October 2, 2018
Nowadays, companies increasingly rely on vendors to ensure their continued success in business. Whether you use a payroll processor or a SaaS marketing platform, you end up sharing private customer and employee data with such vendors. As such, you have to come up with a vendor management plan that monitors and mitigates the risks posed by vendors in order to safeguard the data entrusted to you.
Vendor Management Plan
What does a Vendor Management Plan Entail?
Your vendor management plan helps you create a set of rules that enable you to spot, rate, and mitigate the risks that third-party enterprise partners pose not only to you but also to your business. In the same way that you establish a risk tolerance for your own organization, you ought to hold all your vendors to a similar level of accountability. Also, bear in mind that building a vendor management plan follows the same steps taken when establishing your information security plan.
Step 1: Recognize the Information your Vendors can Access
Vendor risk is directly associated with the information that your vendors have access to in the course of service delivery. Just as you must identify your internal information assets, you must identify the information assets that vendors can access. Furthermore, you ought to ask yourself the questions detailed below about each vendor to determine the risk it poses to your organization.
- What role does my vendor play in my enterprise?
- What company details does the vendor require to fulfill that role?
- What information regarding my employees does the vendor require?
- What client information does the vendor require?
- Does my vendor need to access my networks and systems?
- Which networks and systems does the vendor need to access?
- For how long does my vendor need access to my networks and systems?
Service providers can be either software systems or individuals. In both cases, you have to understand the role that such providers play in meeting your business goals as well as the amount of information they require to reach those objectives.
Step 2: Create a Risk Tolerance for Vendors
After determining the kind of information that your vendors have access to, you have to align your information risk tolerance so that it corresponds with the access that your vendors require. Additionally, you have to determine which risks you want to refuse, mitigate, transfer, or accept. While considering your vendor requirements, you ought to ask yourself these questions:
- Does your vendor play a vital role in the operations of your business?
- How much information regarding your firm does the vendor require?
- How much information relating to your customer does your vendor need?
- How much employee information does the vendor require?
- How many fundamental networks does your vendor have to access?
- How many vital systems does the vendor need to access?
Looking at how critical a vendor is to your company’s activities marks the initial step to understanding the effect that vendor can have on your enterprise. Your IT unit may use a cloud service provider to house all of your electronic data, while your marketing unit might rely on a vendor to manage email distributions; the two carry very different levels of risk.
Step 3: Establish Procedures for Guiding your Vendor Relationship
Good contracts undeniably create excellent business partnerships. Creating the right documentation to formalize your relationship helps outline a set of shared best practices that you expect the vendors to follow. Creating a service level agreement, or SLA, is vital because it details the functions your vendor performs for your company. When formulating such a contract, you may need to include the following aspects, at a minimum:
- Information access controls
- Access authorization protocols
- Liability for security occurrences
- Endpoint security prerequisites
- System and network update needs
- System and network security safeguards
- Password management requirements
- Decryption and encryption requirements
- Employee Security Awareness Training prerequisites
Step 4: Ongoing Vendor Monitoring
Bear in mind that your vendors’ security posture poses a risk similar to your own, except that you have limited control over their operations. Furthermore, knowing that their missteps become yours can raise the blood pressure of even the calmest CISO. Ongoing monitoring plans include:
- Reviewing of SOC reports
- Conducting site visits
- Taking part in vendor audits either yearly or regularly
- Requesting documentation for penetration testing
- Reviewing all copies of internal audits
- Assessing IT diagrams and architecture
- Assessing security documentation
Vendor monitoring and oversight requires you to trust your vendors to satisfy their contractual obligations and to validate that trust through documentation. Additionally, you must establish a useful monitoring process that safeguards all your downstream customers and partners in order to meet your industry and regulatory compliance requirements.
About the Author
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.