Three Steps for Management and Remediation of Security Vulnerabilities with Third Parties

May 24, 2017

Over the years, security organizations have had to deal with many vulnerabilities that required quick response and remediation. Some examples that come to mind include Heartbleed, Shellshock, numerous vendor-specific product vulnerabilities and, as we saw recently, WannaCry. All of these advisories require our organizations to quickly assess exposure and impact; however, many of us stop at our own infrastructure. As we have seen with mobile, cloud and continued outsourcing, maintaining focus within our own virtual walls is not enough. If we have decided to leverage a service offering or third party, there is significant risk and exposure to our information that sits outside those walls.


So, what are the different approaches organizations take when they realize they need to understand a third-party provider's exposure to a vulnerability? In my experience there are three common or leading approaches:

  1. Understand your third-party risk program and ensure that program assessments are conducted on schedule, or when developing a relationship with a new third party.
  2. Send a specific questionnaire whenever there is a vulnerability that needs to be assessed.
  3. Continuously monitor your third parties for vulnerabilities and/or assess them for the specific vulnerability in question.

In this article we will review each approach, along with its benefits and challenges when used on its own.

Third-Party Assessments

Many of us use our third-party risk management program to assess our vendors, or have our third parties attest to their controls; we then review, validate or document those controls. While this approach is a valid practice, it does not address the case where a new vulnerability is released, because the program assessment tells us nothing about whether that specific vulnerability is being addressed. To evaluate whether a vendor is responding adequately, you will need to build and maintain a program in which new vulnerabilities can be addressed in a timely and consistent manner. As an example, you may be evaluating a piece of third-party software to install in your organization, or validating a software-as-a-service offering; in either case you will want to focus on how the software is developed and patched, and how vulnerabilities are assessed and reviewed.

Program reviews are useful for understanding the processes and procedures a vendor uses to protect the organization when a vulnerability is announced; however, they do not provide insight into the vendor's actual exposure to the vulnerability or the action plan for addressing it. For this, many organizations send a simple questionnaire asking specifically about the vulnerability.

Questionnaires and Vulnerability Monitoring

Sending a specific questionnaire is effective for understanding the specifics of the issue or vulnerability at hand, but it is only one piece of the puzzle. Once the questionnaire is completed, organizations can still struggle, because the answers are not brought into a standard interface for risk and issue management, making the process very manual and difficult to track. To address this, organizations have started to leverage solutions that monitor third parties for common externally visible vulnerabilities. These monitoring solutions help the program scale and provide an effective way to gather information. However, they only show external vulnerabilities; they do not dig into what sits "behind the firewall," nor into vulnerabilities in specific products such as CVE-2017-6867 (Siemens SIMATIC WinCC). If you require knowledge of how your vendors treat vulnerabilities in their internal networks, you still need a questionnaire. The manual questionnaire approach also captures valuable items that monitoring cannot, such as the vendor's remediation plan.

Over the years I have learned that necessity drives innovation. To ensure their vulnerability response programs are effective, organizations must understand their third-party risk programs and execute timely program reviews, be prepared to distribute vulnerability-specific questionnaires, and continually monitor their third parties. To effectively scale and manage all the pieces and parts that come along with running a third-party risk management program, the ability to aggregate all of this information into a single repository is key to success.

By: James Robinson

Vice President, Third-Party Risk Management
