MVSP: A minimum cybersecurity baseline to simplify vendor security assessment

Any organization that’s actively working on managing its cybersecurity risk can’t ignore the risk that goes with third-party vendors having access to its critical systems and customer data.

minimum cybersecurity baseline

“Up until today, organizations of all sizes have had to design and implement their own security baselines for vendors that align with their risk posture. Unfortunately, this creates an impossible situation for vendors and organizations alike as they try to accommodate thousands of different requirements,” says Royal Hansen, VP of security at Google.

Google, Salesforce, Okta, Slack and a number of other companies feel that a better and easier solution would be for all parties to agree on a well-defined baseline that sets out minimum cybersecurity requirements for business-to-business software and business process outsourcing suppliers. So, they designed the Minimum Viable Secure Product (MVSP).

What is Minimum Viable Secure Product (MVSP)?

MVSP is a checklist that lists “only those controls that must, at a minimum, be implemented to ensure a reasonable security posture.”

The controls are grouped in four categories: business, application design, application implementation, and operational controls.

The checklist “mandates” things like enabling customers to test the security of your application; performing annual penetration tests on your systems; complying with relevant industry security standards and local laws and regulations; implementing a specific password policy; using encryption to protect sensitive data and at rest; training developers to prevent specific vulnerabilities; publishing a list of third-party companies with access to customer data on your website; and more.

Using MVSP

MVSP is a vendor-neutral, minimum cybersecurity baseline that can be used by:

  • Procurement teams when gathering information about vendor services
  • Security teams during vendor selection
  • Legal teams to simplify the contract negotiation stage
  • Compliance teams for documenting processes

MVSP “is designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines. With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals, and reduce the onboarding and sales cycle by weeks or even months,” Hansen noted.

It can also come in handy for internal teams, to measure the company’s products or services against minimum requirements and drive improvement.

The MVSP aims to be a practical checklist, specifying checks that can be applied even to small companies. It is also a work in progress, and it is expected to be updated annually based on community feedback.

“We recommend that all companies building B2B software or otherwise handling sensitive information under its broadest definition implement at least [these] controls, and are strongly encouraged to go well beyond them in their security programs,” the designers noted.

Don't miss