Nearly every company shares proprietary information with vendors, or entrusts sensitive customer data to them to store and process. In so doing, you extend to them the responsibility you have to your stakeholders to keep that data secure.
Do you know for sure how well are each of your vendors is upholding that responsibility on your behalf? As cybercriminals increasingly target vendors as a way to attack their customers, and regulators increasingly hold organizations liable for breaches of vendor-controlled data, the importance of managing information security risk associated with your vendors is escalating.
But obviously, some vendors (IT services, payroll/benefits, legal, maybe even your cleaning company) inherently pose more information security risk than others. How do you decide what vendor-related risks are most critical? How can you make sure that vendor risk is monitored and addressed consistently?
That is the job of a vendor risk management policy—the foundation of any vendor risk management (VRM) program, and an area that is often overlooked. According to ISO 27001:2013 section A.15.1:
A.15.1.1 Information security policy for supplier relationships – Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.
How do you get there? A good practice is to start by setting up a company-wide vendor risk ranking system and categorize each vendor within it. Next, for each rank level determine what you need to do to monitor risk, and how often.
Following are ten of the basic steps that many VRM policies across industries should define for “critical” or “high risk” vendors:
- Identify the supplier and the service/product they provide.
- Depict the process flow through which the supplier provides its product or service.
- Identify the types of information being accessed or touched by the supplier.
- Identify the critical control points in that information flow.
- Identify the controls that should be in place to keep the vendor’s business running and maintain confidentiality, integrity and availability (CIA) of your data while it is in their hands.
- Identify how the vendor will continue to provide services to you during a disaster or outage.
- Identify how the vendor will handle incident management where your company is concerned.
- Establish a main point of contact at the vendor.
- Determine how changes to the above will be handled.
- Determine how often the above steps will be re-verified.
Your VRM policy might define more due diligence steps if you’re in a regulated industry like financial services. Do you run background checks on a vendor’s senior management? Do you review their financials? Do you mandate independent penetration testing on a quarterly basis? Whatever is included in your VRM policy should be agreed to by your vendors.
Managing vendor risk is an ongoing process. Having a VRM policy in place ensures that your organization gets the most risk mitigation benefit from its VRM program in the most efficient manner.
To discuss your current VRM posture and next steps, contact Pivot Point Security.