Book Review: Assessing Vendors
benrothke writes "Every organization has external software, hardware and 3rd-party vendors they have to deal with. In many cases, these vendors will have direct access to the corporate networks, confidential and proprietary data and more. Often the software and hardware solutions are critical to the infrastructure and security of the organization. If the vendors don't have effective information security and privacy controls in place, your data is at risk. In addition, when selecting a product to secure your organization, how do you ensure that you are selecting the correct product? All of this is critical in the event of a breach. When the lawyers start circling, they will be serving subpoenas to your company, not your 3rd-party vendors." Keep reading for Ben's review.
With that, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a valuable resource for those looking for a basic introduction to understanding the risks involved when sharing data with 3rd parties, in addition to selecting the appropriate products for your organization.

Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors
author    | Josh More
pages     | 94
publisher | Syngress
rating    | 8/10
reviewer  | Ben Rothke
ISBN      | 978-0124096073
summary   | Good intro to use to start a vendor assessment program
Many large organizations have formal programs and processes to evaluate the vendors they interact with, as well as their software and hardware procurement. For those that don't, this 80-page reference is a good place to start.
The book shows you how to find the right balance between a superficial assessment and one that goes far deeper than the decision warrants.
While the book has a healthy dose of checklists, it is not about simply filling out the checklists and adding up the totals. Author Josh More writes that, robust information assurance processes and regulations aside, successful vendor management involves a wide range of skills, from technical assessment to business communications, to negotiation and much more.
An effective aspect of the book is its many questions that you should ask the vendor as part of the assessment process. Too many organizations simply take the vendor's word without performing effective due diligence. Rarely will one find a company where too many questions were asked of a vendor.
Given that the book is only 80 pages, More writes that it focuses mainly on the initial assessment process, with the goal of selecting a vendor to solve a specific problem your organization is experiencing, to improve an existing process, or to add new capabilities. Given its short length, the book does not delve very deeply into the continued operation of a formal vendor management program.
The main thrust of the first chapter is around preliminary vendor research. It shows how to identify vendors for specific products and build criteria for effective vendor selection.
An important point in chapter 1 is that the primary rule in vendor assessment and selection is to always keep your own needs first in mind. Far too many organizations let the vendors drive the process, and in turn the vendor will ensure that its needs are made primary.
One of the topics in chapter 3 is testing confidentiality. When comparing vendors, they will often swear that their product is secure but provide no details attesting to how secure it really is. The chapter shows how you can perform internal hands-on testing to confirm that all of the promised security features actually work.
The book provides a lot of common-sense advice that may not be intuitive to many people. One bit of invaluable advice is to take steps to confirm that the vendor you are considering is not selling you gray- or black-market products. This is especially true for products from Cisco, Check Point and Juniper, which are rampant on the gray and black markets. While buying gray-market products may initially be cheaper, they can be much more expensive in the long run when you find out that the warranties you paid for are worthless.
In chapter 4, the book does a good job of showing how to score vendors. It details how you can create questionnaires and use the data to assist in your selection. The chapter stresses that after all of the data is scored, weighted and sorted, you should not expect to find a vendor with a normalized score of 100%. More writes that if you do a good job of creating the right questions for the questionnaire, you will seldom see a vendor score higher than the 80-90% range.
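As an added illustration of that scoring step (example code written for this review page, not taken from the book or its author), here is a small weighted-questionnaire scorer. The questions, weights, the 0-4 answer scale, the N/A handling and the mandatory (knock-out) flag are all assumptions made for the example. It shows two things a plain total hides: a not-applicable answer has to be dropped from the denominator as well as the numerator, or the vendor is penalized for a question that does not apply to it; and a vendor that fails a mandatory question should be set aside even when its normalized score beats a qualified competitor's.

```python
"""Weighted vendor questionnaire scoring (added example, not from the book).

Assumptions (hypothetical): each question has a weight and a mandatory
flag; each vendor answers with 0 (absent) .. 4 (fully meets) or None for
"not applicable". N/A answers are excluded from numerator and denominator.
A 0 (or missing) answer to a mandatory question disqualifies the vendor
regardless of its normalized score.
"""
from dataclasses import dataclass

MAX_ANSWER = 4  # answer scale: 0 = no / absent ... 4 = fully meets


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int            # relative importance, 1..5
    mandatory: bool = False


# Constructed questionnaire for illustration only
QUESTIONS = [
    Question("Q1", "Data encrypted at rest and in transit", 5, mandatory=True),
    Question("Q2", "Independent security assessment report available", 4),
    Question("Q3", "Breach notification clause in contract", 4, mandatory=True),
    Question("Q4", "Can export our data in an open format on termination", 3),
    Question("Q5", "Supports SSO with our identity provider", 3),
    Question("Q6", "Source escrow available", 2),
]

# Constructed answers: vendor -> {qid: score, or None for N/A}
ANSWERS = {
    "VendorA": {"Q1": 4, "Q2": 3, "Q3": 4, "Q4": 2, "Q5": 4, "Q6": None},
    "VendorB": {"Q1": 4, "Q2": 4, "Q3": 0, "Q4": 4, "Q5": 4, "Q6": 4},
    "VendorC": {"Q1": 3, "Q2": 2, "Q3": 4, "Q4": 1, "Q5": 0, "Q6": 1},
}


def score_vendor(questions, answers):
    """Return (normalized_percent, disqualified, failed_mandatory_qids)."""
    earned = 0
    possible = 0
    failed = []
    for q in questions:
        a = answers.get(q.qid)
        if a is None:
            # N/A: leave the question out of the denominator as well,
            # but an unanswered mandatory question still counts as a failure
            if q.mandatory:
                failed.append(q.qid)
            continue
        if not 0 <= a <= MAX_ANSWER:
            raise ValueError(f"{q.qid}: answer {a} outside 0..{MAX_ANSWER}")
        earned += q.weight * a
        possible += q.weight * MAX_ANSWER
        if q.mandatory and a == 0:
            failed.append(q.qid)
    pct = round(100.0 * earned / possible, 1) if possible else 0.0
    return pct, bool(failed), failed


def rank_vendors(questions, all_answers):
    """Qualified vendors first, each group sorted by descending score."""
    rows = []
    for name, ans in all_answers.items():
        pct, dq, failed = score_vendor(questions, ans)
        rows.append({"vendor": name, "score": pct,
                     "disqualified": dq, "failed": failed})
    return sorted(rows, key=lambda r: (r["disqualified"], -r["score"]))


if __name__ == "__main__":
    for r in rank_vendors(QUESTIONS, ANSWERS):
        flag = " DISQUALIFIED (%s)" % ",".join(r["failed"]) if r["disqualified"] else ""
        print(f'{r["vendor"]:8} {r["score"]:5.1f}%{flag}')
```

With the constructed data, VendorB's raw score (81.0%) is higher than VendorC's (52.4%), but VendorB answered 0 on the mandatory breach-notification question and drops to the bottom; VendorA lands at 86.8%, inside the 80-90% band the book says a well-built questionnaire tends to produce.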
A good point the book makes in chapter 5, on testing, is that when a vendor requires you to sign an NDA prior to testing, such a request is a fundamental mark of mistrust. If the vendor is unwilling to negotiate the NDA, it may be worth replacing them with a vendor who is more willing to work with you.
After you have done all of the dirty work of vendor selection, the book closes with a few pages on how to avoid vendor manipulation. It is not unusual for a vendor to fudge the information it provides you, which skews the results in its favor.
Another point to consider in the vendor selection process is that vendors benefit greatly from lock-in. The harder they can make it for you to move to another vendor, the more likely they are to get annual renewals.
Selecting a vendor is not a trivial process, and it is not intuitive to many organizations. Given the breadth of the topic, the book is a great place to start your work on this important process.
The book doesn't claim to be an all-inclusive resource for the topic. And at 80 pages, one should not expect it to be.
But for those looking for a highly tactical guide to start them on the road to vendor assessments, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a most helpful book to start with.
Reviewed by Ben Rothke.
Re: (Score:2)
There aren't any "NSA" guys. There are contractors contracted out by other contractors run by contractors.
what about cutting the PHB out of the loop (Score:2)
what about cutting the PHB out of the loop or giving the IT staff some say.
Sometimes they just get some vendor dumped on them and the PHB says make this software work.
Re: (Score:3)
http://en.wikipedia.org/wiki/Pointy-haired_Boss
Re: (Score:2)
You asked. If you did not want to know don't ask.
In this situation the GP clearly meant a boss like that one, since they are pretty common.
Wait, what? (Score:3)
You mean I can't just pick whichever vendor brings the best hookers and drugs any more?
open FW only for selected IPs (Score:2)
have the vendors give you the IP they are coming from
create a FW rule for those IPs only for specified ports and only to the IPs they need to access
if a vendor can't give you a static IP then they are probably amateurs or a fly-by-night shop and risky to deal with
Re: (Score:2)
That seems like one option, but I still can't figure out why you would even do that.
Vendors sell you stuff, why do they need to see your network? Can't your employees give the vendor the data they need?
Re: (Score:2)
support or general data transfer
we have vendors where our apps send data to their applications via dedicated circuits and vice versa
Re: (Score:2)
That all sounds like you let them access to just what they need over just those circuits or IPs.
Re: (Score:2)
have the vendors give you the IP they are coming from create a FW rule for those IPs
That will not help if the vendor gets infected. Restricting target ports helps, but the vendor probably has the ability to modify the application, which runs on a machine inside your network. Therefore that machine should probably be confined without the ability to initiate communications to anywhere.
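Taking the allowlist proposal above together with the reply's point about confining the vendor-managed host, here is an added example (not written by any commenter) that turns a vendor access request into an nftables ruleset. The vendor names, addresses, ports, and the table and chain names are all constructed for the illustration. A source that is not a literal address or CIDR (a hostname, "dynamic") is rejected, which is the "no static IP, no access" rule expressed in code; forwarded traffic is default-deny with per-vendor accepts only on the stated ports and destinations; and the internal host the vendor can modify gets a rule that logs and drops any connection it tries to initiate.

```python
"""Generate nftables rules for vendor remote access (added example).

Assumptions (all hypothetical): vendors reach internal hosts through a
border firewall running nftables; each vendor supplies fixed source
addresses, the internal destination(s) and the TCP ports it needs.
Sources that are not literal IPs/CIDRs are rejected, as are overly broad
ranges. Hosts the vendor can modify get a no-egress rule.
"""
import ipaddress

# Constructed vendor access requests for illustration only
VENDOR_ACCESS = [
    {"vendor": "acme_support", "sources": ["203.0.113.10", "203.0.113.11"],
     "destinations": ["10.20.0.15"], "ports": [22, 443]},
    {"vendor": "globex_feed", "sources": ["198.51.100.0/28"],
     "destinations": ["10.20.0.40"], "ports": [8443]},
]


def validate_access(entry):
    """Return (sources, destinations) as ip_network objects, or raise ValueError.

    A vendor that cannot supply fixed addresses cannot be allowlisted.
    """
    def to_net(s):
        try:
            return ipaddress.ip_network(s, strict=False)
        except ValueError as e:
            raise ValueError(f'{entry["vendor"]}: "{s}" is not a static IP or CIDR') from e

    srcs = [to_net(s) for s in entry["sources"]]
    dsts = [to_net(d) for d in entry["destinations"]]
    for p in entry["ports"]:
        if not 1 <= int(p) <= 65535:
            raise ValueError(f'{entry["vendor"]}: bad port {p}')
    for n in srcs:
        # refuse "give us your whole /8" style requests (IPv4 threshold is an assumption)
        if n.version == 4 and n.prefixlen < 24:
            raise ValueError(f'{entry["vendor"]}: source range {n} too broad')
    return srcs, dsts


def build_ruleset(access_list, vendor_hosts):
    """Render an nftables ruleset: default-drop forward chain, per-vendor
    accepts on stated ports/destinations, and log+drop of any new connection
    initiated by a vendor-managed internal host."""
    lines = ["table inet vendor_access {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for entry in access_list:
        srcs, dsts = validate_access(entry)
        src = ", ".join(str(n) for n in srcs)
        dst = ", ".join(str(n) for n in dsts)
        ports = ", ".join(str(p) for p in entry["ports"])
        lines.append(f'    # {entry["vendor"]}')
        lines.append(f"    ip saddr {{ {src} }} ip daddr {{ {dst} }} "
                     f"tcp dport {{ {ports} }} ct state new accept")
    if vendor_hosts:
        # The host the vendor can change must not be able to call out anywhere;
        # the policy already drops it, this rule makes the intent explicit and logs it.
        hosts = ", ".join(str(ipaddress.ip_network(h, strict=False)) for h in vendor_hosts)
        lines.append(f'    ip saddr {{ {hosts} }} ct state new '
                     f'log prefix "vendor-host-egress " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # 10.20.0.15 is the (constructed) host acme_support administers
    print(build_ruleset(VENDOR_ACCESS, ["10.20.0.15"]))
```

The output is a file you would load with `nft -f` after review. Because the chain policy is drop, anything a vendor did not ask for is already blocked; the explicit egress rule for the vendor-managed host exists so that an infected or misbehaving vendor application shows up in the log rather than failing silently.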
Assessing the best vendors... (Score:2)
Well, you could actually talk to others who you feel have a fair amount of credibility.
For example, almost all our servers (> 150) are from Sun (a very few), Penguin (a lot) and Dell (a lot). We decided several years ago to work to keep anyone from buying Sun/Oracle again.[1] A year or so ago, we decided we really didn't want Penguin any more.[2] I have not-wonderful opinions of HP[3], except for their laser printers.
Or third party vendors: these folks are Approved! (Yeah, but their website is user hosti