In today's business climate, using vendors or third-party service providers is no longer a luxury, it has become a necessity. Organizations "outsource" key business functions every day for many reasons, some of which include:
- Return on Investment
However, with great reward comes great risk, especially in today's world of Information Security. Managing vendors isn't enough anymore. Having a strong vendor management program is essential, but it is the starting point, not the end game. Today, it is essential to know the vendors your company uses. But what does knowing vendors actually mean? Obviously, your vendors were not chosen without doing some homework in the first place. As a potential partner, their references were checked and their insurance was verified, so that if there is a problem, all your bases are covered. While those are all awesome things to do when establishing the relationship, it is necessary to dig deeper by conducting some due diligence to get the full picture. But before we talk about what that due diligence looks like, an important point must be stressed:
Due diligence on vendors should be happening on at least an annual basis!
Business changes, and vendors change how they deliver the services they provide. Vendors may go through difficult times that impact their level of service or the security of their systems. Business changes quickly, and changes in your vendor's circumstances can have a significant impact on your business! Here are some tips on how to better know your vendor:
- Assign them a risk rating - How critical is a specific vendor to your organization? If they were to suffer a breach and/or lose the information that you entrust them with, what impact would that have on your organization? Determine whether they are High, Medium, or Low risk so you can plan how to manage them.
- Based on that risk rating, perform risk assessments as needed - Do you have several high-risk vendors? If so, you need to make sure to assess their performance and their business practices more often than your low-risk vendors.
- Get Financials Yearly - Want to know how your vendor is doing? Look at their financials. For publicly traded companies this is a bit easier than for private companies. Either way, obtain the financials and review them for any areas of concern (revenue drops, net income drops, large increases in liabilities, etc.).
- FIND OUT WHAT THEY ARE DOING TO KEEP YOUR INFORMATION SECURE - There is a reason that I typed this one in all caps. No, I am not yelling at you (maybe I am), but this is important. Do they have a SOC 2 in place? How often do they conduct vulnerability assessments and penetration testing? If they are a cloud service provider, do they conduct application penetration testing? If you ask and they aren't sure what they are doing regarding IT Security, or don't want to share it with you, that is a HUGE red flag. Also, you should request this information at least yearly, and more often for high-risk vendors.
Knowing your vendors is more than signing a contract and checking references one time. As the business climate changes, your needs change, and so do your vendor's responses to those changing needs. In addition, many Federal, State, and Industry regulations are focusing on how companies manage vendors to mitigate risk (you can thank Target for that).
Next week, Compass IT Compliance’s February webinar will be on the topic of getting to know your vendors and why this is so important. This 30-minute webinar will cover the items above in greater detail and provide you with some practical examples of how to get to know your vendors. Details are below. We look forward to seeing you next week!
Know Thy Vendor Webinar