Domain 5 · 5.3 Third-Party Risk

5.3.2 Vendor Selection

Due diligence, conflict of interest.

14 min

Vendor selection is the process of vetting, evaluating, and choosing third-party partners and suppliers to ensure they meet an organization’s security, operational, and financial requirements.

Third-Party Risk Management (TPRM) Managing vendors is a continuous lifecycle that begins with selection and ends with termination. Security professionals must assess the supply chain to ensure the availability of hardware, software, and services. - Due Diligence: The proactive research performed to ensure a vendor is reliable and secure. This includes reviewing vendor websites, support forums, and vulnerability feeds (like NVD) to check the vendor's track record. - Conflict of Interest: A situation where an individual's private interests interfere with professional obligations. Selection processes must be transparent to prevent biased decision-making during the bidding phase. - Supply Chain Assessment: Evaluating the security of the components that make up a product. This ensures that third-party data handling meets internal standards and that alternative suppliers are identified for critical components.

Product Lifecycles and Support Vendors provide critical updates and security patches that expire over time. Monitoring these dates is vital for risk management. - End of Life (EOL): The point at which a vendor stops marketing or selling a product. While the product is no longer for sale, the vendor may still provide patches or technical support for a limited time. - End of Service Life (EOSL): A critical security milestone where the vendor officially ceases all support, including security updates and bug fixes. Running EOSL software is a major vulnerability. - Vendor-Neutral vs. Vendor-Specific: Using vendor-neutral standards (like CompTIA certifications) ensures broad foundational knowledge, while vendor-specific guides provide deeper, specialized hardening steps for particular platforms (e.g., Cisco ACLs or Windows Server hardening).

Asset Valuation in Selection Choosing a vendor often depends on the quantitative risk associated with their products. - Replacement Cost: The price to buy new equipment if a vendor's product fails. - Revenue Loss: The amount of money lost during downtime. If a vendor has a slow delivery time, the daily revenue loss may far exceed the cost of the hardware itself. - Depreciation: The decrease in asset value over time, which affects budgeting for future vendor replacements.

Quick Recall - Due Diligence: Identifying risks *before* signing a contract via research and audits. - EOL: Product is no longer sold, but might still have some support. - EOSL: Support has completely ended; no more security patches. - Supply Chain: Includes hardware, software, and the services used to deliver a product. - Research Sources: Academic journals, RFCs, conferences (e.g., Black Hat), and social media feeds.