Minimum Viable Secure Product (MVSP)
Vendor risk must be a core part of every company’s cybersecurity program, but it is hard.
Especially when the company is a tech company, developing software that you use.
The term Minimum Viable Product or MVP is a term marketing folks have used for years to describe creating a version 1 product that has the minimum set of features that a customer will be willing to use or buy.
Add another letter and you have another acronym to remember – MVSP – Minimum Viable Secure Product. This is YOU defining what you consider the MINIMUM set of security features that you require in order to buy or use a vendor’s product.
With a little work, this could become a standard.
In part, because this MVSP checklist is based on the checklists already used by two small companies named GOOGLE and DROPBOX.
Rather that having to create your own set of “standards”, one has already been created for you based on what Google and Dropbox require of their vendors.
And it is licensed under the Creative Commons 1.0 license (free for any use).
And it will be updated as needed.
Who should use it?
Proposal teams should use it in RFPs.
Anyone can use it for self assessments.
And vendor management teams can use it as their standard vendor cybersecurity questionnaire.
What is in it?
It contains 4 major sections: Business controls, application design controls. application implementation controls and operational controls.
Section 1 contains eight controls, section 2 contains nine controls, section 3 four controls and section 4 contains three controls.
Alternatively, you can create this yourself. I am sure that you will do a better job than Google and Dropbox.
In fairness, you can tweak it for your own needs.
Credit: Helpnet Security