In today's business climate, using vendors or third-party service providers is no longer a luxury; it has become a necessity. Organizations "outsource" key business functions every day for many reasons, some of which include:
I recently wrote a blog post that discussed legislation in the State of New York that is set to take effect on January 1, 2017. This legislation will affect all financial institutions in the state with respect to cybersecurity and the development of a formal cybersecurity program. Click here to review that post, as it provides a good overview of the requirements for financial institutions as well as links to documents with even more information.
One thing that I didn't cover in that post, hence this post, is the impact that this legislation will have on vendors of financial institutions in New York. In the proposed legislation, there is an entire section devoted to each institution having a "Third Party Information Security Policy."
When it comes to technology, we hear terms that are oftentimes confused and used interchangeably. Some examples of these terms might include Vulnerability Scanning and Penetration Testing. Another example might be the age-old debate of Risk Assessment versus Audit. While seemingly similar on the surface, there are in fact significant differences. The same holds true for a topic that I have discussed on this blog recently in reference to the FFIEC Guidance on the Management IT Booklet. The terms that I am referring to are "update" and "revision." While seemingly similar, they are in fact quite different.
Vendor Management is a term that is thrown around all the time, but what does it really mean? If we look at it on the surface, it is a method for managing your vendors and third-party service providers. That's a little obvious, of course, but let's look at the definition of Vendor Management from Gartner to see what they have to say about it: