Outsourcing operations to third-party vendors lets organizations save money and increase operational efficiency.
While outsourcing models are good for business operations, they create significant security risks. Based on a study from Opus and the Ponemon Institute, 59% of businesses have experienced a data breach triggered by one of their third-party vendors. These vendors access critical systems and user data, so their security posture becomes equally important.
Today, businesses of all sizes have had to design and implement security baselines for third parties that align with their own risk posture. Unfortunately, this leaves vendors facing thousands of different requirements, a situation that neither the vendors nor the organizations can realistically enforce.
To manage this challenge, organizations across the industry teamed up to design Minimum Viable Secure Product (MVSP), a vendor-neutral security baseline. MVSP intends to eliminate confusion during the procurement, request for proposal, and vendor security assessment processes by creating minimum acceptable security baselines. These minimums range from patch management to staff training, single sign-on requirements and disaster recovery plans. With MVSP, businesses can increase clarity during each phase so parties on both sides can attain their goals and reduce the onboarding and sales cycle by weeks or even months.
MVSP is created and supported by companies across the industry, including Google, Salesforce, Okta, Slack and more. MVSP’s goal is to raise the minimum bar for security across the industry while simplifying the third-party validation process.
MVSP expands on the idea of an MVP, or Minimum Viable Product. An MVP describes the absolute minimum features and qualities a product must have to be successful. MVSP describes the absolute minimum security checks a product or service must pass to be considered secure. This checklist-based system allows vendors and users to ensure security when adopting new tools.
Where can MVSP be used?
There's no single way to use MVSP. Each entity can use it as they see fit and adapt the checklist to their individual needs. Below are three primary use cases:
Requests for proposals (RFP)
A universal baseline for vendor selection simplifies the job of sourcing teams. MVSP is concise enough to include in RFP documents without bloating them. Making the MVSP checklist part of the RFP process helps people measure a vendor's cybersecurity baseline without complicating the assessment process.
Self assessments
Smaller businesses that are not mature enough to afford extensive compliance efforts, such as SOC 2 or PCI DSS, can use MVSP as the baseline to ensure their MVP’s security posture. With MVSP as the baseline for cybersecurity maturity, start-ups and smaller businesses can show how they comply with baseline security guidelines.
Third-party security
Larger companies attempting to triage their vendors’ security posture can adopt MVSP as their universal questionnaire. Security teams, for example, can use it to show their adherence to minimum requirements for tools and services upfront, so others know where they stand and expectations are communicated clearly.
How to complete the assessment
The MVSP checklist was designed with simplicity in mind, and it contains only those controls that must be implemented to ensure a minimally viable security posture for a product. The checklist is divided broadly into four sections, listed below, to capture all layers of security.
1. Business controls
Business controls define the core business aspects of security, such as compliance with industry standards, penetration testing, incident handling and more.
2. Application design controls
Application design controls cover how the application interacts with the user and with business processes. Here, the controls include single sign-on, password policy, logging and more.
3. Application implementation controls
Implementation controls cover how the application is connected with other infrastructure layers. They measure areas such as data flow diagrams, sensitive data exposure and time to remediate vulnerabilities.
4. Operational controls
This section covers physical access, logical access and third-party access to organizational data.
Third parties are a massive portion of cyber risk in today’s businesses. MVSP helps establish a minimal security baseline that anyone can reference and, hopefully, use to find secure solutions to their business problems.
There is a lot of potential in this project. MVSP, an open-source security standard maintained by a working group, is expected to be reviewed often and kept up to date as the industry evolves.
Today’s baseline won’t be the same tomorrow, and security professionals must continuously innovate to keep organizations ahead of future threats.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.