5.3 Third-party risk
📘CompTIA Security+ (SY0-701)
When an organization decides to work with a third-party vendor (for example, a cloud provider, software developer, or managed service provider), it must carefully evaluate and select the right vendor.
This process helps reduce security, compliance, and operational risks that can come from working with outside companies.
Vendor selection involves two key parts:
- Due diligence
- Conflict of interest
Let’s go through both in detail.
1. Due Diligence
Definition:
Due diligence is the process of carefully checking and verifying a vendor’s background, reputation, and ability to meet your organization’s security, privacy, and compliance requirements before signing any contract or partnership.
In simple words — it means doing your homework on a vendor before trusting them with your systems or data.
Why Due Diligence Is Important
- Helps avoid working with untrustworthy or insecure vendors.
- Ensures vendors follow security best practices and comply with applicable laws and regulations.
- Reduces the likelihood and impact of risks such as data breaches, service outages, and legal issues.
- Allows the organization to make informed, evidence-based business decisions.
Due Diligence Activities
Below are the key due diligence checks an organization performs during vendor selection:
a. Security Posture Review
Evaluate the vendor’s overall security controls and policies.
Check whether they align with recognized security frameworks or attestations such as ISO 27001, SOC 2, the NIST Cybersecurity Framework, or the CIS Controls.
For example, an IT vendor should show how they secure their data centers, employee access, and software development process.
b. Compliance Verification
Verify that the vendor follows industry and legal requirements, such as:
- GDPR, HIPAA, or PCI DSS (depending on the data handled)
- Local data protection laws
This ensures the vendor does not expose your organization to legal penalties.
c. Financial Stability
Check if the vendor is financially stable enough to continue operating long-term.
If a vendor goes out of business, your data or services could be lost or disrupted.
d. Reputation and Background Check
Research the vendor’s track record — have they suffered major security breaches, lawsuits, or compliance violations?
Look for customer reviews, audit reports, or certifications that confirm their reliability.
e. Technical Capability
Confirm that the vendor has the technical expertise and resources needed to deliver the product or service securely.
For example, a cloud service provider should have redundancy, encryption, and incident response procedures in place.
f. Contract and SLA (Service Level Agreement) Review
Review contracts to make sure security, privacy, and uptime expectations are clearly written.
Contracts and SLAs should define items such as:
- Data protection responsibilities
- Response time in case of security incidents
- Penalties for non-compliance or service failure
g. Audit and Assessment Rights
Ensure your organization retains the right to audit the vendor’s security practices and request regular security assessments.
h. Data Handling and Access Control
Understand how the vendor stores, processes, and accesses your organization’s data.
Confirm they use encryption, access restrictions, and secure disposal methods when data is no longer needed.
Outcome of Due Diligence
After the due diligence process, the organization decides:
- Whether the vendor is trustworthy and secure enough to work with, or
- Whether the vendor poses too much risk and should be rejected.
2. Conflict of Interest
Definition:
A conflict of interest occurs when a person or organization involved in the vendor selection process has personal, financial, or professional interests that could influence their judgment or decision unfairly.
In other words, someone involved in choosing the vendor could benefit personally from the outcome — which can lead to biased or risky decisions.
Why It’s a Risk
Conflicts of interest can:
- Cause unfair vendor selection based on personal gain instead of security or business needs.
- Lead to security weaknesses if the chosen vendor isn’t truly the best option.
- Damage the organization’s reputation and compliance posture.
Examples in an IT Context
- An IT manager selects a software vendor owned by a relative.
- A security officer accepts gifts or money from a vendor in exchange for choosing their product.
- A procurement employee previously worked for a vendor they are now reviewing and fails to disclose this relationship.
How to Manage or Prevent Conflicts of Interest
- Disclosure Requirements – Employees must report any personal or financial relationships with vendors being considered.
- Separation of Duties – Multiple people should be involved in the vendor selection process to reduce bias.
- Independent Reviews – External or third-party reviewers can evaluate vendor proposals for fairness.
- Ethics and Compliance Policies – Organizations should have clear policies against bribery and favoritism.
- Audit Trails – Keep documentation of the vendor selection process for transparency.
Summary Table
| Concept | Description | Goal |
|---|---|---|
| Due Diligence | Process of evaluating a vendor’s security, compliance, and reliability before contracting. | Ensure the vendor meets the organization’s security and legal requirements. |
| Conflict of Interest | When personal or financial interests influence vendor selection. | Maintain fairness, transparency, and objectivity during the selection process. |
Key Takeaways for the Exam
- Due diligence ensures a vendor is secure, compliant, and reliable.
- It includes reviewing security controls, compliance certifications, SLAs, financial health, and data handling practices.
- Conflict of interest must be avoided to ensure unbiased and secure vendor selection.
- Security+ focuses on understanding how vendor relationships can impact organizational risk, and how proper vendor selection processes help minimize third-party risks.
