Do You Have a Vendor Security Check List? You Should!

Thursday, May 09, 2013

Michael Fornal


So a vendor calls you and wants to sell you a new application for your organization, one that, they claim, will help you be more secure and increase productivity. Good thing you have that vendor security checklist, so you can see whether this new application and vendor conform to the security controls your organization has put in place. Wait… you don’t have a checklist, or don’t know what one is? Let me help you with that.

A security checklist is a list of security controls that a vendor or application must meet. These controls can range from how storage backups are to be done to password complexity requirements. Having a checklist can help you decide whether the application or vendor conforms to your company’s security requirements.

When reviewing the checklist and analyzing the vendor’s answers, if you see gaps or have questions, make sure you call the vendor and get your questions answered. Making sure that the vendor or application conforms to your company’s security controls is a must, and a vendor security review really should be done yearly, or at the very least every other year.

So this information is great, you say, but how do I go about creating a security checklist?

Resources for creating a security checklist can be found on the National Vulnerability Database website, as well as in the Cyber Security Division section of the NIST website.

Creating a vendor security checklist can be a difficult task, but with help from the websites above and a review of your company’s policies, you should be able to create a list that will help you decide whether a vendor or application conforms to your company’s security requirements.
