Insights Industry News

April 26, 2016

Information Security: 10 Steps MR Firms Should Take to Manage Supplier Risk

In working with suppliers, you extend to them the responsibility you have to your client to keep that data secure.

Information Security: 10 Steps MR Firms Should Take to Manage Supplier Risk
Dave Christiansen

by Dave Christiansen

Managing Director at Ezentria

0

Sensitive Data

As a market research firm, your clients share sensitive information with you. In some cases your firm will outsource a business process with a supplier, or entrust sensitive client data to them to store and process. In so doing, you extend to them the responsibility you have to your client to keep that data secure.

 

Risk

Do you know for sure how well each of your vendors is upholding that responsibility on your behalf? As cybercriminals increasingly target vendors as a way to attack their customers, and regulators increasingly hold organizations liable for breaches of vendor-controlled data, the importance of managing information security risk associated with your vendors is escalating.

Some vendors (IT services, payroll/benefits, legal, maybe even your cleaning company) inherently pose more information security risk than others. How do you decide what vendor-related risks are most critical? How can you make sure that vendor risk is monitored and addressed consistently?

 

Building a policy

That is the job of a vendor risk management policy – the foundation of any vendor risk management (VRM) program, and an area that often is overlooked. It is a requirement outlined in the ISO 27001 information security standard, which is becoming increasingly popular in many industries for providing a verifiable, credentialed framework. According to ISO 27001, Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

So, how do you get there? A good practice is to start by setting up a company-wide vendor risk ranking system and categorize each vendor within it. Next, for each rank level determine what you need to do to monitor risk, and how often.

 

The 10 basic steps VRM policies across industries should define for “critical” or “high risk” vendors:

  1. Identify the supplier and the service/product they provide.
  2. Depict the process flow through which the supplier provides its product or service.
  3. Identify the types of information being accessed or touched by the supplier.
  4. Identify the critical control points in that information flow.
  5. Identify the controls that should be in place to keep the vendor’s business running and maintain confidentiality, integrity and availability (CIA) of your data while it is in their hands.
  6. Identify how the vendor will continue to provide services to you during a disaster or outage.
  7. Identify how the vendor will handle incident management where your company is concerned.
  8. Establish a main point of contact at the vendor.
  9. Determine how changes to the above will be handled.
  10. Determine how often the above steps will be re-verified.

 

Things to consider

Your VRM policy might define more due diligence steps if you’re in a regulated industry like financial services. Do you run background checks on a vendor’s senior management? Do you review their financials? Do you mandate independent penetration testing on a quarterly basis?

Whatever is included in your VRM policy should be agreed to by your vendors. Managing vendor risk is an ongoing process. Having a VRM policy in place ensures that your organization gets the most risk mitigation benefit from its VRM program in the most efficient manner.

 

Photo by George Becker from Pexels

0

data privacydata securitymarket research suppliers

Disclaimer

The views, opinions, data, and methodologies expressed above are those of the contributor(s) and do not necessarily reflect or represent the official policies, positions, or beliefs of Greenbook.

Comments

ARTICLES

Moving Away from a Narcissistic Market Research Model

Research Methodologies

Moving Away from a Narcissistic Market Research Model

Why are we still measuring brand loyalty? It isn’t something that naturally comes up with consumers, who rarely think about brand first, if at all. Ma...

Devora Rogers

Devora Rogers

Chief Strategy Officer at Alter Agents

The Stepping Stones of Innovation: Navigating Failure and Empathy with Carol Fitzgerald
Natalie Pusch

Natalie Pusch

Senior Content Producer at Greenbook

Sign Up for
Updates

Get what matters, straight to your inbox.
Curated by top Insight Market experts.

67k+ subscribers

Weekly Newsletter

Greenbook Podcast

Webinars

Event Updates

I agree to receive emails with insights-related content from Greenbook. I understand that I can manage my email preferences or unsubscribe at any time and that Greenbook protects my privacy under the General Data Protection Regulation.*