5.3 Third-party risk
📘CompTIA Security+ (SY0-701)
1. Understanding Vendor Monitoring
When an organization works with a third-party vendor (such as a cloud service provider, software developer, or data processing company), it must continuously monitor that vendor to ensure it remains secure, compliant, and reliable over time.
Vendor monitoring is not a one-time process. Even if a vendor passes an initial assessment, their security posture can change due to staff changes, new technology, or cyber threats.
Monitoring helps detect such issues early before they affect the organization’s data, systems, or operations.
2. Why Vendor Monitoring is Important
- Protects sensitive data: Vendors often handle or access company data; monitoring ensures they protect it properly.
- Ensures compliance: Many laws (like GDPR or HIPAA) require organizations to ensure their vendors also follow proper data protection standards.
- Reduces risk: Regular monitoring identifies new security issues before they become breaches.
- Maintains trust: Demonstrates accountability to customers, regulators, and stakeholders.
3. Methods of Vendor Monitoring
There are many methods used to monitor vendors. For the exam, you should focus on the two key terms: Questionnaires and Rules of Engagement.
A. Questionnaires
Definition
A vendor questionnaire is a structured list of questions that an organization sends to its vendor to assess their security practices, policies, and compliance status.
It’s a self-assessment tool that helps the organization verify whether the vendor still meets the agreed-upon security requirements.
Purpose of Questionnaires
- To verify that vendors are following security controls (e.g., access control, encryption, patch management).
- To ensure they maintain compliance with regulations or contractual obligations.
- To detect changes in risk posture — for example, if they changed systems, cloud providers, or subcontractors.
- To identify gaps or weaknesses in vendor practices before they cause a problem.
Typical Areas Covered in a Vendor Security Questionnaire
- Access Control – How does the vendor manage user accounts and limit access to data?
- Incident Response – What is their process for responding to a data breach?
- Data Protection – How do they encrypt data at rest and in transit?
- Patch Management – How often do they apply software updates and security patches?
- Business Continuity and Disaster Recovery (BC/DR) – Can they continue operations if a disaster occurs?
- Physical Security – How do they protect data centers and offices?
- Compliance – Do they follow frameworks like ISO 27001, SOC 2, or NIST standards?
- Third-party Relationships – Do they subcontract any services, and how are those monitored?
Frequency of Questionnaires
- Usually sent annually or bi-annually depending on the vendor’s risk level.
- High-risk vendors (e.g., those handling sensitive customer data) may require more frequent reviews.
Example in an IT Environment
A cloud hosting provider that stores customer databases might receive an annual security questionnaire from its client.
The client’s security team reviews the answers and supporting evidence (like audit reports or policy documents) to confirm that the vendor continues to meet all security and compliance requirements.
B. Rules of Engagement
Definition
Rules of engagement (RoE) are formal, written agreements that define how security assessments or testing of a vendor’s systems will be conducted.
They outline what activities are allowed, what is prohibited, when the testing will occur, and how results will be shared.
Purpose of Rules of Engagement
- To set clear boundaries and expectations for any assessment or testing.
- To protect both parties from misunderstandings, legal issues, or operational disruptions.
- To ensure testing is authorized and does not violate laws or service agreements.
- To establish communication protocols before, during, and after testing.
When Rules of Engagement Are Used
Rules of engagement are most commonly used before conducting:
- Penetration testing of vendor systems.
- Vulnerability assessments.
- Security audits or compliance reviews.
- Incident response exercises or tabletop simulations involving vendor participation.
Key Elements of Rules of Engagement
- Purpose and Scope
  - Defines what systems, networks, or applications will be tested.
  - States what the test aims to achieve (e.g., identify exploitable vulnerabilities).
- Authorized Activities
  - Lists actions testers can perform (e.g., port scanning, password testing, or simulated phishing).
- Prohibited Activities
  - Specifies what must not be done (e.g., no denial-of-service testing or data destruction).
- Schedule and Duration
  - States the time frame during which testing will occur to avoid disrupting operations.
- Communication Plan
  - Defines who to contact in case of an emergency or system issue during testing.
- Confidentiality and Reporting
  - Explains how results will be documented, who can access them, and how they will be shared securely.
- Liability and Authorization
  - Confirms that both parties agree and authorize the testing, protecting the testers legally.
Example in an IT Environment
Before a company’s internal security team performs a penetration test on a third-party vendor’s application, both sides sign a rules of engagement document.
It defines the scope (such as testing only the test environment), the time window, and reporting expectations to prevent misunderstandings or accidental disruptions.
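The key elements above (scope, authorized and prohibited activities, schedule, communication plan) can be written down as data and checked mechanically before any test step is run, which is how an assessment team keeps itself inside the agreement. The following is an added example, not part of the original notes or any real engagement: it models an RoE as a record and rejects a proposed action that is prohibited, unauthorized, out of scope, or outside the agreed window. The network range, hostnames, contact address and times are constructed placeholders.

```python
"""Check a proposed assessment action against a rules-of-engagement (RoE) record.

Added example: every value below (network, hosts, window, contact) is a
constructed placeholder, not taken from a real vendor agreement.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    # Purpose and scope: the only systems that may be touched at all
    in_scope_networks: tuple[str, ...]     # CIDR blocks (e.g. the vendor's test VLAN)
    in_scope_hosts: frozenset[str]         # hostnames named explicitly in the RoE
    # Authorized and prohibited activities, as agreed in writing
    authorized_activities: frozenset[str]
    prohibited_activities: frozenset[str]
    # Schedule and duration: timezone-aware start and end of the window
    window_start: datetime
    window_end: datetime
    # Communication plan: who to call if something goes wrong during testing
    emergency_contact: str


def target_in_scope(roe: RulesOfEngagement, target: str) -> bool:
    """True if target is a hostname named in the RoE or an IP inside an in-scope CIDR."""
    if target in roe.in_scope_hosts:
        return True
    try:
        addr = ip_address(target)
    except ValueError:
        return False  # a hostname that the RoE does not name is out of scope
    return any(addr in ip_network(net) for net in roe.in_scope_networks)


def check_action(roe: RulesOfEngagement, activity: str, target: str,
                 when: datetime) -> list[str]:
    """Return the list of RoE violations for a proposed action; empty means permitted.

    Anything not explicitly authorized is treated as prohibited, so a new test
    technique has to be added to the RoE before it may be used.
    """
    if when.tzinfo is None:
        raise ValueError("'when' must be timezone-aware so it compares with the RoE window")
    violations: list[str] = []
    if activity in roe.prohibited_activities:
        violations.append(f"activity '{activity}' is explicitly prohibited by the RoE")
    elif activity not in roe.authorized_activities:
        violations.append(f"activity '{activity}' is not listed as authorized; treat as prohibited")
    if not target_in_scope(roe, target):
        violations.append(f"target '{target}' is outside the agreed scope")
    if not (roe.window_start <= when <= roe.window_end):
        violations.append(f"time {when.isoformat()} is outside the agreed testing window")
    return violations


# Constructed sample RoE: vendor test environment only, one overnight window.
SAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=("10.20.0.0/24",),
    in_scope_hosts=frozenset({"app-test.vendor.example"}),
    authorized_activities=frozenset({"port_scan", "password_testing", "simulated_phishing"}),
    prohibited_activities=frozenset({"denial_of_service", "data_destruction"}),
    window_start=datetime(2024, 6, 1, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 6, 2, 4, 0, tzinfo=timezone.utc),
    emergency_contact="vendor-soc@vendor.example (placeholder)",
)
IN_WINDOW = datetime(2024, 6, 1, 23, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2024, 6, 2, 9, 0, tzinfo=timezone.utc)


def demo() -> dict[str, list[str]]:
    """Run four proposed actions through the check; only the first is permitted."""
    return {
        "authorized_scan": check_action(SAMPLE_ROE, "port_scan", "10.20.0.15", IN_WINDOW),
        "prohibited_dos": check_action(SAMPLE_ROE, "denial_of_service", "10.20.0.15", IN_WINDOW),
        "out_of_scope_host": check_action(SAMPLE_ROE, "port_scan", "app.vendor.example", IN_WINDOW),
        "outside_window": check_action(SAMPLE_ROE, "port_scan", "app-test.vendor.example", OUT_OF_WINDOW),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        status = "PERMITTED" if not problems else "BLOCKED: " + "; ".join(problems)
        print(f"{name:18} {status}")
    print(f"emergency contact: {SAMPLE_ROE.emergency_contact}")
```

The deny-by-default rule in `check_action` is the design choice worth noting: an activity the RoE never mentions is blocked rather than allowed, which mirrors the page's point that the document exists to keep testing authorized and within agreed boundaries.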
4. Integrating Questionnaires and Rules of Engagement into Vendor Monitoring
Both tools are essential parts of an ongoing vendor risk management process:
| Process Step | Description | Tools Used |
|---|---|---|
| Initial assessment | Evaluate vendor before contract | Questionnaires, audits |
| Ongoing monitoring | Regular review of vendor’s practices | Questionnaires, reports |
| Active testing | Perform authorized security tests | Rules of Engagement |
| Response and remediation | Address issues found during monitoring | Corrective actions, updated contracts |
5. Exam Tip Summary
For the CompTIA Security+ (SY0-701) exam, remember these key points:
| Concept | Definition / Purpose |
|---|---|
| Vendor monitoring | Continuous oversight of vendor’s security, compliance, and performance. |
| Questionnaire | A structured set of questions used to assess vendor’s security posture and compliance. |
| Rules of Engagement (RoE) | Written guidelines that define how security testing or assessments will be performed on vendor systems. |
| Goal of monitoring | To ensure vendors remain secure, trustworthy, and compliant over time. |
| Frequency | Based on risk level — high-risk vendors are monitored more frequently. |
✅ In short:
Vendor monitoring ensures that third parties continue to protect your organization’s data and meet all security and compliance requirements.
Questionnaires collect ongoing security information, while rules of engagement ensure that any testing or assessment of vendor systems is safe, authorized, and controlled.
