By Dave Christiansen
As a market research firm, your clients share sensitive information with you. In some cases your firm will outsource a business process with a supplier, or entrust sensitive client data to them to store and process. In so doing, you extend to them the responsibility you have to your client to keep that data secure.
Do you know for sure how well each of your vendors is upholding that responsibility on your behalf? As cybercriminals increasingly target vendors as a way to attack their customers, and regulators increasingly hold organizations liable for breaches of vendor-controlled data, the importance of managing information security risk associated with your vendors is escalating.
Some vendors (IT services, payroll/benefits, legal, maybe even your cleaning company) inherently pose more information security risk than others. How do you decide what vendor-related risks are most critical? How can you make sure that vendor risk is monitored and addressed consistently?
That is the job of a vendor risk management policy—the foundation of any vendor risk management (VRM) program, and an area that often is overlooked. It is a requirement outlined in the ISO 27001 information security standard, which is becoming increasingly popular in many industries for providing a verifiable, credentialed framework. According to ISO 27001, Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.
So, how do you get there? A good practice is to start by setting up a company-wide vendor risk ranking system and categorize each vendor within it. Next, for each rank level determine what you need to do to monitor risk, and how often.
Following are ten basic steps VRM policies across industries should define for “critical” or “high risk” vendors:
- Identify the supplier and the service/product they provide.
- Depict the process flow through which the supplier provides its product or service.
- Identify the types of information being accessed or touched by the supplier.
- Identify the critical control points in that information flow.
- Identify the controls that should be in place to keep the vendor’s business running and maintain confidentiality, integrity and availability (CIA) of your data while it is in their hands.
- Identify how the vendor will continue to provide services to you during a disaster or outage.
- Identify how the vendor will handle incident management where your company is concerned.
- Establish a main point of contact at the vendor.
- Determine how changes to the above will be handled.
- Determine how often the above steps will be re-verified.
Your VRM policy might define more due diligence steps if you’re in a regulated industry like financial services. Do you run background checks on a vendor’s senior management? Do you review their financials? Do you mandate independent penetration testing on a quarterly basis?
Whatever is included in your VRM policy should be agreed to by your vendors. Managing vendor risk is an ongoing process. Having a VRM policy in place ensures that your organization gets the most risk mitigation benefit from its VRM program in the most efficient manner.
Dave will be one of the presenters featured in a series of CASRO webinars on Information Security presented by and geared to the business intelligence industry.