
3PS

Narrator:

Let me first introduce our stakeholders/presenters for today’s session.

Sourcing – Shruti

Sourcing is the team that connects with the RM and helps initiate the 3PS assessment on the vendor.

RM - Sai Priya

The RM is the project manager (referred to as the PM in the dialogue below) who is leveraging the vendor's service for their project requirement.

Audit - Dinesh & Ruchik

The audit team, which scopes the assessment, reviews the vendor's responses and raises any gaps/issues.

Security Lead – Rahul

The audit team's reporting line; reviews the assessment scope, then reviews and approves the completed vendor assessment.

Vendor - Sugandh

The vendor who provides the services and undergoes the 3PS assessment.

A 3PS assessment is conducted on a vendor who provides a service to its customer (here represented by the PM). It is a security assessment which ensures that a vendor who, in the course of that service, gets access to its customer's sensitive/confidential information has the necessary provisions in place to safeguard that data.

Here’s the backstory:

We have a company called "Gummybear Inc" that manufactures yummy gummy bear candies. This company wants to create an online portal for selling its candies, and it has identified a vendor, "SugandhSites", who can build the website for Gummybear Inc.

Now, before SugandhSites begins providing the service to Gummybear, it needs to undergo a 3PS assessment based on assessment criteria defined by Gummybear. This will be elaborated by the audit team during their discussion.

So now, let's begin with the 3PS process:

Stage 1: Sourcing Team connects with the PM from Gummybear to help initiate the 3PS assessment

Sourcing Team - Shruti: Hello Sai Priya, it came to our attention that you are going to perform business with Vendor – Dinesh for your project. As we can see, there is a potential case of the vendor getting access to our sensitive information, so I would like to suggest that you initiate a 3PS assessment on the vendor and ensure its completion. Once the 3PS assessment is completed, you may proceed with doing business with the vendor.

PM – But may I know why a 3PS assessment is required?

Sourcing - As you know, we want to make sure that the vendor has proper security protocols in place to handle and safeguard our company data. This is ensured by conducting a 3PS assessment on the vendor, which contains a series of security controls addressing these security checks.

PM – So how do I proceed with this assessment?

Sourcing - You may go ahead and connect with the Audit team; they will guide you through the process.

Narrator – So, as you can see, the sourcing team has explained the need for a 3PS assessment to the project manager. Now let's move on to the next segment, where the PM reaches out to the audit team and initiates the 3PS assessment.

Stage 2: PM connects with the 3PS audit team to onboard the vendor

PM – Hello Team, I am a project manager and I would like to initiate a 3PS assessment on Vendor – Dinesh. Could you please help me with this?


Audit – Definitely! Please brief us on the vendor's scope of service so that we can assist you precisely on the 3PS requirement.

PM – Sure! Vendor – Dinesh is helping us create an e-commerce website to sell our gummy bear products.

Audit – So will this include online payment for the customers as well?

PM – Definitely!

Audit – Also does the Vendor manage the website once it is developed? Where is the webserver
located?

PM – Yes, since the vendor developed it, we would want the same vendor to help maintain the website as well. The webserver is located within Sugandh's premises.

Audit – Sure! One more question, will the vendor personnel require access to our office?

PM – Yes, a member of the vendor team needs access to our office, to take the requirements from me in person.

Audit – One final question! Will the website also store the customer data?

PM – Yes, it stores the customers' personal information, such as email addresses and phone numbers, in case a customer would like to reuse it in the future. Also, this website is focused mostly on European customers.

Audit – Perfect! You may log into our 3PS tool and enter this information there. Once you are done filling in the 3PS form, please submit it back to us and we will begin the assessment with the vendor.

PM – Sure! Will do!

Narrator: As we can see, the audit team focused mostly on understanding the vendor's scope of service. Now let's see how they translate this information into a 3PS assessment:

Stage 3: Audit team defines the assessment scope based on the vendor's scope of service

Dinesh: Hey Ruchik, we have received a new 3PS request on a vendor. Let me quickly brief you on the scope.

Ruchik: Sure, let's understand that, and accordingly we can figure out the assessment scope for this vendor.

Dinesh: The vendor basically develops and maintains a website for Gummybear for selling its products. The website server is located on the vendor's side, the site targets customers from the EU region, and it stores their PII. The site also handles online transactions, where customers purchase whatever products they like. Also, the vendor's personnel require access to Gummybear's premises.

Ruchik: Ahh, I see! So I understand these domains are to be considered for assessment:

- Network Security
- Data Center
- Software development
- Incident Management
- Vulnerability management
- GDPR and Data privacy
- Physical access
- PCI DSS

Dinesh: But here is one thing: we are still not covering an important aspect. What if this website server crashes for a brief period? Imagine a site like Google that crashed recently; I no longer trust any website server to remain stable going forward.

Ruchik: Great point, let us also include the BCDR (Business Continuity and Disaster Recovery) controls. Especially, we need to ensure that the vendor has a secondary server to host the site in case the primary server crashes.

Dinesh: Yes, let us add that as well. Fine then, since we have figured out the assessment scope, let us get it reviewed by our Security Lead and, once approved, send it across to the vendor for self-assessment.

Narrator: The Security Lead reviews the audit scope for the vendor and approves it for assessment.

Now, let's look into the assessment stage.


Stage 4: Vendor begins self-assessment. Audit team reviews the assessment information and creates issues/gaps

Vendor – Hmm, I can see that I have received an assessment request from the 3PS audit team. It seems like a lot of questions I need to respond to. Wait, they all appear to be some form of security-based questions. Let me try to respond to these questions and close it ASAP.

Narrator: So the vendor provides responses to the assessment questions and submits them back to the Audit team for review. Note that these assessment questions are basically yes/no questions, so the vendor's answers are self-attestation; the audit team reviews all the questions one by one, and the evidence it collects for the gaps it raises (see Stage 6) is what backs those answers up. For any response provided by the vendor, if the audit team finds that the response is not adequate, they create a gap/issue against the vendor.

Stage 5: Vendor works on a remediation plan and closes the issues

Narrator: The audit team has created a few issues on this assessment and has sent them to the vendor for further action. Let's see what these issues are:

Vendor – Hmm, I can now see that there are some issues created against my responses. I do not believe I need to fix them, as this is not part of my deliverables. Let me update the Audit team saying that I cannot work on this as my team has other activities to take care of.

Vendor – Hello Audit Team. I can see there are a few issues created against my assessment. I would like to discuss them further with you.

Audit – Sure, we can go through them and perhaps also guide you.

Vendor – I can see an issue raised against my response to a question on PCI DSS. It says, "Do you have an encryption mechanism in place to protect and transmit cardholder data across open, public networks?" I responded to it with a No.

Audit – Yes, since the website developed by you will be using customers' card details, we need to ensure that sufficient encryption mechanisms are in place to protect the cardholder data so that it cannot be accessed by any external source. For example, you can have these encryption mechanisms in place: AES – 128 bits or higher, TDES/TDEA – triple-length keys.

Vendor – But putting these encryption mechanisms in place might take a lot of effort and time on our side. I do not think I will be in a position to provide a remedy.

Audit – Well, we need to ensure that the gaps are fixed on priority so that we do not compromise customer data going forward. Also, we would like to encourage you to have these gaps addressed and remediated within the timelines, so as to ensure that Gummybear continues doing business with you. In case you do not adhere to Gummybear's security protocols and have them implemented in your system, Gummybear will have adequate rights to terminate the contract with you owing to the security risks.

Vendor – Hmm, looks like a lot of work on our side, but yeah! We also need to ensure that we have proper security measures in place. Sure, we will try fixing these gaps and update you once they are remediated.

Audit – Sure, that sounds great. We would also like to let you know that, in case you are not able to achieve this within the timelines, you can propose a new timeline to have the gaps remediated, but please make sure that it is countersigned by authorized personnel involved in the contractual agreement.

Vendor – Noted! And thanks very much for the clarification.

Narrator: The vendor provides a remediation plan and has it implemented. The Audit team is satisfied with it and would like to go ahead and close the assessment, since there are no open gaps/issues. In order to do this, they send the final assessment report to the Security Lead. Let's find out how this works out:

Stage 6: Security Lead reviews the assessment and closes it

Security Lead: Hey team, okay, I have received the final assessment report. I have reviewed it and can see that the issues created have been closed. However, please help clarify this: have you collected all the evidence for the issues created against the vendor?

Audit Team: Yes, we have collected all the necessary evidence; however, we have not updated it in the assessment report yet.

Security Lead: It is always good practice to have the evidence updated in the assessment report, since we would require it for any reverification purposes later. Also, any important mail communications with the vendor pertaining to the assessment, please have them all included in the report as well.

Audit: Yes, sure! We will have them added.


Security Lead: Good. Once they are updated, I will go ahead and close this
assessment.

Narrator: Once the assessment is closed, notifications are sent to all the concerned stakeholders.

Shruti – Ahh! It seems like everything is in place now, so we are good to proceed with the business!

Rahul – Man! It feels good to get the security assessment completed for my Vendor. Cheers!

Dinesh – Yo Ruchik! Dude, the assessment has successfully been closed. One more assessment added to the completion list!

Ruchik – Yeah, congrats man, and to me as well!

Security Lead – Finally, my audit team did a good job. I'm proud of you guys!

Sugandh – Ohh man! I am so relieved that the assessment is successfully completed. At least I got to understand the importance of a security assessment and of getting these measures implemented in my organization. Great stuff!

Narrator: So this pretty much covers a standard 3PS assessment. Here, the vendor's scope of service was used to define the assessment controls. Also, the vendor, although initially unwilling to fix the gaps, was educated by the Audit team on the importance of remediation as well as the consequences of not adhering to it.
We hope this session has given you all a good understanding of the basic process of a 3PS assessment. In case you found it informative and would like to have more such sessions going forward, especially focusing on different scenarios encountered in 3PS, please do vote and we will try to make it happen.
