Six Steps for Vendor Risk Management
Outsourcing is often a default strategy for today’s businesses. While it offers organizations huge potential benefits, it has also given rise to security threats that are persistent, large scale and devastating. In the past two years, sophisticated attackers have launched powerful attacks through vendor networks and connections to siphon off funds, millions of credit card records and customers’ sensitive personal information.
It is clear that organizations require adequate oversight of vendor security risks. Recent studies have made it clear that the lack of due diligence regarding third parties is particularly concerning. Vendor risk oversight from a security point of view demands a program that covers the entire organization, outlining the policy and guidelines to manage and mitigate security risk, combined with clearly articulated vendor contracts.
In light of the noticeable jump in organizations that attribute security incidents to service providers and contractors, the following six steps can help organizations consider their vendor privacy and security governance framework:
1. Executive oversight. The decision to outsource is strategic, not merely a procurement decision. It is therefore critical that executive committees provide direction for the vendor risk management program. The program should receive executive guidance from both the compliance function and the IT risk and control function.
2. An accurate vendor and contract database. Many organizations today deal with a large number of third parties and service providers. Missing contact information, lack of clarity over who owns the relationship, and missing contracts or contract updates are typical areas of concern that need to be addressed.
3. Assigning vendor trust levels. For the vendor risk management program to be effective, one cannot conduct the same type of risk assessment for all vendors. Rather it is necessary to identify those vendor services deemed to carry the greatest risk and prioritize them accordingly. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary due diligence assessments for lower risk relationships.
4. Security assessments. Proper control and management of vendor risk requires continuous assessments. As a good practice, areas of assessment could be drawn from existing security standards and practices (e.g. ISO 27001) combined with specific compliance requirements (e.g. PCI DSS) as applicable.
5. Validate trust levels. Outsourced relationships usually go through iterations and evolve as they mature. As organizations strategize to outsource more, they should also validate trust levels in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating trust level is an ongoing exercise.
6. Monitor and report. It is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with a senior management sponsor, who can help the organization progress towards good governance with respect to outsourcing.
Vendor risk management is the next step in elevating information security from a technical control process to an effective management process. Regular security assessments of vendors give an organization confidence that it is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments also show whether the systems and data managed by vendors are handled consistently with the organization’s own security policies.
Keep in mind that vendor risk management is not a mere project; it is a program and requires continuous attention to keep the momentum going. Diligent internal communication is key to ensuring that there is an awareness of the important role that a vendor risk management program plays in keeping data and systems secure.
Contact PRIVATECH for assistance with managing privacy and security risks associated with outsourcing.