Third Party Risk Management (DORA compliance)

Sound third party risk management is required by the EU Digital Operational Resilience Act (DORA). Third party risk management is one of the pillars of DORA.

How does Toqio manage the risk that third parties pose to it?

  • ONE-OFF: Before the integration work starts, Toqio evaluates the security measures you have implemented as an integrator. This is done by asking you a series of questions about your security measures (technical, procedural and compliance) and, depending on the answers, assessing a risk level. You will need to answer the questions in writing and provide evidence of compliance. The questions and the evidence to be provided are defined by Toqio. The more questions are answered with “Yes”, the lower the risk of your integration with Toqio. Below is an example of the questionnaire you must fill in (the Answer column is left blank for you to complete):
| Code | Question | Answer (Yes/No) | Procedure | Evidence |
|---|---|---|---|---|
| 1 | Does the vendor have an Information Security Policy? | | Developing and reviewing an information security policy that sets out the information security guidelines. | Vendor must provide its Information Security Policy (whatever the vendor can show without compromising its confidentiality). |
| 2 | Does the vendor have an Incident Management Plan/Procedure? | | Developing an incident management plan that defines incident types, roles and responsibilities; implementing tools and processes to detect and identify security incidents; taking steps to isolate and contain incidents; eliminating the cause of incidents; and analysing incidents to identify lessons learned. | Vendor should provide its Incident Management Procedure (whatever the vendor can show without compromising its confidentiality). |
| 3 | Is the vendor ISO 27001 certified? | | Establishing the effective policies and controls required by the ISO 27001 standard and implementing an ISMS to protect information and assets from cyber threats, data breaches and other security risks. | Vendor's ISO 27001 certificate. |
| 4 | Does the integrator manage personal information? | | If the integrator manages personal information, it should be GDPR compliant and implement security measures to protect it. | Vendor must confirm what kind of personal information it manages. |
| 4.a | Are the vendor's servers located inside the EU? | | To be GDPR compliant, the integrator's servers must be located inside the EU. | Vendor must show the servers' location. |
| 4.b | Is the vendor GDPR compliant? | | Implementing data protection policies and procedures and ensuring the security of personal data through technical and organisational measures. | The vendor must explain how GDPR compliance is achieved. |
| 5 | Are the integrator's communications encrypted? | | Ensuring application connections are encrypted by implementing HTTPS with SSL/TLS certificates, using strong encryption protocols for data transmission and storage, and regularly updating security measures to protect against vulnerabilities. | Vendor must provide encryption policy documentation and evidence of compliance. |
| 6 | Is the integrator's data at rest encrypted? | | Implementing strong encryption standards and secure key management practices according to established policies and procedures. Encryption at rest helps maintain the confidentiality and integrity of the information. | Vendor can demonstrate its use of encryption at rest by providing documentation of encryption policies, technical configurations using strong encryption methods, compliance with relevant standards, audit reports, and secure encryption key management practices. |
| 7 | Does the integrator have a user management policy? | | Implementing user authentication mechanisms that verify and manage individual user identities securely. A good user management policy is essential because successful attacks are often due to credential theft. | Vendor must show documentation and practices covering user access, permissions and data handling within its systems. |
| 8 | Does the vendor have a business continuity and disaster recovery plan? | | Ensuring these plans are regularly tested and updated. | Vendor must show up-to-date documentation of both the BCP and the DRP, including the related policies and procedures. |
| 9 | Does the vendor have security training programs for employees? | | Ensuring regular training and updates on security best practices. | Vendor should provide training policy documents describing the company's security training, and maintain training completion records. |
| 10 | Does the vendor perform regular penetration testing on the software? | | Identifying and mitigating security weaknesses. | Vendor must provide penetration testing reports including dates, scope of the penetration test, methodology, identified vulnerabilities and a remediation plan. |
| 11 | How does the vendor manage its own vendors and subcontractors? | | Ensuring ongoing third party good practices. | Vendor must provide vendor contracts, vendor risk assessments and vendor performance monitoring. |
| 12 | Does the vendor perform data backups, and are these securely stored? | | Ensuring data backups are done regularly. | Vendor must show backup policy documentation, backup logs and reports, backup verification procedures and offsite backup storage if needed. |
| 13 | Does the vendor ensure secure coding practices? | | Implementing a secure coding policy, providing developers with training on secure coding, and using code analysis tools. | Vendor must provide its secure coding policy, records demonstrating that developers have received training on secure coding best practices, and evidence of the use of code analysis tools to identify potential vulnerabilities. |
| 14 | Does the vendor protect its network with firewalls and intrusion detection/prevention systems? | | Implementing robust security policies, configuring systems to monitor and block unauthorised access and threats, and regularly updating its defences against evolving cyber threats. | Vendor must provide documentation outlining the types of firewall, IDS and IPS systems in use, together with configuration policies, log files and reports. |
| 15 | Does the vendor ensure regular vulnerability scanning? | | Developing a vulnerability scanning policy, using scanning tools, scheduling regular scans, analysing scan results, remediating identified vulnerabilities and maintaining records of vulnerability scans and remediation actions taken. | Vendor must show its vulnerability scanning policy, vulnerability scanning reports and vulnerability remediation records. |
| 16 | Does the vendor ensure appropriate application of security patches and updates? | | Creating a patch management policy, using patch management tools, conducting regular vulnerability scans, deploying approved patches and monitoring them, and maintaining records of patch deployments. | Vendor must show its patch management policy, patch management records and vulnerability scanning records, and ensure its IT team has the knowledge and resources to effectively manage the patch management process. |
| 17 | Does the vendor implement network segmentation? | | Assessing network assets, defining security zones, designing a segmentation strategy using VLANs and firewalls, implementing the configuration, testing for proper isolation and access controls, monitoring for anomalies, and maintaining documentation and policies. | Vendor must provide documentation of segmented VLAN configurations, access control policies, and monitoring reports validating effective isolation and security measures. |

  • YEARLY: Once you are integrated with Toqio, the same or a similar security questionnaire will be sent to you annually, and you will have to update the answers and the evidence. In addition, depending on the integration and the legal requirements, a formal annual risk assessment may be required in order to accurately evaluate the risk your integration poses to Toqio. This formal risk assessment should be performed under a standard framework (Magerit, Octave, NIST, etc.); it should be carried out by you and the results shared with Toqio, as we have to perform a formal risk assessment every year and show it to, for example, the PCI auditor. In fact, some of the questions in the questionnaire will be of the type “Have you performed a formal risk assessment of your company?” and “Is the risk assessment performed annually?”, with the risk assessment document as evidence.
  • Toqio will keep a history of all these documents, as evidence to be shown in audits if needed.