How To Build Your Vendor Compliance Manual For Cybersecurity

Melissa Stevens | September 29, 2016 | tag: Vendor Risk Management

Today, organizations don’t just ask their vendors, business partners, and third parties to perform a service or provide a product. They also expect them to meet a number of contractual requirements. Financial and legal requirements are typical (and critical)—but today, cybersecurity is as well. 

Cybersecurity has become a company-wide issue that affects organizations all the way up to the boardroom. Organizations are now grappling with the fact that a great deal of their sensitive data could be accessed by vendors—and a misuse or compromise of this data could cause tremendous financial or reputational harm. It is because of this that a comprehensive vendor compliance guide is important for first-party organizations today.

Example: The DOD’s Vendor Compliance Manual For Security

The United States Department of Defense (DOD) understands the threat of vendor risk and cybersecurity. They have created a vendor compliance manual—known as the Defense Federal Acquisition Regulation (DFAR)—that sets the standard for what they expect of their vendors. The DFAR is thousands of pages long, but subpart 204.73 requires vendors to “safeguard covered defense information that resides in or transits through covered contractor information systems by applying specified network security controls.” In other words, certain contractors and subcontractors must meet specific, agreed-upon security standards as part of their contract fulfillment. This subpart also details how these vendors are to report cybersecurity incidents to the DOD within an agreed-upon period of time.

It’s very important—but not very difficult—to create a useful vendor compliance manual as a checklist that shows your third parties you take cybersecurity very seriously. If you’re just getting started, here are three things to consider.

3 Critical Things To Remember When Building Your Vendor Compliance Manual

1. Place your focus on critical vendors.

What is a critical vendor? A critical vendor either has access to your sensitive data or provides an important service to your organization.

To identify your organization’s critical vendors, consider whether financial or reputational harm would follow if the data held by a particular vendor was compromised. Sometimes these vendors are easy to pinpoint—like a third party that runs payroll or has access to personally identifiable information (PII). Other times, they require a bit more effort to identify—say, a vendor working on a project that is materially important to your company.

2. Express requirements and expectations that vendors must abide by when safeguarding your data.

If you’re not explicit about which international cybersecurity standards or best practices you want your vendors to follow, don’t expect them to follow any. You must lay out your requirements clearly and contractually, and they must reflect the importance of the data the vendor has access to.

For example, if your vendor has access to your intellectual property or other sensitive information, you’re not going to tell them to “implement industry-standard cybersecurity practices”—you’re going to list your specific expectations. This can be anything from data encryption to access limitations and more.

3. Define what it means to experience a cybersecurity incident.

Your vendor contract cannot simply state that you need to be notified of a cybersecurity incident. First, what is a cybersecurity incident according to your organization? Does that mean someone has gained unauthorized access to your data, or does it mean there’s been a network intrusion that may or may not affect your data? If you consider this before you create the contractual vendor agreement, you can set specific expectations about when you’ll be notified about such things.

While you clearly will want to know if something bad happens to your data on a vendor network, you also may want to know if a bad actor compromised any data on your vendor’s network. If the breach was large enough in size or severity—or multiple breaches occur over time—you may want to terminate the vendor relationship. Without these contractual obligations, however, this will prove to be quite difficult.

A Word Of Advice

Creating a solid vendor compliance program is commendable and important. But compliance does not equate to security. Show me a company in the news that was recently breached, and I’ll show you a company that may have been compliant with standards. Therefore, your ultimate focus should be on vendor risk management, not just vendor compliance. While compliance is a solid short-term goal, vendor risk management is an ongoing practice that shouldn’t be understated.
