WOLF//SEC
← Domain 5
OBJECTIVE 5.3 Explain

Explain the processes associated with third-party risk assessment and management

Your security is only as strong as your weakest vendor. Third-party risk management ensures that external relationships don’t create unmanaged attack surface.

Vendor Assessment

Due Diligence

Investigating a vendor’s security posture before entering a relationship.

  • Review their security certifications (SOC 2, ISO 27001)
  • Request penetration test results or vulnerability scan summaries
  • Evaluate their incident response history and disclosure practices
  • Assess their financial stability (a vendor going bankrupt is a business continuity risk)

Vendor Questionnaires

Standardized sets of security questions sent to potential vendors.

  • SIG (Standardized Information Gathering) questionnaire is a common framework
  • Cover: access controls, encryption, incident response, data handling, compliance, subcontractors
  • Limitation: Self-reported — trust but verify through audits and evidence requests

Right to Audit

Contractual provision allowing you to audit the vendor’s security controls.

  • May include on-site assessments, evidence review, or third-party audit results
  • Critical for high-risk vendors handling sensitive data

Evidence of Security

  • SOC 2 Type II: Independent audit of security controls over time (6-12 months). Most commonly requested.
  • SOC 2 Type I: Point-in-time assessment. Less valuable than Type II.
  • ISO 27001 certification: Demonstrates an Information Security Management System
  • Penetration test reports: Evidence of proactive security testing
  • Compliance certificates: PCI-DSS, HIPAA attestation, FedRAMP authorization

Agreements

Service Level Agreement (SLA)

Defines measurable performance expectations.

  • Uptime guarantees (99.9%, 99.99%)
  • Response times for incidents and support
  • Penalties for non-compliance
  • Security-relevant SLAs: Patch deployment timeframes, incident notification deadlines, backup/recovery metrics

Memorandum of Understanding (MOU)

Less formal than a contract. Documents mutual intent and expectations between organizations.

  • Common between government agencies or partner organizations
  • May or may not be legally binding depending on language

Memorandum of Agreement (MOA)

More specific than an MOU. Documents agreed-upon terms and responsibilities.

  • Typically includes specific deliverables and timelines
  • More formal than MOU, less comprehensive than a full contract

Master Service Agreement (MSA)

Overarching contract governing the overall relationship between organizations.

  • Covers general terms, liability, dispute resolution
  • Individual projects/services operate under the MSA with specific statements of work (SOW)

Non-Disclosure Agreement (NDA)

Legal agreement preventing disclosure of confidential information.

  • Mutual NDA: both parties agree not to disclose
  • One-way NDA: one party discloses, the other agrees to protect
  • Must be in place before sharing sensitive information during vendor evaluation

Business Partners Agreement (BPA)

Defines the relationship between business partners including responsibilities, profit sharing, and liability.

Data Processing Agreement (DPA)

Required under GDPR when a data controller engages a data processor.

  • Defines what data is processed, how, and under what protections
  • Specifies data subject rights handling, breach notification requirements

Supply Chain Risk

Vendor Dependency

Reliance on a vendor for critical services creates business continuity risk.

  • What happens if the vendor has an outage, breach, or goes out of business?
  • Mitigation: Multi-vendor strategies, contractual protections, exit planning

Fourth-Party Risk

Your vendor’s vendors. Their breach is your breach if they handle your data.

  • SolarWinds attack: customers trusted SolarWinds, but the breach came through SolarWinds’ build process
  • Require vendors to disclose and manage their own third-party relationships

Hardware Supply Chain

  • Tampered hardware components (documented cases of firmware implants)
  • Counterfeit components that may fail or contain backdoors
  • Mitigation: Trusted suppliers, hardware integrity verification, chain of custody documentation

Software Supply Chain

  • Compromised open-source dependencies (npm, PyPI malicious packages)
  • Compromised update mechanisms (SolarWinds, Codecov, Kaseya)
  • Mitigation: Software composition analysis (SCA), vendor security assessment, code signing verification

Ongoing Monitoring

Vendor assessment isn’t one-and-done. Continuous monitoring includes:

  • Regular reassessment (annual at minimum, more frequent for critical vendors)
  • Monitoring vendor security posture changes (breach notifications, security rating services)
  • Reviewing SLA compliance
  • Tracking vendor access to your systems and data
  • Offboarding procedures when relationships end (revoke access, retrieve data, confirm destruction)

Offensive Context

Supply chain attacks are among the most effective offensive techniques because they exploit trust relationships. Compromising a vendor with privileged access to multiple organizations is force multiplication — one breach yields many victims. SolarWinds, Kaseya, and Codecov demonstrated that even sophisticated organizations can be compromised through their vendors. Third-party risk management is the defensive response to supply chain offense — and it requires thinking about how an attacker would choose which vendor to target to maximize downstream access.