Book Review: Assessing Vendors

Assessing Vendors: A Hands-On Guide to Assessing InfoSec and IT Vendors

by Josh More
Publisher: Syngress
ISBN: 978-0124096073
Number of Pages: 95
Date Published: May 10, 2013 


As I've noted in several previous blog posts, I believe the concept of Vendor Management is one of the weaker links in the security chain at many organizations.  While this book doesn't necessarily show you everything you need to know to fix this problem, it does provide solid advice on proper due diligence for selecting vendors and products that you want to build a relationship with.

Josh More lays out a very practical framework for finding vendors that provide technology (products and/or services) that address the needs of your situation.  More's Vendor Assessment process contains nine phases to help those responsible for evaluating and recommending solutions in Information Technology and InfoSec.  The process is designed to help these individuals in fairly and quickly evaluating vendors, understanding how the vendor/sales atmosphere operates, and getting more value out of vendor contracts.

One of the biggest lessons I got out of the book was in properly defining the criteria used to assess and compare various solutions.  By selecting specific criteria to measure each vendor, you are ensuring a fair and systematic evaluation so that the final decision can be based on a true apples to apples comparison and backed up with data.  On page 17, More provides some great advice for deciding how many different criteria should be used in this process:

The limit is going to be the number of dimensions that you can hold in your head at any given time.  This way, as you assess systems, you don't have to bounce between modes of thinking too much.  This process, called "context shift," is a very common source of time loss when doing analyses.  If you are running down a large list for each candidate, you have to constantly change your mode of thinking and every time you do, it will cost you a little bit of time.  If your list is too short, you will be losing time thing of real-world scenarios that could be concerning but cannot be captured in your limited system. 

More provides several examples to address this issue, ranging from the C-I-A triad to the CISSP 10 Domains.  But I really liked the reference to the Parkerian Hexad on page 18, which is a short enough list to easily remember, but comprehensive enough to cover the majority of vendor/product assessments you will run into.

1. Availability
2. Possession/Control
3. Confidentiality
4. Utility
5. Integrity
6. Authenticity
   

I have to admit, this isn't the most exciting IT book out there, but I'm glad I read through it.  All in all, this one is a quick read weighing in at just under 100 pages, but sheds some light on what can sometimes be a very ad-hoc selection and purchasing process.