The Anti-Checklist Manifesto
Offered By: 44CON Information Security Conference via YouTube
Syllabus
Intro
The Anti-Checklist Manifesto: Thoughts On Assessing Third Party Risk
Chances are, a business team set the deliverables. The legal team discussed the contract terms. Only then did the compliance and infosec team get brought in. Odds are, engineering wasn't consulted at all.
What Is To Be Done?
Ask questions. Up front.
A preliminary security speed bump at the start of a bake-off can prevent teams from wasting their time.
Speed bump. No more than 10 questions.
To work, these questions must be simple, and proxies for 'Security'.
Do you encrypt all our data in transit, and at rest within your systems?
Are all our data segregated from other customers' data?
Please describe the architecture and segregation of customer data within S3 buckets, blob storage, or similar object storage.
Describe your internal authentication regime.
Please describe how you maintain least-privilege in your environments.
Do any of your internal systems use static credentials? How do you audit their use?
How do you manage secrets in your production and non-production environments?
Do you have a named executive responsible for security? What is their title, and to whom in the organization do they report?
Do you have written information security, data security, encryption, acceptable use, and physical security policies?
Does your company require all engineers to undergo regular secure coding training?
PISA: security questions before a bake-off. You still need due diligence (DD); this just disqualifies providers. SOC 2 is not a free pass [butland]. Lack of SOC 2 isn't a disqualifier (use VSA Core). Seek sensible answers. Stop the spreadsheet cat rodeo.
Taught by
44CON Information Security Conference