January 24, 2019

Last Updated on January 18, 2024

In today’s evolving business landscape, there is huge potential for growth and cost savings by partnering with vendors or outsourcing non-core parts of your business. But outsourcing often requires sharing sensitive data (e.g., payroll or customer data) and/or providing access to critical applications.
With all of the recent data breaches attributable to vendors, managing your organization’s outsourcing risk is more important than ever before. How can you be sure that a vendor is upholding the responsibility that you have extended to them to keep your data and premises secure?
This quick, 3-step guidance on managing outsourcing risk will help your organization address key InfoSec concerns associated with outsourcing.

Step 1: Create a vendor risk management policy based on your risk appetite.

Understanding your organization’s appetite for risk is the first step in managing outsourcing risk. Risk appetite is a balance of threat versus opportunity. It’s different for every company, and industry, culture, and business needs all play a role.
How much risk is your company willing to accept to meet strategic objectives? For example, if you implement a “bring your own device” (BYOD) program to help increase productivity, can you accept any associated data security risks? If you’re a credit union versus a food manufacturer, the answer might be very different.
Once you’ve measured and defined your level of risk appetite, you should document it within policies and standards that are approved by senior management. A vendor risk management (VRM) policy will help you define which vendor-related risks are most critical to mitigate, and ensure that vendor risk is consistently monitored and addressed. Having a policy in place is also key to getting vendors to agree to risk-related responsibilities, requirements, and procedures.

PPS Expert Perspective:

“Possibly the most practical benefit of having a VRM policy is it makes it simple to deny/approve new vendor relationships. Standing in the way of on-boarding a key vendor is a tough place to be. It’s better to have everyone blame an agreed upon document for holding up signing on a new vendor than blame you.”
Jeremy Sporn

Step 2: Classify your vendors according to the risk level they present.

Identifying and classifying your vendor population is the next step in the VRM process. After identifying who your vendors are, conducting thorough vendor risk assessments will help illustrate the data security risks associated with each vendor and offer further guidance on managing outsourcing risk.

Some questions to ask as part of the VRM process include:

  • What types of data does the vendor access or process?
  • What InfoSec controls should the vendor have in place to maintain the confidentiality, integrity and availability of your data while it’s under their control?
  • What are the vendor’s responsibilities in the event of a data breach or other data security incident?
  • What is the process for verifying compliance with your InfoSec requirements, and for negotiating changes to related agreements?

Some vendors might need more or different questions than others.
Once you’ve assessed your vendors (or at least the key ones), it’s very important to assign a risk score to each vendor. Because they generally have fewer vendors than enterprises, many SMBs will know “intuitively” which vendors pose the greatest risk, based on the data and systems they have access to. Write that judgment down as a score anyway, so the rating is repeatable and can be checked against your policy rather than re-argued every time a contract comes up.
Keep the scoring simple. You probably don’t need a lot of categories, especially if you don’t have that many vendors. Some companies start out with just a “Go/No-Go” scoring process to separate vendor relationships that need attention versus those that are OK as-is for now.
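The following is an added example of the simple scoring described above; it is not a tool from the article or from Pivot Point Security. It assumes a four-level data classification (public, internal, confidential, regulated), a four-level access scale (none, read, write, admin), and a documented risk appetite expressed as the highest tier that may be onboarded as-is. The sample vendor list is constructed for illustration. The point it makes beyond the text: scoring on data sensitivity alone misses a vendor that holds little data but has admin access to a critical system, so the score takes the worse of the two and bumps vendors you cannot operate without.

```python
"""Vendor inherent-risk tiering with a Go/No-Go gate (added example, assumptions labelled)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class DataClass(IntEnum):
    """Assumed data classification scale; adapt to your own policy."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # e.g. payroll, customer PII
    REGULATED = 3      # e.g. card data, health records


class Access(IntEnum):
    """Assumed access scale for the vendor's reach into your systems."""
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3          # privileged access to a critical application or network


@dataclass(frozen=True)
class Vendor:
    name: str
    data: frozenset[DataClass]          # data types the vendor accesses or processes
    access: Access
    critical_to_operations: bool = False  # would an outage at this vendor stop your business?


@dataclass(frozen=True)
class Decision:
    tier: str
    go: bool              # True: OK as-is for now; False: needs attention before/while onboarding
    review_months: int    # review cadence feeding the monitoring step
    reason: str


TIER_NAMES = {0: "low", 1: "moderate", 2: "high", 3: "critical"}
REVIEW_MONTHS = {0: 36, 1: 24, 2: 12, 3: 6}   # assumed cadence, not from the article


def inherent_risk(v: Vendor) -> int:
    """Score 0..3: the worse of data sensitivity and access level.

    A vendor with only internal data but admin access scores 3, because the access,
    not the data, is what an attacker would use. Criticality adds one level (capped)
    since availability matters even when the data is harmless.
    """
    data_score = max((int(d) for d in v.data), default=int(DataClass.PUBLIC))
    score = max(data_score, int(v.access))
    if v.critical_to_operations:
        score = min(score + 1, 3)
    return score


def classify(v: Vendor, appetite_max_tier: int = 2) -> Decision:
    """Map a vendor to a tier and a Go/No-Go against the policy's risk appetite.

    appetite_max_tier is the highest tier the VRM policy allows to be onboarded
    without extra controls; 2 ("high") is an assumed default.
    """
    score = inherent_risk(v)
    go = score <= appetite_max_tier
    reason = (f"data={max(v.data, default=DataClass.PUBLIC).name}, access={v.access.name}, "
              f"critical={v.critical_to_operations}")
    return Decision(TIER_NAMES[score], go, REVIEW_MONTHS[score], reason)


def triage(vendors: list[Vendor], appetite_max_tier: int = 2) -> list[tuple[str, Decision]]:
    """Return (name, decision) pairs, No-Go vendors first, then by tier descending."""
    scored = [(v.name, classify(v, appetite_max_tier)) for v in vendors]
    order = {name: -inherent_risk(v) for name, v in ((v.name, v) for v in vendors)}
    return sorted(scored, key=lambda p: (p[1].go, order[p[0]]))


# Constructed sample vendor population (fictional names).
SAMPLE_VENDORS = [
    Vendor("MailBlast", frozenset({DataClass.INTERNAL}), Access.READ),
    Vendor("PayCo", frozenset({DataClass.CONFIDENTIAL}), Access.WRITE),
    Vendor("HelpdeskMSP", frozenset({DataClass.INTERNAL}), Access.ADMIN, critical_to_operations=True),
    Vendor("CardGateway", frozenset({DataClass.REGULATED}), Access.WRITE, critical_to_operations=True),
    Vendor("DNSHost", frozenset({DataClass.PUBLIC}), Access.NONE, critical_to_operations=True),
]

if __name__ == "__main__":
    for name, d in triage(SAMPLE_VENDORS):
        flag = "GO    " if d.go else "NO-GO "
        print(f"{flag}{name:<12} tier={d.tier:<9} review every {d.review_months:>2} months  ({d.reason})")
```

Running it lists HelpdeskMSP and CardGateway as No-Go, which is the outcome a data-only view would get wrong for the MSP. Adjust the scales, the appetite tier and the review cadence to match your own policy; the structure (worst-of data and access, plus a criticality bump, gated by a documented threshold) is the part worth keeping.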

Step 3: Monitor vendor risk.

Last but not least, monitoring vendor activity through public alerts or regular reviews will help you identify new or emerging outsourcing risks. Bigger companies often invest in vendor monitoring tools or services to keep tabs on vendors’ financial status, legal status, social media activity, etc. in between vendor reviews. SMBs can leverage low-cost or free tools like Google Alerts, Social Mentions, Dun & Bradstreet data and so on to monitor changes at your highest-risk vendors (an acquisition, a reported breach, financial trouble) that might impact your firm.
Managing the InfoSec risk associated with outsourcing can help identify and reduce financial, regulatory/compliance, reputational and supply chain risk, strengthen vendor relationships and improve business performance in the long run. Your VRM policy, classification system and monitoring process can all be “moving targets” that you improve as you gain experience and see benefits.
To get additional guidance on managing outsourcing risk, or to jump-start a VRM program for your business, contact Pivot Point Security.

TPRM for SMBs guide

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size business (SMB).
Download our free TPRM PDF guide now!