Highlights –

  • The aim is to reduce the need to negotiate security practices with each individual vendor a business uses.
  • MVSP includes a minimum baseline checklist used to verify the security posture of a solution.
  • MVSP comes with a set of baselines intended to give vendors a more precise understanding of what is expected and to obtain faster and more accurate answers.

A consortium of tech companies, including Google, Salesforce, Slack and Okta, has come together to develop a vendor-neutral security baseline, Minimal Viable Security Product (MVSP). The baseline has been developed for B2B software and business process outsourcing suppliers. With this, the firms believe that they will be able to “raise the level of security while simplifying the review process.”

MVSP comprises four main components: business controls, application design controls, application implementation controls, and operational controls. The MVSP developers are of the opinion that, by using these baselines as a checklist, security teams can bridge gaps in the security of a product or service and explore opportunities for improvement.

Companies have had to go through the tedious process of creating their own security baselines for their vendors. These baselines were difficult for organizations to assemble, and they created a byzantine maze of requirements for the vendors that had to comply with them.

The main goal is to minimize the need to negotiate security practices with each individual vendor a business uses. To ensure maximum transparency, baseline requirements would be incorporated in the RFP process.

In sum, the checklist of requirements covers elements such as frequency of patching, incident handling, password policy and disaster recovery. It is based on an analysis of existing model vendor security contracts used by companies such as Google and Dropbox.

Expert take:

Google vice president of security Royal Hansen said that MVSP was “designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines.”

“With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals and reduce the onboarding and sales cycle by weeks or even months,” Hansen added.

“MVSP is a collaborative baseline focused on developing a set of minimum security requirements for business-to-business software and business process outsourcing suppliers. Designed with simplicity in mind, it contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture. MVSP is presented in the form of a minimum baseline checklist that can be used to verify the security posture of a solution.”

A Salesforce official said that outsourcing operations to third-party vendors is a double-edged sword: it saves money but grants external access to critical systems and customer data. A recent study showed 59% of companies have experienced a data breach caused by one of their vendors.

“With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals and reduce the onboarding and sales cycle by weeks or even months,” he added.