Question

Working with Vendors

• Why is due diligence necessary when dealing with external vendors?
• What is one suggestion you have regarding securing data as it is in-transit to and from these vendors?
• What are two security protocols that should be part of the vendor's data operations? For example, if the data includes PII/SPII information, is adherence to external regulations and guidelines the responsibility of the vendor or your organization?

Respond to the following in a minimum of 175 words:

Answer 1

Question: Why is due diligence necessary when dealing with external vendors?

Answer:A third party vendor is an entity that provides services and goods. While working with external vendors, due diligence is required to ensure :

• To keep a check on the financial stability and instability of the vendors and ensure that it is ethical an strong to meet long term requirements.
• Due diligence reviews helps banks to keep a check and compile various responses.
• To ensure the security of non public information by means of various security resources.
• To cope up with the regulatory expectations as the regulatory body expects detailed guidance and best practices to be used for the smooth functioning of the frameworks under the third party risk management
• to ensure good business senses as it is a good practise to keep a check on every aspect and prevent any unwanted risk.

Question:What is one suggestion you have regarding securing data as it is in-transit to and from these vendors?

Answer:The data while is it transit by means of vendor resources are vulnerable to attack that can leave enterprises broken. Therefore data protections that are robust across ends and networks to prevent data during its in transit and also at the final stage.So the best method to prevent data during vendor transit is data encryption.

The other methods of data in transit are:

• security and compliance monitoring
• establishment of granular audits while transfer.

Question:  What are two security protocols that should be part of the vendor's data operations? For example, if the data includes PII/SPII information, is adherence to external regulations and guidelines the responsibility of the vendor or your organization

Answer:IPSec – Internet protocol security

• Encapsulates at Layer 3

• Mutual node authentication

• Can authenticate users, but requires L2TP

• Crypto implementation agnostic

• Client-to-client, or node-to-node (bulk)

• Mandatory for IPv6 implementation

• Does not work with NAT, unless NAT-Transversal (NAT-T) is used

GRE – Generic Route Encapsulation

• Encapsulates layer 3 packets in IP tunnel

• Used to secure VPNs

• Creates a virtual point-to-point link with destination

• Supports multicast protocols – IPSec doesn’t!