How you can ensure you are performing the necessary security assessments and evaluations while keeping your onboarding process as flexible and agile as possible.
Compliance, at its core, is a legal responsibility. It is defined as “act or process of doing what you have been asked or ordered to do.” Creating a successful vendor compliance program isn’t as simple as asking third parties to comply with your security requests or pestering them to answer your security risk assessment questions.
The vendor compliance checklist below highlights three things you must do if you want to ensure your vendors meet (or exceed) your security expectations.
1. All vendor security requests and obligations must be contractual.
Simply telling your vendor that you care about cybersecurity—or asking them to describe the controls they have in place to protect your data—is useless. If you want a strong vendor compliance program, list all of your expectations in your vendor contract as part of your vendor compliance checklist.
This step cannot be skipped over. A data breach through a third party is bad enough—but discovering that your contractual agreement with the vendor who was breached didn’t clearly spell out security expectations is exponentially worse. The best time to define these contractual obligations is at the beginning of a vendor relationship, but you can—and should—revisit current vendor contracts to be sure they clarify your expectations.
Be specific when you create these legal documents. Telling your vendors they must implement “a reasonable amount of security measures” is meaningless. What is reasonable? Who defines it—you or your vendor? Specific and actionable language will protect you from legal scrutiny and liability.
2. Require your vendors to be aligned with frameworks and obtain certifications you feel strongly about.
You may choose for all your third parties to be compliant with ISO 27001, or align with the NIST risk management framework as part of your vendor compliance checklist. If so, you’ll need to write this plainly in your contract. Keep in mind that requirements like these will likely impact your vendors’ budgets, as many will need to hire a consultant to help build a security program that satisfies the controls.
3. Require your vendors to notify you when they experience a security incident.
Cybersecurity best practices dictate that you create a procedure for your third parties to notify you in the event of an incident that affects their organization and/or your data. Usually it’s a written procedure developed by an outside organization outlining who the third party is to contact if a security breach does occur. The first party is responsible for ensuring the vendor has the right procedures in place, so make sure your vendor compliance checklist includes accurate contact information, and a timeline of when that communication will happen for your vendors.
Why Vendor Compliance Is Not Enough
Requiring vendors to meet certain security standards is good to include in your vendor compliance checklist, but it doesn’t mean they’re properly securing your data. Even if your vendors comply with your policies, security incidents that impact your data can still occur on their network.
Your ultimate focus should be on third-party risk management (TPRM). While compliance is a solid short-term goal, third-party risk management is an ongoing practice. When you manage your vendors, you can have a set vendor compliance checklist, which is less about labeling them “compliant” and more about setting specific performance standards that reflect your organization’s risk tolerance. In other words, what risk are you willing to accept as an organization?
Businesses with strong vendor compliance programs as well as strong third-party risk management programs have a much more advanced approach to handling vendor issues. To that end, we’ve listed below six things your company can begin doing in order to build up your TPRM program.
6 Areas To Add To Your Vendor Compliance Checklist
1. Focus on your most critical vendors.
You can’t simply lump all your third parties into one category and decide that they’re all of equal importance. It’s crucial to identify and focus on the most critical vendors who have either direct access to your corporate network or access to your sensitive data. You’ll want to know in detail who those vendors are and what they have access to. You can then add specific contractual language to those agreements that will help enforce your compliance standards.
2. Set thresholds and standards for lower-tier vendors.
Your main focus should be on critical vendors, but if your organization has a mature vendor management program you’ll probably also be paying some time and attention to vendors who may not pose an immediate risk. While they may not have access to your network or share sensitive data, you likely provide them with payment information—so if they are breached and have your business credit card on file, that data could be compromised.
For these lower-tier vendors it’s important to have a monitoring and alert system in place. Bitsight Security Ratings allow you to automatically find out about any security change that may impact your organization.
3. Assess your vendors’ security measures.
Managing your vendor’s risk typically begins with a cyber security risk assessment questionnaire that asks about their high-level security practices. It’s good to have this documentation, but the information is subjective. Your vendors might be telling you what they believe to be true, but what if they’re mistaken?
Penetration tests and vulnerability scans help you understand whether your vendor is being diligent in their security efforts—but these methods only evaluate a moment in time. They won’t provide an accurate depiction of what goes on in your vendor’s organization day-by-day, which is where continuous monitoring (step 4) comes in.
4. Monitor your vendors to ensure they’re both compliant and continuously performing at an acceptable standard.
You can go through all of the motions of ensuring your organization’s data and network are secure—but how do you truly ensure that your third parties are following through on their security obligations? Continuous monitoring solutions are the best way to ensure a third party’s security posture mirrors how they’ve described it. Additionally, continuous monitoring lets you easily view new risks or vulnerabilities that could pose a threat to their network.
5. Examine your aggregate risk levels.
A lot of vendor compliance is focused on individual vendor compliance, but it also helps to look across all your vendors and examine aggregate risk. If you can see how all your vendors are doing in specific areas, you’ll get a better idea of the kinds of standards you should set for your partner businesses.
For example, you could require all your critical vendors to use DKIM and SPF to bolster their email security. If you then look at all the vendors who implement these practices and compare them to those who do not, you’ll be able to determine whether that standard or policy is realistic or attainable moving forward.
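To show what “looking across all your vendors” means in practice, here is an added example (not code from the original post or from Bitsight) that ties step 1 (tiering vendors by what they can access) to step 5 (aggregate risk). It takes a tiered vendor list, evaluates each vendor against the SPF-and-DKIM standard described above, and reports how many vendors in each tier actually meet it. The vendor domains, tiers, and DNS TXT records are constructed sample data embedded inline so the script runs offline; in a real program they would be collected from DNS, and the DKIM selectors are assumed to have been disclosed by the vendor, since selectors cannot be enumerated from DNS.

```python
"""Aggregate e-mail authentication posture across a tiered vendor portfolio.

Added example, not part of the original post. All vendor names, tiers and
DNS records below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample: vendor domain -> (tier, {dns_name: [TXT records]}).
# "critical" = network or sensitive-data access; "lower" = payment data only.
VENDORS = {
    "vendor-a.example": ("critical", {
        "vendor-a.example": ["v=spf1 include:_spf.mail.example -all"],
        "s1._domainkey.vendor-a.example": ["v=DKIM1; k=rsa; p=MIIBIjANBg..."],
    }),
    "vendor-b.example": ("critical", {
        "vendor-b.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
        "s1._domainkey.vendor-b.example": ["v=DKIM1; k=rsa; p=MIIBIjANBg..."],
    }),
    "vendor-c.example": ("critical", {
        "vendor-c.example": ["some unrelated txt", "v=spf1 +all"],
    }),
    "vendor-d.example": ("lower", {
        # Two SPF records: RFC 7208 treats this as a permanent error.
        "vendor-d.example": ["v=spf1 include:a.example -all", "v=spf1 -all"],
        # Empty p= tag: the published key has been revoked (RFC 6376).
        "s1._domainkey.vendor-d.example": ["v=DKIM1; p="],
    }),
    "vendor-e.example": ("lower", {"vendor-e.example": []}),
}

SPF_RE = re.compile(r"v=spf1(\s|$)", re.IGNORECASE)


def spf_status(records):
    """Classify a domain's SPF policy: strict, soft, permissive, invalid, missing.

    Simplified: only the final 'all' qualifier is inspected; 'redirect=' and
    'include:' chains are not followed.
    """
    spf = [r.strip() for r in records if SPF_RE.match(r.strip())]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"
    last = spf[0].split()[-1].lower()
    qualifier = last[0] if last in ("-all", "~all", "+all", "?all") else None
    return {"-": "strict", "~": "soft"}.get(qualifier, "permissive")


def dkim_status(domain, zone):
    """Report whether a usable DKIM key is published under <selector>._domainkey."""
    keys = [r for name, recs in zone.items()
            if name.endswith("._domainkey." + domain)
            for r in recs if "v=dkim1" in r.lower() or "p=" in r.lower()]
    if not keys:
        return "missing"
    if all(re.search(r"(^|;)\s*p=\s*(;|$)", k) for k in keys):
        return "revoked"
    return "present"


def assess(vendors=VENDORS):
    """Return per-vendor findings and per-tier counts for 'strict SPF + DKIM present'."""
    results = {}
    for domain, (tier, zone) in vendors.items():
        spf = spf_status(zone.get(domain, []))
        dkim = dkim_status(domain, zone)
        results[domain] = {"tier": tier, "spf": spf, "dkim": dkim,
                           "meets_standard": spf == "strict" and dkim == "present"}
    agg = defaultdict(lambda: {"total": 0, "meeting": 0})
    for r in results.values():
        agg[r["tier"]]["total"] += 1
        agg[r["tier"]]["meeting"] += int(r["meets_standard"])
    for a in agg.values():
        a["pct"] = round(100 * a["meeting"] / a["total"])
    return results, dict(agg)


if __name__ == "__main__":
    per_vendor, per_tier = assess()
    for domain, r in per_vendor.items():
        print(f"{domain:<20} {r['tier']:<9} spf={r['spf']:<11} "
              f"dkim={r['dkim']:<8} ok={r['meets_standard']}")
    for tier, a in per_tier.items():
        print(f"{tier}: {a['meeting']}/{a['total']} meet the standard ({a['pct']}%)")
```

The per-tier percentages are the number the post is talking about: if only a third of critical vendors meet the standard, the gap between policy and reality is in that tier, and the contract language from step 1 is where to close it. The same structure works for any other measurable standard you set; swap the two status functions for whatever check reflects the requirement.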
6. Coordinate your teams internally.
Any complete vendor compliance checklist includes bringing together multiple teams from several departments, including procurement, IT and security, finance, and legal. This coordination helps get every pertinent department in sync with your vendor compliance program; if you have one particular vendor falling short in an area, other departments should be aware so they can be on the lookout for red flags.
The biggest challenge here is helping other business units understand traditional detailed IT compliance reports. Be sure your metrics and reports are simple, clear, and easy to digest visually. If you’re able to take a complex topic and put it in terms that all participants can comprehend, it will help get everyone on the same page.
Want to better understand your vendors’ cybersecurity posture?
To learn more about how to have a complete vendor compliance checklist and properly manage your pool of vendors, download our guide.
This blog has been updated as of September 30, 2020.