MVSP: A minimum cybersecurity baseline to simplify vendor security assessment (Security News, October 2021)

Any organization that's actively working on managing its cybersecurity risk can't ignore the risk that goes with third-party vendors having access to its critical systems and customer data.
"Up until today, organizations of all sizes have had to design and implement their own security baselines for vendors that align with their risk posture. Unfortunately, this creates an impossible situation for vendors and organizations alike as they try to accommodate thousands of different requirements," says Royal Hansen, VP of security at Google.
Google, Salesforce, Okta, Slack and a number of other companies feel that a better and easier solution would be for all parties to agree on a well-defined baseline that sets out minimum cybersecurity requirements for business-to-business software and business process outsourcing suppliers.
MVSP is a checklist that lists "only those controls that must, at a minimum, be implemented to ensure a reasonable security posture."
The checklist "mandates" things like enabling customers to test the security of your application; performing annual penetration tests on your systems; complying with relevant industry security standards and local laws and regulations; implementing a specific password policy; using encryption to protect sensitive data in transit and at rest; training developers to prevent specific vulnerabilities; publishing a list of third-party companies with access to customer data on your website; and more.
MVSP "is designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines. With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals, and reduce the onboarding and sales cycle by weeks or even months," Hansen noted.
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/Ga2RaV-1Y44/