
Book Review: Assessing Vendors

samzenpus posted about a year ago | from the read-all-about-it dept.


benrothke writes "Every organization has external software, hardware and 3rd-party vendors they have to deal with. In many cases, these vendors will have direct access to the corporate networks, confidential and proprietary data and more. Often the software and hardware solutions are critical to the infrastructure and security of the organization. If the vendors don't have effective information security and privacy controls in place, your data is at risk. In addition, when selecting a product to secure your organization, how do you ensure that you are selecting the correct product? All of this is critical in the event of a breach. When the lawyers start circling, they will be serving subpoenas to your company, not your 3rd-party vendors." Keep reading for Ben's review.

With that, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a valuable resource for those looking for a basic introduction to understanding the risks involved when sharing data with 3rd-parties, in addition to selecting the appropriate products for your organization.

Many large organizations have formal programs and processes to evaluate the vendors they interact with, in addition to software and hardware procurement. For those that don't, this 80 page reference is a good place to start.

The book shows you how to find the right balance between performing a superficial assessment and one that is way too deep.

While the book has a healthy dose of checklists, it is not about simply filling out the checklists and adding up the totals. Author Josh More writes that, robust information assurance processes and regulations aside, successful vendor management involves a wide range of skills, from technical assessment to business communications, to negotiation and much more.

An effective aspect of the book is that it has many questions that you should ask the vendor as part of the assessment process. Too many organizations simply take the vendor's word without performing effective due diligence. Rarely will one find a company where too many questions were asked of the vendor.

Given that the book is only 80 pages, More writes that it focuses mainly on the initial assessment process, with a goal to select a vendor to solve a specific problem that your organization is experiencing, improving an existing process or adding new capabilities. Given its short length, the book does not delve very deeply into the continued operation of a formal vendor management program.

The main thrust of the first chapter is around preliminary vendor research. It shows how to identify vendors for specific products and build criteria for effective vendor selection.

An important point in chapter 1 is that the primary rule in vendor assessment and selection is to always keep your needs first in mind. Far too many organizations let the vendors drive the process, and in turn, the vendor will ensure that their needs are made primary.

One of the topics in chapter 3 is testing confidentiality. When comparing vendors, they will often swear that their product is secure, but will often not provide any details attesting to how secure it really is. The chapter shows how you can perform internal hands-on testing to ensure all of the promised security features do in truth work.

The book provides a lot of common sense advice that may not be intuitive to many people. One bit of invaluable advice is to take the steps to confirm that the vendor you are considering is not selling you gray or black market products. This is especially true for products from Cisco, Check Point and Juniper, which are rampant on the gray and black markets. While buying gray market products may initially be cheaper, they can be much more expensive in the long run when you find out that the warranties you paid for are worthless.

In chapter 4, the book does a good job of showing how to score vendors. It details how you can create questionnaires and use the data to assist in your selection. The chapter stresses that after all of the data is scored, weighted and sorted, you should not expect to find a vendor with a normalized score of 100%. More writes that if you do a good job of creating the right questions on the questionnaire, you will seldom see a vendor higher than the 80-90% range.

A good point the book makes in chapter 5 on testing is that when a vendor requires you to sign an NDA prior to testing, such a request is a fundamental mark of mistrust. If the vendor is unwilling to negotiate the NDA, it may be worth replacing them with a vendor who is more willing to work with you.

After you have done all of the dirty work of a vendor selection, the book closes with a few pages on how to avoid vendor manipulation. It is not unusual for a vendor to fudge the information they provide you with, which will skew the results in their favor.

Another point to consider in the vendor selection process is that vendors benefit greatly from lock-in. The harder they can make it for you to move to another vendor, the more likely they are to get annual renewals.

Selecting a vendor is not a trivial process, and it is not intuitive to many organizations. Given the breadth of the topic, the book is a great place to start your work on this important process.

The book doesn't claim to be an all-inclusive resource for the topic. And at 80 pages, one should not expect it to be.

But for those looking for a highly tactical guide to start them on the road to vendor assessments, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a most helpful book to start with.

Reviewed by Ben Rothke.

You can purchase Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page.


NSA should buy one (0, Offtopic)

Anonymous Coward | about a year ago | (#44242221)

NSA guys should definitely buy a copy

Re:NSA should buy one (1)

Viewsonic (584922) | about a year ago | (#44243845)

There aren't any "NSA" guys. There are contractors contracted out by other contractors run by contractors.

Re:NSA should buy one (1)

Steve_Ussler (2941703) | about a year ago | (#44249299)

Not true. While there are tons of contractors there, the majority of NSA staff are full time employees.

Re:NSA should buy one (1)

Steve_Ussler (2941703) | about a year ago | (#44249289)

Especially since they won't be buying a copy at Defcon :)

what about cutting the PHB out of the loop (1)

Joe_Dragon (2206452) | about a year ago | (#44242279)

what about cutting the PHB out of the loop or giving the IT staff some say.

Some time they just get some vendor dumped on them and the PHB says make this software work.

Re:what about cutting the PHB out of the loop (1)

Steve_Ussler (2941703) | about a year ago | (#44242321)

Ok...what is PHB?

Re:what about cutting the PHB out of the loop (2)

h4rr4r (612664) | about a year ago | (#44242357)

Re:what about cutting the PHB out of the loop (1)

Steve_Ussler (2941703) | about a year ago | (#44242395)

Thanks... now I know that Dilbert reference.

Re:what about cutting the PHB out of the loop (1)

h4rr4r (612664) | about a year ago | (#44242429)

You asked. If you did not want to know don't ask.

In this situation the GP clearly meant a boss like that one, since they are pretty common.

Re:what about cutting the PHB out of the loop (1)

Steve_Ussler (2941703) | about a year ago | (#44242565)

I think you misunderstood my reply.

Wait, what? (2)

sunderland56 (621843) | about a year ago | (#44242295)

You mean I can't just pick whichever vendor brings the best hookers and drugs any more?

Re:Wait, what? (0)

Anonymous Coward | about a year ago | (#44242659)

Third party software = India

Re:Wait, what? (1)

Steve_Ussler (2941703) | about a year ago | (#44243893)

Depends, a lot of sw is not written in India.

open FW only for selected IP's (1)

alen (225700) | about a year ago | (#44242427)

have the vendors give you the IP they are coming from
create a FW rule for those IP's only for specified ports and only to the IP's they need to access

if a vendor can't give you a static IP then they are probably amateurs or a fly by night shop and risky to deal with

Re:open FW only for selected IP's (1)

h4rr4r (612664) | about a year ago | (#44242449)

That seems like one option, but I still can't figure out why you would even do that.

Vendors sell you stuff, why do they need to see your network? Can't your employees give the vendor the data they need?

Re:open FW only for selected IP's (1)

alen (225700) | about a year ago | (#44242717)

support or general data transfer
we have vendors where our apps send data to their applications via dedicated circuits and vice versa

Re:open FW only for selected IP's (1)

h4rr4r (612664) | about a year ago | (#44242881)

That all sounds like you let them access just what they need over just those circuits or IPs.

Re:open FW only for selected IP's (1)

manu0601 (2221348) | about a year ago | (#44246387)

have the vendors give you the IP they are coming from create a FW rule for those IP's

That will not help if the vendor gets infected. Restricting target ports helps, but the vendor probably has the ability to modify the application, which runs on a machine inside your network. Therefore that machine should probably be confined without the ability to initiate communications to anywhere.
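The two comments above (alen's per-vendor source IP and port allow-list, and manu0601's point that the vendor-maintained host must not initiate connections) can be expressed as one nftables ruleset. The following is an added example, not from either poster: the function name, the vendor IP, the app host IP and the port are constructed placeholders, and the function refuses a CIDR range because the thread's premise is a single static vendor IP.

```shell
# Emit (not apply) an nftables forward-chain policy for one vendor.
# Usage: gen_vendor_ruleset VENDOR_IP APP_HOST_IP PORT > vendor.nft
gen_vendor_ruleset() {
  vendor_ip="$1"   # static IP the vendor connects from (constructed in the test)
  app_ip="$2"      # internal host running the vendor-maintained application
  port="$3"        # the one TCP port the vendor needs to reach
  # A vendor that cannot name a single address gets no rule at all.
  case "$vendor_ip" in
    */*|0.0.0.0|'') echo "refusing '$vendor_ip': need one static vendor IP" >&2; return 1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "refusing port '$port': one numeric port" >&2; return 1 ;;
  esac
  cat <<EOF
table inet vendor_access {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies for sessions permitted below
    ct state established,related accept
    # vendor static IP -> app host, the named port only
    ip saddr $vendor_ip ip daddr $app_ip tcp dport $port ct state new accept
    # the app host never initiates: log and drop any new flow it originates
    ip saddr $app_ip ct state new log prefix "vendor-host-egress " drop
  }
}
EOF
}
```

Load the output with `nft -f vendor.nft` on the firewall that sits between the vendor link and the app host; the egress log line is the signal that the vendor-side host is trying to reach out, which is the infection case manu0601 describes.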

That's hot! (0)

Anonymous Coward | about a year ago | (#44242541)

There's nothing like ass essing vendors.

I need to write a book (0)

Anonymous Coward | about a year ago | (#44242783)

"How to be a successful 3rd-party vendor for an organization."

1) Org will send you lots of paperwork and questionnaires. Just fill it out and give them what they want to hear.
2) Many organizations let the vendors drive the process, and in turn, ensure that your needs are made primary.
3) Never negotiate the NDA. Who does the Org think they are?

abridged version: (0)

Anonymous Coward | about a year ago | (#44243415)

they're lying!

saved you some time/you're welcome!

Re:abridged version: (1)

Steve_Ussler (2941703) | about a year ago | (#44243631)

Love it! :)

Why not just link that review (0)

Anonymous Coward | about a year ago | (#44244833)

here [amazon.com]

Wait, also here [rsaconference.com]

Re:Why not just link that review (0)

Anonymous Coward | about a year ago | (#44245361)

isn't linking good?

Re:Why not just link that review (0)

Anonymous Coward | about a year ago | (#44245903)

Thank You.

Our firm blocks Slashdot, so I can share those sites which are white-listed.

Vendor Selection...? (0)

Anonymous Coward | about a year ago | (#44249077)

I was going to buy this book, but I don't know what I think about Amazon :-(

Assessing the best vendors... (1)

whitroth (9367) | about a year ago | (#44253317)

Well, you could actually talk to others who you feel have a fair amount of credibility.

For example, almost all our servers (> 150) are from Sun (a very few), Penguin (a lot) and Dell (a lot). We decided several years ago to work to keep anyone from buying Sun/Oracle again.[1] A year or so ago, we decided we really didn't want Penguin any more.[2] I have not-wonderful opinions of HP[3], except for their laser printers.

Or third party vendors: these folks are Approved! (Yeah, but their website is user hostile, and I can't find what we need.)

Then there was Amazon. I was looking to buy a large batch of the new WD Red 3TB drives. Amazon had a really good price on them, and I needed to call, to find out if we could buy a batch (the page said limit 4). I got a woman who was neither in the US, nor spoke English as a first language, who kept repeating what I could read on Amazon's page, who clearly had *never* dealt with a company, only individual buyers, and literally didn't seem to understand me when I said I was with the US federal gov't. Oh, and when she brought the page up, for some reason it showed the drive with the cover plate removed, and the platters visible... and she asked *me* what it was, if it was a movie player. I gave up in frustration. My manager, who'd heard the end of that, suggested I call the sales manager for us that we'd worked with before. *She* knew her job, understood me the first time, and I had a really good quote, almost as good as Amazon's limited time offer, the next day.

When you find someone who actually knows their job, and their market, those are the folks you want to deal with.

1. I refer to dealing with Sun/Oracle "tech support" as self-abuse, after spending a month to finally get an FE out to replace a m/b and some other stuff, and that included two weeks of exchanging email with an engineer in Chile....
2. Penguin's all Supermicro, and Supermicro has *real* problems, if not an actual lack of understanding, of the words "quality control". Penguin's tech support's ok, but....
3. Very hard to find updates for older systems, very much similar to Sun/Oracle's We Want To Pwn You attitude.

mark
