Working with third parties and vendors

Your security is only as strong as your weakest vendor. That marketing automation tool? It has your customer list. The analytics SDK? It runs on every user's device. The contractor's laptop? It has access to your codebase.

Third-party risk management isn't paranoia—it's acknowledging that your attack surface extends beyond what you directly control.

Why vendor security matters

The supply chain reality

Modern companies depend heavily on third parties:

Category	Typical count	Data access
SaaS tools	50-200 apps	Customer data, employee data, source code
Cloud providers	1-3	Everything
Payment processors	1-2	Financial transactions
Analytics/marketing	5-15	User behavior, contact info
Contractors	5-20	Varies widely
Open source	100s-1000s packages	Runs in your environment

Each one is a potential entry point for attackers.

Real-world vendor breaches

Okta (2022): An attacker compromised a third-party contractor (Sitel) supporting Okta's customer service. Through that access, they gained access to Okta's internal systems, affecting hundreds of Okta customers including Cloudflare, 1Password, and others.

SolarWinds (2020): Attackers inserted malicious code into SolarWinds' build process. The compromised update was distributed to 18,000 organizations including government agencies and Fortune 500 companies.

Codecov (2021): Attackers modified Codecov's bash uploader script. Any company using it in CI/CD had environment variables and secrets exposed. Affected companies included Twilio, Monday.com, and many startups.

Kaseya (2021): Ransomware group exploited vulnerabilities in Kaseya's VSA software, affecting 1,500+ businesses through managed service providers.

The pattern: attackers target vendors because they're a force multiplier—compromise one, access many.

Vendor risk assessment framework

Step 1: Vendor inventory

You can't secure what you don't know. Build a complete vendor inventory.

Vendor inventory template:

Vendor	Category	Data access	Business criticality	Contract owner	Last assessed
Salesforce	CRM	Customer PII, deals	Critical	Sales	2024-06
GitHub	Source control	Source code, secrets	Critical	Engineering	2024-09
Slack	Communication	All internal comms	High	IT	2024-03
Mailchimp	Marketing	Email lists	Medium	Marketing	2024-01
Gusto	HR/Payroll	Employee PII, SSNs	Critical	HR	2024-06

Discovery methods:

• Review credit card/expense statements
• Check SSO provider for connected apps
• Ask department heads what tools they use
• Scan network traffic for SaaS connections
• Use SaaS management tools (Zylo, Productiv, Torii)

Step 2: Vendor tiering

Not all vendors deserve equal scrutiny. Tier based on risk.

Tier	Criteria	Assessment depth	Review frequency
Tier 1: Critical	Access to sensitive data, business-critical, hard to replace	Full assessment, SOC 2 required	Annual
Tier 2: High	Access to some sensitive data or important operations	Standard assessment, SOC 2 preferred	Every 18 months
Tier 3: Medium	Limited data access, easily replaceable	Basic assessment	Every 2 years
Tier 4: Low	No sensitive data, commodity service	Self-attestation	On contract renewal

Tiering questions:

1. What data do they access? (Customer PII = Tier 1-2)
2. Could their compromise affect our customers? (Yes = Tier 1)
3. Are they in our critical path? (Yes = Tier 1-2)
4. How hard are they to replace? (Hard = increases tier)
5. Do they have privileged access? (Admin access = Tier 1)

Step 3: Assessment methods

Different tiers get different assessment approaches.

Tier 1 assessment checklist:

Area	Questions	Evidence required
Certifications	SOC 2 Type II? ISO 27001?	Audit report
Access control	How do they protect access to our data?	MFA policy, access controls
Encryption	Data encrypted at rest and transit?	Technical documentation
Incident response	How will they notify us of breaches?	IR plan, notification SLA
Data handling	Where is data stored? Can they export/delete on request?	Data processing terms
Subprocessors	Who else do they share data with?	Subprocessor list
Business continuity	What's their uptime SLA? DR plan?	SLA, DR documentation
Employee security	Background checks? Training?	Policy attestation

Tier 2-3 assessment:

• Request SOC 2 report or equivalent
• Complete a standardized questionnaire
• Review their security page/trust center
• Check for public breach history

Tier 4 assessment:

• Self-attestation (vendor confirms basic security)
• Review terms of service
• No detailed assessment needed

Standard security questionnaires

Don't create your own questionnaire from scratch. Use industry standards.

SIG (Standardized Information Gathering)

Maintained by Shared Assessments, SIG is the gold standard for vendor assessments.

SIG Lite vs SIG Core:

• SIG Lite: ~100 questions, suitable for most assessments
• SIG Core: 800+ questions, for high-risk/Tier 1 vendors

Domains covered:

• Security policy and organization
• Asset management
• Access control
• Cryptography
• Operations security
• Incident management
• Business continuity
• Compliance

Cost: Membership required ($2,500+/year), but widely used.

Alternative: Create a simplified questionnaire based on SIG topics.

CAIQ (Consensus Assessments Initiative Questionnaire)

From the Cloud Security Alliance, focused on cloud services.

Structure:

• 300+ questions across 17 domains
• Yes/No format with optional explanations
• Cloud-specific focus

Best for: Cloud services, SaaS evaluation

Cost: Free from CSA

VSAQ (Vendor Security Assessment Questionnaire)

Google's open-source questionnaire framework.

Features:

• Web-based assessment tool
• Customizable question sets
• Risk scoring

Best for: Developer-friendly organizations

Link: github.com/google/vsaq

Simplified questionnaire for small companies

If standard questionnaires are too heavy, use this 20-question version:

## Simplified Vendor Security Questionnaire

### Governance
1. Do you have a documented information security policy?
2. Is there a designated security officer or team?
3. Do you conduct security awareness training for employees?
4. Do you perform background checks on employees with data access?

### Access Control
5. Do you enforce MFA for all systems accessing our data?
6. How do you manage user access and deprovisioning?
7. Do you log and monitor access to customer data?

### Data Protection
8. Is customer data encrypted at rest?
9. Is customer data encrypted in transit (TLS 1.2+)?
10. Where is customer data stored geographically?
11. Can you delete our data upon contract termination?

### Incident Response
12. Do you have an incident response plan?
13. What is your breach notification timeframe?
14. Have you experienced any security incidents in the past 3 years?

### Compliance
15. Do you have SOC 2 Type II certification?
16. Are you GDPR compliant?
17. Do you use subprocessors? If so, how are they vetted?

### Technical Security
18. Do you perform regular vulnerability scanning?
19. When was your last penetration test?
20. Do you have a vulnerability disclosure/bug bounty program?

Contract security requirements

Assessment is pointless if you can't hold vendors accountable. Include security requirements in contracts.

Security Addendum template

# Security Addendum to [Agreement Name]

This Security Addendum is incorporated into the Agreement between 
[Customer] and [Vendor], effective [Date].

## 1. Security Controls

Vendor shall maintain the following security controls:

1.1 **Access Control**
- Multi-factor authentication for all systems accessing Customer data
- Role-based access control with least privilege
- Quarterly access reviews
- Deprovisioning within 24 hours of employee termination

1.2 **Encryption**
- Customer data encrypted at rest using AES-256 or equivalent
- Customer data encrypted in transit using TLS 1.2 or higher
- Encryption keys managed securely with regular rotation

1.3 **Monitoring and Logging**
- Security event logging for all systems processing Customer data
- Log retention of at least 12 months
- Monitoring for unauthorized access attempts

## 2. Security Assessments

2.1 Vendor shall maintain SOC 2 Type II certification (or equivalent) 
    and provide current report upon request.

2.2 Vendor shall conduct annual penetration testing by qualified 
    third party and remediate critical findings within 30 days.

2.3 Customer may conduct security assessments with 30 days written 
    notice, no more than once per year.

## 3. Incident Response

3.1 Vendor shall notify Customer of any Security Incident affecting 
    Customer data within 24 hours of discovery.

3.2 Notification shall include:
    - Nature and scope of the incident
    - Data types affected
    - Remediation steps taken and planned
    - Contact information for updates

3.3 Vendor shall cooperate with Customer's incident investigation 
    and provide requested information within 48 hours.

## 4. Data Protection

4.1 Vendor shall not access Customer data except as necessary to 
    provide the services.

4.2 Vendor shall not use Customer data for any purpose other than 
    providing the services.

4.3 Upon termination, Vendor shall delete or return all Customer 
    data within 30 days and certify deletion in writing.

4.4 Vendor shall maintain a list of subprocessors and notify Customer 
    of any additions 30 days in advance.

## 5. Audit Rights

5.1 Customer may audit Vendor's compliance with this Addendum with 
    30 days written notice.

5.2 Vendor shall maintain documentation sufficient to demonstrate 
    compliance with these requirements.

## 6. Remediation

6.1 If Vendor fails to meet any requirement, Customer may request a 
    remediation plan within 14 days.

6.2 Persistent non-compliance constitutes material breach, allowing 
    Customer to terminate the Agreement.

---
Agreed and accepted:

Customer: _______________  Date: _______
Vendor:   _______________  Date: _______

Key contract terms to negotiate

Term	What to ask for	Fallback
Breach notification	24-48 hours	72 hours max
Audit rights	Annual right to audit	Accept SOC 2 in lieu of audit
Data deletion	30 days post-termination	90 days acceptable
Subprocessor approval	Advance notice and approval right	Notice only
Liability cap	Uncapped for security breaches	12-24 months fees
Insurance	$5M+ cyber liability	Match your coverage
SLA for security	99.9% uptime, 4hr response	Negotiable

When vendors push back

Objection	Your response
"We don't sign custom security addenda"	"Can we review your DPA/security terms? We may accept those if sufficient."
"SOC 2 covers everything"	"SOC 2 is great. We still need breach notification and data deletion terms in contract."
"Our lawyers won't approve liability terms"	"What liability cap will you accept? We're flexible on the number."
"We don't give audit rights"	"We'll accept SOC 2 Type II in lieu of direct audit."
"We can't change subprocessor notification"	"Can you commit to not adding new subprocessors without notice?"

Ongoing vendor monitoring

Assessment isn't one-time. Vendor risk changes.

Continuous monitoring

Signal	Source	Action
Security incidents	News, vendor notifications	Review impact, request details
SOC 2 report updates	Annual from vendor	Review for new findings
Subprocessor changes	Vendor notifications	Assess new subprocessors
Leadership changes	News, LinkedIn	Note potential impact
Financial trouble	News, credit ratings	Assess business continuity risk
Acquisition	News	Review new parent's security posture

Monitoring tools

Tool	What it does	Cost
SecurityScorecard	External security rating	Paid
BitSight	External security rating	Paid
UpGuard	Vendor risk monitoring	Paid
Google Alerts	News monitoring	Free
Have I Been Pwned	Breach monitoring	Free (domain search)

Quarterly vendor review

## Quarterly Vendor Security Review — Q4 2024

### Tier 1 Vendors

| Vendor | SOC 2 current? | Incidents? | Contract expires | Action needed |
|--------|----------------|------------|------------------|---------------|
| Salesforce | Yes (exp. 03/25) | None | 06/2025 | Request updated report |
| GitHub | Yes | None | 12/2025 | None |
| AWS | Yes | None | Ongoing | None |
| Gusto | Yes | None | 01/2025 | Renewal review |

### Tier 2 Vendors

| Vendor | Last assessed | Issues | Action needed |
|--------|---------------|--------|---------------|
| Mailchimp | 2024-01 | None | Reassess 2025-07 |
| Intercom | 2024-03 | None | None |
| Datadog | 2024-06 | None | None |

### New Vendors Added This Quarter

| Vendor | Tier | Assessment status | Owner |
|--------|------|-------------------|-------|
| Notion | 2 | Completed | IT |
| Figma | 3 | In progress | Design |

### Action Items

1. Request updated SOC 2 from Salesforce (due 03/25)
2. Complete Figma assessment
3. Negotiate security addendum for Gusto renewal

Special cases

Open source dependencies

Open source is a vendor you don't have a contract with.

Risk factors:

• Maintainer burnout (single maintainer, inactive repo)
• Malicious package updates (typosquatting, account takeover)
• Known vulnerabilities (unpatched)

Mitigations:

• Use dependency scanning (Dependabot, Snyk, Trivy)
• Pin versions, don't use latest blindly
• Review major version updates
• Monitor for security advisories
• Consider alternatives for abandoned packages

Resources:

• OpenSSF Scorecard — Automated security health metrics for open source
• deps.dev — Open source package insights
• Snyk Advisor — Package health scores

Contractors and consultants

Contractors are high-risk: often temporary, using personal devices, less vetted than employees.

Contractor security requirements:

• Background check before access
• NDA signed before any data access
• Use company-managed devices (or require MDM on personal)
• Limited access scope—only what's needed
• Access reviewed and revoked at project end
• Security training same as employees

Contractor access template:

## Contractor Access Request

Contractor name: [Name]
Company: [Company]
Project: [Description]
Duration: [Start] to [End]
Sponsor: [Internal employee]

### Access requested

| System | Access level | Justification | Approved by |
|--------|-------------|---------------|-------------|
| GitHub | Read (repo X) | Code review | [Lead] |
| Jira | View/Comment | Project tracking | [PM] |
| Staging env | Deploy | Testing | [DevOps] |

### Prerequisites

- [ ] NDA signed
- [ ] Background check completed
- [ ] Security training completed
- [ ] MFA configured on company IdP
- [ ] Acceptable use policy acknowledged

### Access end process

- [ ] Access revocation date: [Date]
- [ ] Responsible for revocation: [Person]
- [ ] Work product transferred: [Yes/No]

Acquisitions and mergers

When your company acquires or is acquired, vendor risk changes.

Acquiring a company:

• Inherit their vendor relationships (and risk)
• Audit their vendor inventory
• Apply your vendor standards to new vendors
• Plan integration timeline

Being acquired:

• Acquirer will audit your vendor posture
• Clean vendor inventory demonstrates maturity
• Documented assessments accelerate due diligence

Common mistakes

1. Shadow SaaS — Departments adopt tools without IT/security knowledge. Implement procurement process.

2. One-time assessment — Assessing at onboarding only. Vendor risk evolves; reassess periodically.

3. Trusting certifications blindly — SOC 2 doesn't mean secure. Read the report, look for exceptions.

4. No contract terms — Accepting vendor's terms without negotiation. At minimum, negotiate breach notification.

5. Ignoring subprocessors — Your vendor uses vendors. A breach at their subprocessor affects you.

6. Over-assessing low-risk vendors — 100-question survey for a $50/month tool wastes everyone's time.

7. No offboarding process — Vendor contracts end, but their access might not. Revoke and audit.

8. Assuming cloud = secure — AWS/GCP/Azure are secure; how you configure them isn't their responsibility.

Expert tips

The "10-minute vendor check"

For quick triage of any vendor:

1. Check their security page — Do they have one? Is it detailed?
2. Look for SOC 2/ISO 27001 — Listed publicly?
3. Search "[vendor name] breach" — Any incidents?
4. Check SecurityScorecard/BitSight — What's their external score?
5. Review their Trust Center — Do they publish subprocessors?

This gives you 80% confidence in 10 minutes.

Use the vendor's SOC 2 report effectively

SOC 2 reports are dense. Focus on:

1. Section IV: Description of the System — What's in scope? Is it comprehensive?
2. Section V: Principal Service Commitments and System Requirements — What did they commit to?
3. Tests of Controls — Look at "exceptions" or "deviations." These are failures.
4. Complementary User Entity Controls (CUECs) — What's YOUR responsibility?

Red flags:

• Many exceptions without remediation
• Narrow scope (e.g., only one product, not infrastructure)
• Type I only (point in time, not sustained)

Building a vendor security culture

Make vendor security everyone's job:

• Procurement: Include security review in purchasing process
• Department heads: Own their tools' vendor risk
• Security Champion: Set standards, assist assessments
• Legal: Include security terms in all contracts

Vendor risk scoring

Quantify vendor risk with a simple model:

Vendor Risk Score = (Data Sensitivity + Access Level + Criticality) × Security Posture

Scale 1-5 for each factor:

Data Sensitivity:
1 = No sensitive data
3 = Internal/employee data
5 = Customer PII, financial, health

Access Level:
1 = View only, limited scope
3 = Read/write, moderate scope
5 = Admin access, privileged operations

Criticality:
1 = Nice to have, easily replaced
3 = Important, some effort to replace
5 = Critical, business stops without it

Security Posture (inverse scoring):
1 = Strong (SOC 2 Type II, no issues)
3 = Moderate (SOC 2 Type I, some gaps)
5 = Weak (No certifications, poor practices)

Example calculations:

Vendor	Data	Access	Critical	Posture	Score	Tier
Salesforce	5	4	5	1	14	1
GitHub	4	5	5	1	14	1
Random SaaS	3	2	2	4	28	2
Design tool	1	1	1	2	6	4

Higher score = higher risk. Score > 30 = consider alternatives.

Vendor offboarding checklist

When a vendor relationship ends:

## Vendor Offboarding Checklist

Vendor: [Name]
End date: [Date]
Reason: [Contract end / Replaced / Breach]
Owner: [Name]

### Access revocation
- [ ] Remove vendor accounts from all systems
- [ ] Revoke API keys/tokens issued to vendor
- [ ] Remove from SSO/IdP if applicable
- [ ] Disable integrations between systems
- [ ] Remove from Slack/Teams channels
- [ ] Revoke any certificates issued

### Data handling
- [ ] Request data deletion confirmation in writing
- [ ] Export any data we need to retain
- [ ] Verify deletion timeline per contract
- [ ] Update data processing records

### Credentials
- [ ] Rotate any credentials vendor had access to
- [ ] Review and rotate API keys for connected services
- [ ] Invalidate any sessions

### Documentation
- [ ] Update vendor inventory (mark inactive)
- [ ] Archive assessment documentation
- [ ] Archive contract documents
- [ ] Note reason for termination

### Verification
- [ ] Confirm no vendor access remains (test)
- [ ] Receive deletion certificate if required
- [ ] Close out any open tickets/issues

Completed by: _______________ Date: _______
Reviewed by: _______________ Date: _______

Quick wins for vendor security

1. Enable SAML/SSO everywhere — Offboarding becomes automatic
2. Require SOC 2 for Tier 1 — Non-negotiable for critical vendors
3. Block unauthorized SaaS — Use CASB or network controls if needed
4. Annual contract review — Opportunity to add security terms

Workshop: vendor security program

Part 1: Vendor inventory (2 hours)

1. Compile complete list of vendors

   • Review finance/expense data
   • Check SSO connected apps
   • Survey department heads

2. Populate inventory template with:

   • Vendor name and category
   • Data access type
   • Business criticality
   • Contract owner
   • Contract end date

Deliverable: Complete vendor inventory spreadsheet

Part 2: Tiering and assessment planning (1 hour)

1. Assign tier to each vendor (1-4)
2. Identify assessment gaps:
   • Which Tier 1 vendors lack SOC 2?
   • Which need questionnaire?
3. Create assessment schedule

Deliverable: Tiered vendor list with assessment plan

Part 3: Security addendum (1 hour)

1. Customize the Security Addendum template for your company
2. Identify contracts up for renewal in next 6 months
3. Plan negotiation for security terms

Deliverable: Security addendum ready for contracts

Part 4: Contractor security process (30 minutes)

1. Document contractor access request process
2. Define prerequisites (NDA, background check, training)
3. Establish offboarding checklist

Deliverable: Contractor security process document

How to explain this to leadership

The pitch:

"We trust 75+ vendors with our data and systems. Right now, we don't have visibility into their security practices. One compromised vendor could give attackers access to our customer data. I want to build a simple process to assess, monitor, and hold vendors accountable."

The risk:

"The average supply chain attack affects hundreds of companies. SolarWinds compromised 18,000 organizations. We can't control our vendors, but we can choose vendors carefully and set expectations in contracts."

The ask:

"I need 40 hours to build the initial vendor inventory and assessment process. Going forward, 2-3 hours per new vendor and 4 hours quarterly for reviews."

The value:

• Reduced risk from vendor compromise
• Faster onboarding (established process)
• Contract leverage when issues arise
• Demonstrates maturity to customers and auditors

Conclusion

Vendor risk is the security problem you don't control. You can't fix their code, train their employees, or monitor their infrastructure. What you can do is choose vendors carefully, set contractual expectations, and know what to do when one of them gets compromised.

The vendor questionnaire you skip today is the incident report you write next year.

What's next

Next: threat intelligence and monitoring — how to stay informed about attacks targeting companies like yours.