1. Vulnerability Management

Vendor shall implement proactive technical and organizational controls to prevent, detect, and remediate vulnerabilities. Best practices for vulnerability management controls include:

  • Vendor should have a policy and process in place to identify and remediate vulnerabilities in a timely manner. Vulnerability management includes infrastructure, middleware, programming languages, and applications.
  • Applications developed on behalf of customers should be scanned for security vulnerabilities before being released to production or delivered to customers.
  • Vendors should not release any asset (e.g., application, systems) into production with known high or critical security vulnerabilities.
  • Vendors should scan infrastructure and applications for security vulnerabilities every 90 days at a minimum.
  • Vendors should utilize only platforms that are actively maintained and supported by the Original Equipment Manufacturer (OEM). Platforms may include (but are not limited to) operating systems, middleware, applications, servers, network devices, storage devices, and security devices.
  • Vendors should test all applicable security patches before deploying them, to ensure a patch does not inadvertently introduce operational issues.
  • Vendor should implement validated patches into the production environment in accordance with the severity and risk of the vulnerability.
  • Where no compensating controls are in place, patches for the most critical vulnerabilities should be applied no more than 45 days after release by the software vendor.
  • Where no compensating controls are in place, patches for medium and low vulnerabilities (as rated by the software vendor) should be applied no more than 365 days after release.
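The deadlines above are easiest to audit mechanically. The following is an added example written for this page, not code from the original requirements or from any vendor: it evaluates a vendor's scan export against the 45-day and 365-day clocks, suspends the clock where a compensating control is recorded, and separately lists the open high/critical findings that bar an asset from production release. Treating "high" the same as "critical", the field names and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Deadlines from the requirements above: 45 days for the most critical
# vulnerabilities, 365 days for medium and low, both counted from the
# software vendor's release of the fix and both applying only where no
# compensating control is in place. Treating "high" like "critical" is an
# assumption of this example; the text names only "most critical" and
# "medium to low".
SLA_DAYS = {"critical": 45, "high": 45, "medium": 365, "low": 365}
RELEASE_BLOCKING = frozenset({"critical", "high"})


@dataclass
class Finding:
    finding_id: str          # scanner's own identifier (constructed here)
    asset: str
    severity: str            # as rated by the software vendor
    patch_released: date     # date the software vendor released the fix
    remediated: Optional[date] = None
    compensating_controls: bool = False


@dataclass
class SlaResult:
    finding_id: str
    deadline: date
    days_over: int           # 0 when the deadline has not passed
    status: str              # remediated | remediated_late | compensating_controls | within_sla | overdue


def evaluate(f: Finding, as_of: date) -> SlaResult:
    deadline = f.patch_released + timedelta(days=SLA_DAYS[f.severity.lower()])
    closed = f.remediated if f.remediated is not None else as_of
    over = (closed - deadline).days
    if f.remediated is not None:
        status = "remediated" if over <= 0 else "remediated_late"
    elif f.compensating_controls:
        status = "compensating_controls"   # clock suspended while the control is in place
    elif over > 0:
        status = "overdue"
    else:
        status = "within_sla"
    return SlaResult(f.finding_id, deadline, max(over, 0), status)


def sla_report(findings: List[Finding], as_of: date) -> List[SlaResult]:
    return [evaluate(f, as_of) for f in findings]


def release_blockers(findings: List[Finding]) -> List[str]:
    """Findings that bar an asset from production: open high/critical issues.
    The text above states no compensating-control exception for this gate."""
    return [f.finding_id for f in findings
            if f.remediated is None and f.severity.lower() in RELEASE_BLOCKING]


# Constructed sample export, as a vendor might deliver it from their scanner.
AS_OF = date(2024, 3, 15)
SAMPLE_FINDINGS = [
    Finding("F-1", "web-01", "critical", date(2024, 1, 10)),
    Finding("F-2", "db-01", "medium", date(2023, 6, 1), compensating_controls=True),
    Finding("F-3", "web-02", "high", date(2024, 2, 1), remediated=date(2024, 3, 1)),
    Finding("F-4", "jump-01", "low", date(2022, 12, 1)),
]

if __name__ == "__main__":
    for r in sla_report(SAMPLE_FINDINGS, AS_OF):
        print(f"{r.finding_id:5} deadline={r.deadline} status={r.status:22} days_over={r.days_over}")
    print("release blockers:", release_blockers(SAMPLE_FINDINGS))
```

Note that the clock starts at the software vendor's fix release, not at the scan date: a finding first seen by the scanner long after the fix shipped is already late. F-2 shows the compensating-control case, which should be reviewed on its own schedule rather than treated as closed.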

2. Change & Release Management

Your vendors should implement documented and maintained operational processes, covering change and release management, configuration management, availability management and problem management, and apply them consistently to meet customer requirements and contractual obligations.

What Should a Vendor’s Change & Release Management Program Look Like?

If a vendor is developing software for a customer, it shall have a documented software development lifecycle that includes security requirements (e.g., vulnerability code scanning, threat modeling, security architecture review, penetration testing, secure configurations).

Any authorized use of production data in a non-production environment shall either use obfuscated data or be protected by security controls at least as stringent as those in the production environment.

Customer information should only be copied or moved to a non-production environment that complies with these requirements, including the enforcement of access controls based on the need-to-know principle.

Vendor should have documented change management processes which include:

  1. Requirements analysis
  2. Development
  3. Testing
  4. Evaluation of performance and risk
  5. Management approval to move to production
  6. Document status of change
  7. Emergency change process that addresses quick restoration needs if required

3. Configuration Management

Vendor’s configuration management should include the following:

  • Applications that process or transmit customer trade secret information should be configured to log all authentication activity with sufficient information to detect incidents and aid in investigations.
  • Network devices (e.g., intrusion prevention systems, firewalls) should log unauthorized activity and alert on it.
  • Log data should be protected against tampering and unauthorized access.
  • Vendors should not include any customer trade secret information in security logs.
  • Systems and applications which process or transmit customer information should have documented baselines for system configurations with appropriate hardening to enhance security.
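The first four points above (log every authentication event with enough detail to investigate, keep customer trade secret data out of the logs, and protect log data from tampering) can be met together with an allow-listed event schema and a MAC chain over the written records. The following is an added example written for this page, not vendor or product code; the field names, the key handling and the sample events are assumptions made for the example.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Field policy for authentication events. The requirement asks for "sufficient
# information to detect incidents and aid in investigations" and forbids
# customer trade secret data in security logs; the concrete field names here
# are an assumption made for this example.
REQUIRED_FIELDS = frozenset({"event", "principal", "source_ip", "outcome"})
ALLOWED_FIELDS = REQUIRED_FIELDS | {"method", "reason", "session_id", "user_agent"}

CHAIN_SEED = b"\x00" * 32  # previous-MAC value used for the first record


def _canonical(entry: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so writer and verifier MAC identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuthLog:
    """Append-only authentication log. Each record's MAC also covers the previous
    record's MAC, so editing, deleting or reordering past records breaks the
    chain from that point onward."""

    def __init__(self, key: bytes):
        self._key = key
        self._prev = CHAIN_SEED
        self.records: List[Dict[str, Any]] = []

    def record(self, ts: Optional[str] = None, **fields: Any) -> Dict[str, Any]:
        missing = REQUIRED_FIELDS - set(fields)
        if missing:
            raise ValueError(f"authentication event missing fields: {sorted(missing)}")
        # Allow-list, never deny-list: unknown fields (request bodies, passwords,
        # customer payloads) are dropped, and only their *names* are recorded.
        dropped = sorted(set(fields) - ALLOWED_FIELDS)
        entry = {k: fields[k] for k in sorted(set(fields) & ALLOWED_FIELDS)}
        entry["ts"] = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        entry["dropped_fields"] = dropped
        mac = hmac.new(self._key, self._prev + _canonical(entry), hashlib.sha256).hexdigest()
        self.records.append({"entry": entry, "mac": mac})
        self._prev = bytes.fromhex(mac)
        return entry


def verify_chain(records: List[Dict[str, Any]], key: bytes) -> int:
    """Return -1 if the whole chain verifies, else the index of the first
    record whose MAC does not match (the point at which tampering began)."""
    prev = CHAIN_SEED
    for i, rec in enumerate(records):
        expected = hmac.new(key, prev + _canonical(rec["entry"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return i
        prev = bytes.fromhex(expected)
    return -1


# Constructed demo key and events. A real deployment would draw the key from a
# KMS/HSM and hand the chain head to a system the log writer cannot modify.
DEMO_KEY = b"example-log-key-not-for-production"


def build_demo_log() -> AuthLog:
    log = AuthLog(DEMO_KEY)
    log.record(ts="2024-03-15T09:00:00+00:00", event="login", principal="alice",
               source_ip="198.51.100.7", outcome="success", method="password+totp")
    # A failed login whose caller also passed the password and a customer document:
    # both are dropped before anything is written, and only their names are kept.
    log.record(ts="2024-03-15T09:00:05+00:00", event="login", principal="bob",
               source_ip="203.0.113.9", outcome="failure", reason="bad_password",
               password="hunter2", document_body="customer trade secret text")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("intact chain:", verify_chain(log.records, DEMO_KEY))
    tampered = copy.deepcopy(log.records)
    tampered[1]["entry"]["outcome"] = "success"          # rewrite history
    print("first bad index after edit:", verify_chain(tampered, DEMO_KEY))
    print("first bad index after deleting record 0:", verify_chain(log.records[1:], DEMO_KEY))
```

Two caveats a reviewer should check for. First, the chain only proves integrity relative to its head: truncating the most recent records is invisible unless the current head MAC is regularly exported to a store the log writer cannot alter (a separate account, write-once storage, or a customer-visible receipt). Second, the allow-list protects against accidental leakage of secrets in structured fields; free-text fields such as `reason` still need review to ensure callers do not place customer data in them.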

4. Availability Management

Availability management covers backups and restorations, disaster recovery, and business continuity. Vendor should have an availability management plan which includes all of these functions, and more specifically, the following:

  • Vendor shall maintain a backup strategy and plan to meet the customer restoration requirements communicated by the customer's point of contact. The plan shall include:
    • Backup verification
    • Annual restoration test
    • Protecting backup media from unauthorized disclosure, alteration or destruction through the use of encryption or physical access controls.
  • Vendor shall maintain a disaster recovery plan to meet the customer restoration requirements communicated by the customer's point of contact. The plan shall include:
    • Communication Plan
    • Recovery Time Objective (RTO)
    • Recovery Point Objective (RPO)
    • Annual testing
    • Alternate recovery locations
  • Vendor should maintain a business continuity plan for restoring its normal business functions within the restoration requirements defined in the agreement.
  • Vendor should notify customer of high priority or high impact system and service issues that affect customer, as defined in the agreement (e.g., system outage, response time degradation, application interface down).

Note: Customer encryption requirements will apply based on data classification.

5. Problem Management

Vendor should have a problem management process that:

  • Identifies the root cause of each problem to prevent recurrence
  • Documents and publishes root-cause analysis for problems and incidents
  • Develops and implements preventative measures and controls through appropriate control procedures
  • Maintains a record of known occurrences and their resolutions to support reactive problem management