
Vendor Risk Assessment checklist for Outsourcing IT Services


For any organization considering outsourcing software development, support or IT services, it is important to include a security risk assessment as part of the evaluation process.


In an era where technological innovation is central to business success, organizations are increasingly looking towards outsourcing their IT and Software development needs to harness specialized skills and cutting-edge solutions. While this strategy offers significant benefits in terms of cost-efficiency, agility, and access to global expertise, it also introduces a myriad of risks, particularly related to security.


A Vendor Risk Assessment is a critical tool for evaluating and mitigating these risks, ensuring that the chosen vendor's security policies, practices, and compliance standards align with the organization's requirements and expectations. From safeguarding sensitive data to complying with legal and regulatory mandates, a robust assessment encompasses various aspects of the vendor's operational landscape.


The importance of conducting a comprehensive Vendor Risk Assessment cannot be overstated. It not only protects the organization's valuable assets but also strengthens the trust and collaboration between the parties involved, leading to a more successful and secure outsourcing partnership.


The following checklist offers an extensive examination of the critical areas to be evaluated as part of this risk assessment, guiding organizations in their pursuit of a secure, competent, and dependable outsourcing vendor. Whether you are entering into a new partnership or re-evaluating an existing one, this assessment will serve as an indispensable resource for safeguarding your organization's interests and sustaining a resilient business relationship.


In addition to the evaluation process generally used to assess a vendor's capabilities and skills in the core technical, functional and management areas, organizations should also evaluate the security landscape of the vendor organization.


While security is a vast topic, we have tried to include as many points as we can to give you a starting point for drawing up an initial vendor risk assessment checklist.


The checklist consists only of questions; some will need to be answered in detail, with supporting attachments where applicable.


Complete checklist of Vendor Security Risk Assessment for Software development and IT services outsourcing


Security Function:

  • Is security a separate function in your organization?

Budget:

  • What percentage of your total infrastructure budget is allocated to security?

Organization:

  • Does your organization have an information security infrastructure and organization?

  • Is it headed by someone such as a Director of Security or a CISO?

Documentation:

  • Is there technical security configuration documentation for the technologies or major business applications in your organization?

  • Is the hardware in place configured according to any hardening guidelines?

Golden Images:

  • Do you have Golden images in use when installing or spinning up new machines?

Open Source Software:

  • What is the policy of usage of Open Source Software in your development stack?

Information Security Policies:

  • Does your organization have information security policies?

  • Do you maintain an information security management system (ISMS)?

Physical Security:

  • Does your organization have physical security controls in place?

Patch Management:

  • Does your organization enforce a patch management process?

Virus Protection:

  • Does your organization have a virus protection program in place?

Internet/DMZ:

  • Are systems in your Internet/DMZ environment secured?

Internal Systems:

  • Are internal systems secured?

Industry Standard Certifications:

  • Is your organization certified for any industry standard certifications? (ISO, PCI, SSAE, SOX, etc.)

Roles and Training:

  • Do you have a Cyber Security Engineer role in your organization?

  • Do new employees undergo Security induction training? Is this mandated?

  • Do existing employees go through any annual refresher course in Security policies?

  • Do you plan workshops for senior management for security awareness?

Security Simulation Tests:

  • Have you ever run security simulation tests as part of the awareness program (phishing, emails, etc.)?

Separate Environments:

  • Do you have separate Dev, QA, and Staging environments?

VDI and Cloud:

  • Do you have employees using VDI solutions? Are these on the cloud?

  • Do you have any presence in the cloud, and for what internal purposes do you use it?

  • Do the defined security guidelines also apply to this cloud infrastructure?

Security in Development:

  • Is security considered while designing applications?

  • Do you have a Security architect role defined in your resource planning for a project?

  • Do developers understand the principles of OWASP top 10?

  • Do you have a secure coding guideline? Secure code review checklist?

  • Do you have a security training program for developers and testers on secure application development?

Testing:

  • Do critical systems receive full security testing before deployment?

  • Does your organization have a program in place to periodically test security controls?

  • Internal Audit

  • External Audit

  • Penetration Testing

  • Vulnerability Assessment

System Logs:

  • Do you maintain system logs?

  • Where are they stored? Who has write access to this?

  • For how long are these archived?

  • Are system logs reviewed for security related events?

  • Is there a SOC (security operations center)?

Third Parties:

  • Does your organization enforce security standards for third parties that connect to your network?

  • Do third party contracts include security provisions? Are these reviewed periodically?

  • Does your organization outsource any portion of its information security, or the maintenance or roll-out of any new system or device?

Backup and Restore:

  • Does your organization have backup and restore procedures in place?

  • Where are the backups stored? Who has access to these?

Business Continuity:

  • Does your organization have a Business Continuity Plan (BCP)?

  • Is it tested frequently?

Funding and Insurance:

  • Security breaches cause unexpected financial losses. Has your organization planned for the funding of such expenses?

  • Does your organization have any insurance coverage for security incidents or breaches?

  • Does your organization require all vendors to maintain liability insurance?

Background Verification and Physical Security:

  • Do you conduct employment background verification checks?

  • Is your data center access restricted to authorized users only?

  • Are all the access control lists reviewed periodically?

  • Are the entry and exit points of all facilities guarded 24x7, and is entry restricted to authorized users only?

  • Do you have physical security controls, such as CCTV, for monitoring facilities? For how long are the logs stored?

DevSecOps:

  • Do you have a DevSecOps practice that is offered as a service to your customers?

Conclusion

This checklist serves as an initial starting point for evaluating the security landscape of a vendor organization. Depending on the specific nature of the services being outsourced and the industry regulations, additional questions and considerations may be required. Implementing this comprehensive risk assessment can provide valuable insights into the vendor's capabilities and alignment with your organization's security requirements, contributing to a robust and secure outsourcing relationship.



