No matter what industry you’re in, policy and a large body of laws and regulations shape how vendor risk management (VRM) programs are built, and there are plenty of resources dedicated to that very topic. You could spend weeks or months reading before you feel you have a good grasp of it… or you could read this article!
Simply put, we are experts in the VRM space! We know which best practices to make sure you’re doing—which you’ll find on our “do” list—and which practices to never take part in—which you’ll find on our “don’t” list. Let’s dive right in.
Do understand the value of your data to your organization prior to allowing any third party to access it. Being able to differentiate data that is highly sensitive from data that is only moderately sensitive is an important step—and you’ll need to be able to draw those conclusions before a vendor has access.
Do create security expectations for your vendors describing how they should secure your data. These expectations shouldn’t be casually mentioned at the beginning of a business relationship, but rather cemented into your vendor contract. Make these expectations legally airtight, so your mind—and the minds of those in upper management—can rest at ease.
Do establish an incident response plan. Having a procedure for your third party to notify you in the event of an incident affecting their organization and/or your data is a clear best practice. This is a written procedure, usually referenced in the contract and developed by the third-party organization, that outlines who the third party is to contact if a security breach does occur. The first party is responsible for ensuring that the vendor has the right procedures in place, accurate contact information, and a clearly established timeline for when that notification will happen.
Do only share the minimum information with your vendor required for them to meet your objectives. If, for example, your vendor will be monitoring your HVAC system remotely, you’ll want to ensure that they only have minimal access. They only need access into the part of your network that controls HVACs, and virtually nothing more. Such access management could have saved Target from its massive, highly publicized breach that affected the personal information of over 110 million customers.
Don’t create a generic expectation for security. You’ve probably heard of companies requiring their vendors to provide an “adequate” level of security. This is not a good practice, because “adequate” can be interpreted in many different ways. You have to be clear about your security expectations if you want to decrease your chances of third-party security issues. Ideally, you should cite an industry standard such as ISO 27001, NIST SP 800-53, or the PCI Data Security Standard.
Don’t allow third parties to access your data without doing proper assessments. Understanding the cybersecurity posture of your vendors can be a painstaking process. It should involve a combination of questionnaires, on-site assessments, technical assessments, and near-constant communication. If you take care of your pre- and post-contract due diligence, you’ll feel far more prepared for them to gain access to your data.
Don’t let everyone in the third-party organization—or your organization—have access to your data. This is a simple but important concept. Your organization should clearly establish which individuals at a vendor company have access to your data. Consider putting controls in place to guard entry to your data, so it isn’t easily accessible. Privileged information should only be available to a select few individuals who need access for a very good
Don’t allow third-party users to access your data using unapproved devices. Anyone accessing sensitive information should be using their work-approved computers on approved networks. If someone decides to access your information on a personal laptop at a coffee shop, your organization can’t adequately monitor usage, and someone gaining access to your “crown jewels” becomes far more likely.
Don’t provide vendors with more information about proprietary products than they need. In other words, make sure you’re properly addressing the risk in your supply chain. Let’s say your organization is designing a highly sensitive smartphone and decides to work with a vendor who can supply specialized screens. That vendor does not need access to all of your sensitive phone design information and data; they just need the specifications that will help them successfully build the screen. We cannot overstate how important it is to protect your most sensitive data and information.
One Final Point
Do make sure you use this list as a starting point… but don’t only rely on this information to ensure that your data is entirely secure! Our hope is that these suggestions provide you with a great place to start or affirm you’re headed in the right direction in regard to IT risk management—but they can’t replace thorough vendor due diligence. Make sure you do your homework!