HECVAT Full v3.0.6
Third-Parties
THRD-04

Question THRD-04

Do you have an implemented third-party management strategy?

Weight: 25
High Risk: No
Required: No
Compliant Answer: Yes

Standard Guidance

Robust answers from the vendor improve the quality and efficiency of the security assessment process.

Answering "NO"

State your plans to implement a third-party management strategy.

Answering "YES"

Provide additional information that may help analysts better understand your environment and how it relates to third-party solutions.

Reason for Question

Every organization needs to actively understand and manage its supply chain. A vendor's understanding of who its third-party partners are, and its ability to manage those relationships effectively and consistently, speaks to the amount of risk your institution takes on by contracting with it. Modern technologies allow rapid deployment of features, and with them come changes to an established code environment. The focus of this question is to verify the vendor's practice of regression testing its code and confirming that previously nonexistent risks are not introduced into a known, secured environment.

Follow-Up Inquiries

If "No," inquire whether there are plans to implement these processes. Ask the vendor to summarize the reasoning behind not scanning its assets for vulnerabilities. Be sure that the vendor answers for both systems AND applications. Do not let good practices in one overshadow deficiencies in the other.

HECVAT Pro Advice

[Add expert insights and best practices]

Implementation Tips

[Add practical steps for SME SaaS vendors]

FAQ

[Add common questions related to this HECVAT item]

Resources

[Add links to relevant articles or tools]