Konrad Fellmann, Cubic,
Chief Information Security Officer

  • Vendor questionnaires should require written explanations of security practices so that you can judge whether the people responding actually know what they are talking about.
  • Third-party security assessments are essential for verifying that a vendor is actually doing what it says it’s doing about its security practices.

“I don’t trust anybody. You have to verify. This is where I like to take advantage of third-party audits: They tell me somebody else actually looked at this and verified it.”


As chief information security officer at Cubic, Konrad Fellmann is responsible for ensuring that the company has a proper vetting process in place that validates the ability of vendors and suppliers to operate in accordance with Cubic’s security requirements. This vetting includes an assessment at the time vendors are initially engaged, and it continues with periodic reassessments and continuous monitoring of key vendors.

Cubic’s process begins with a questionnaire based on standards the company has established for what it expects to see in its suppliers. “We implemented a vendor assessment solution that sends out questionnaires to the right points of contact,” Fellmann explains. “It gathers data about what the suppliers are doing for us. Then, we can categorize the vendors and ask further questions in a dynamic assessment of their security practices.” For example, if the vendor is a software-as-a-service provider or a service provider that may have access to data, part of the evaluation may include reviewing a Service Organization Control (SOC) report or some type of third-party audit that shows that the vendor has good security practices in place. Or, if the vendor will handle credit card data in one of Cubic’s commercial programs, Cubic will look for a Payment Card Industry Data Security Standard audit report attesting to compliance. If a vendor will provide code development, Cubic provides it with security requirements for creating secure code, and then verifies that the vendor is in compliance by looking at its practices for evidence that it has a sound program in place.



This is an excerpt from 7 Experts on Evaluating and Managing Supply Chain Risk.  This eBook was generously sponsored by BlueVoyant.