Autodesk has an Information Security Policy. All employees have to review the policy annually and acknowledge that they have reviewed it. This applies to everyone — not just employees who develop our products and services. In addition to having everyone review the policy, the Information Security, Risk and Controls (ISRC) team conducts lunchtime lectures where they cover security-related topics. The other day, rather than go out to lunch, I attended one related to third-party security.
Audrey Nahrvar is an Information Security Engineer. James Hong is a Senior Program Manager. Their presentation was entitled "Third Party Information Security: Autodesk’s Approach."
Here are the nuggets of information I walked away with.
- As the name suggests, third parties are providers that Autodesk relies on. In terms of solutions, the customer is the first party, Autodesk is the second party, and the vendor is the third party. Risk is exposure to danger, harm, or loss.
- Third-party security is important for Autodesk because ensuring our own software is not enough. We must ensure that every part of a solution protects our customers' personally identifiable information as well as their intellectual property.
- ISRC has a comprehensive process for assessing our third parties' security posture. The process includes cross-division collaboration (particularly with our Procure to Pay team), thorough questionnaires, and high-touch due diligence.
- The process is based on established policies and standards.
- Each third party is evaluated on a case-by-case basis. This includes:
  - The scope of the arrangement between Autodesk and the third party:
    - What data will be created, processed, stored, accessed, or transmitted by the vendor.
    - The criticality of the information that the vendor will be handling, as well as of the Autodesk product or service that relies on the third party.
  - Completion of a 70-question questionnaire by the Autodesk team that is working with the third party.
  - Evaluation of the third party's current security practices by the ISRC team, based on the ISO 27001 (International Standards Organization), CSA (Cloud Security Alliance), NIST (National Institute of Standards and Technology), and Cybersecurity frameworks.
  - Completion of a 240-question questionnaire by the third party that covers 16 areas of security.
- As part of the process, ISRC reviews documentation supplied by the third party, such as:
  - Security Operations Center reports
  - Compliance proof (ISO, PCI (Payment Card Industry), etc.)
  - Penetration tests
  - Vulnerability scans
  - Network diagrams
  - Data flow diagrams
  - Information security policy
  - Incident response policy

  Based on this documentation, ISRC conducts follow-up discussions with the vendor's security team and conducts technical assessments as necessary.
- ISRC creates an executive summary that combines all information and findings from the review and highlights any risks and recommendations. ISRC keeps a zipped folder per vendor with all the documentation that was collected during the review. The executive summary is the ultimate end product of the process, so that employees don't need to filter through all the raw information. It serves as the "go to" document that is checked first in the event that there is a possible incident that needs to be investigated.
Thanks, Audrey and James.
So Autodesk continues to diligently work to protect the assets of its customers via internal processes that evaluate our own pieces of the solution and pieces that we obtain via our partners.
Third-party security evaluation is alive in the lab.