year) or annually

      • To determine the efficacy of the system’s security you must test the effectiveness of the security measures:
        • With regularly scheduled security testing it is recommended to alternate between two security testing vendors, thereby varying the tools, the potential findings and the recommendations
        • After each test, review the results and ensure a remediation plan is executed in a timely manner. A retest is typically run as part of the engagement to confirm the desired changes have been achieved.

Look to do business with IT vendors who have released for your review current, applicable security standards reports, or who hold IT security certifications or independent assessments (e.g. ISO/IEC 27001 certification, or an assessment against a NIST framework; note that NIST publishes frameworks and standards but does not itself certify vendors) or

Be very cautious of vendors who contend that their larger enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of, or an unwillingness to understand, the cyber threat landscape.

As Geoff Belnap, CISO of Slack, put it: “if your business makes money by collecting, hosting or processing data from others, you’re a security company. Act like it.”