
The Do's & Don'ts Of Sharing Sensitive Information With Vendors

Melissa Stevens | September 10, 2015

No matter what industry you’re in, there are policies, as well as hundreds or thousands of laws and regulations, that go into creating a vendor risk management (VRM) program. As such, there are plenty of resources dedicated to that very topic. You could spend weeks or months reading before you feel like you have a good grasp on it… or, you could read this article!

Simply put, we are experts in the VRM space! We know which best practices to make sure you’re doing—which you’ll find on our “do” list—and which practices to never take part in—which you’ll find on our “don’t” list. Let’s dive right in.

“Do” List

  • Do understand the value of your data to your organization prior to allowing any third party to access it. Being able to differentiate data that is highly sensitive from data that is only moderately sensitive is an important step—and you’ll need to be able to draw those conclusions before a vendor has access.
  • Do create security expectations for your vendors describing how they should secure your data. These expectations shouldn’t be casually mentioned at the beginning of a business relationship, but rather cemented into your vendor contract. Make these expectations legally airtight, so your mind—and the minds of those in upper management—can rest at ease.
  • Do establish an incident response plan. Having a procedure for your third party to notify you in the event of an incident affecting their organization and/or your data is most certainly a best practice. This is a written procedure that is usually referenced in the contract and developed by the third-party organization. It outlines who the third party is to contact if a security breach does occur. The first party is responsible for ensuring that the vendor has the right procedures in place, accurate contact information, and a clearly established timeline for when that communication will happen.


  • Do only share the minimum information with your vendor required for them to meet your objectives. If, for example, your vendor will be monitoring your HVAC system remotely, you’ll want to ensure that they only have minimal access. They only need access into the part of your network that controls HVACs, and virtually nothing more. Such access management could have saved Target from its massive, highly publicized breach that affected the personal information of over 110 million customers.
  • Do continuous monitoring of your third-party vendors and contractors with respect to cybersecurity. Even if you put your vendors through all kinds of audits—which you should—you still don’t know what is going on in their network on a day-to-day basis. Continuous monitoring software helps you keep an eye on all your vendors, so you can make better, data-driven decisions.

“Don’t” List

  • Don’t create a generic expectation for security. You’ve probably heard of companies requiring their vendors to provide an “adequate” level of security. This is not a good practice, because “adequate” can be interpreted in many different ways. You have to be clear about your security expectations if you want to decrease your chances of third-party security issues. Ideally, you should cite an industry standard like ISO 27001, NIST SP 800-53, or the PCI Data Security Standard.
  • Don’t allow third parties to access your data without doing proper assessments. Understanding the cybersecurity posture of your vendors can be a painstaking process. It should involve a combination of questionnaires, on-site assessments, technical assessments, and near-constant communication. If you take care of your pre- and post-contract due diligence, you’ll feel far more prepared for them to gain access to your data.
  • Don’t let everyone in the third-party organization—or your organization—have access to your data. This is a pretty simple, but important concept. Your organization should clearly establish which individuals at a vendor company have access to your data. Consider putting controls in place to help guard entry to your data, so it isn’t easily accessible. Privileged information should only be available for a select few individuals who need access for a very good
  • Don’t allow third-party users to access your data using unapproved devices. Anyone accessing sensitive information should be using their work-approved computers on approved networks. If someone decides to access your information on a personal laptop at a coffee shop, your organization can’t adequately monitor usage—and someone gaining access to your “crown jewels” becomes far more likely.
  • Don’t provide vendors with more information about proprietary products or information than they need. In other words, make sure you’re properly addressing the risk involved with your supply chain. Let’s say your organization is designing a really sensitive smart phone, and you decide to work with a vendor who can supply you with specialized screens. That particular vendor does not need access to all of your sensitive phone design information and data—they just need the specifications that will help them successfully create the phone screen. We cannot overstate how important it is to protect your most sensitive data and information.

One Final Point

Do make sure you use this list as a starting point… but don’t only rely on this information to ensure that your data is entirely secure! Our hope is that these suggestions provide you with a great place to start or affirm you’re headed in the right direction in regard to IT risk management—but they can’t replace thorough vendor due diligence. Make sure you do your homework!


