Vendor Management Programs to Prevent Data Disasters

CJ Hurd
Oct 23, 2019 1:00:00 PM

If you’ve read any of my prior blog posts, you will know that my background prior to joining Compass IT Compliance included 21 active duty years in the United States Coast Guard. I seem to talk about it quite a bit. One of the perks, depending on where they are sending you, is getting to move around and live in different parts of the country. One drawback is that you’re moving so often that just when you get settled somewhere, it is time to go again. My family and I had 9 changes of station resulting in 7 moves over those 21 years.

One area you become proficient in when moving so often is choosing between different service providers, such as cable, internet, electric, trash pickup, etc. With every new location, my wife and I would sit down and go through pricing options to compare each price with the service offered. For example, I really enjoy DirecTV’s cable service because it includes the NFL Ticket. Of course, this comes with a greater cost. There is another variable to add to it; will we be able to have the satellite dish low enough that I could reach it during a snowstorm? Sounds weird, right?

Quick story… when I lived in Michigan, my satellite dish was on the roof. In case you didn’t know, it snows a ton in the upper peninsula of Michigan! The snow would stick to the dish and interrupt satellite service at the worst times. So, I would be out in the yard during a snowstorm throwing stuff at the dish trying to get the snow to fall off. This all played a factor in which service we would select. We were evaluating the risk vs. costs associated with the service we were interested in. I strongly believe in the “you get what you pay for” line. I’m happy to pay a higher premium for a superior product or service in most cases. However, I am not going to pay a higher cost for a terrible product or service.

Ok, enough talking about home! Let’s talk about your business or place of work. I hope by this point you’ve picked up on the comparison I’m trying to make as it relates to vendors. One of the leading causes of data breaches today is compromised third-party vendors. The attacks are sometimes referred to as Island Hopping. Cyber criminals, who want to breach an organization, will target that organization’s vendors, who often have lower security policies and standards. Once they breach the vendor, they will then use the vendor’s credentials or network access to hop over to the target company’s networks and data. Compromised third-party vendors have resulted in many high-profile data breaches, including Target (2013), Home Depot (2014), TransUnion (2019), and so on. Do you have a vendor management program to evaluate your vendors and calculate the risks associated with that vendor? Do you review your vendors periodically (or ever)? Do you track any issues you have with your vendors? Most companies don’t. So, if you’re not tracking vendors then you are not alone.

When talking about a vendor management program, there are a few phases that I like to cover as an introduction to this:

  • Vendor Onboarding - will include establishing requirements and expectations, developing an approval process, determining security guidelines, as well as the actual vendor selection through the contract closure
  • Vendor Review - will include due diligence checks, incident report reviews, contract reviews, and performance reviews
  • Vendor Offboarding - will include reviewing contracts for termination provisions, equipment returns, disabling of technical and physical access credentials, documenting the offboarding with reason explanations, and notifying employees

When a company is small or just starting out, they typically bring in vendors based on the recommendations of others or based on the cost. Things move so fast for some of these companies that their vendors get brought on without a contract, due diligence, or security checks. This list of vendors that are now providing a service to the company are also very rarely documented. How do you now conduct a periodic review of a vendor if you don’t have a contract or any documentation of them existing within your company? Do they have access to your network or systems as well?

Vendor onboarding is important. It’s also important to review your existing vendors against the criteria that you’ve developed. Once you’ve reviewed an existing vendor and determined that they are no longer up to your standards, determine whether you need that service anymore or if there is a better option, and have a checklist to follow that will help you properly offboard the vendor.

Vendor management is an important program that should be implemented within an organization early on. As you grow and bring in more vendors, it will be nearly impossible to get your arms wrapped around vendor management if you haven’t already established a strong program. Having a vendor management program has many benefits including increasing efficiency, reducing operating costs, and ensuring compliance with industry regulations. It also allows you to track and monitor performance of vendors. Compass IT Compliance offers a variety of vendor management services to help you manage and mitigate your risk related to third party service providers. Contact us today to learn more!

You May Also Like

These Stories on Vendor Management

Subscribe by Email

No Comments Yet

Let us know what you think