Vendor Risk Management

Vulnerability risk management is the process of evaluating vendors prior to establishing a contract of the potential risks that an organization faces when transferring information and/or allowing a vendor to store your organization’s sensitive information.

If the personally identifiable information (PII) of your customers is accessed through your vendor network by hackers, it can cause legal, financial, and reputational risks for your organization. As such, organizations should get ahead of the risk and create a strategy that accounts for specific vendors with whom your firm works.

The strategy should outline:

1. What type of data you’re sharing with the vendor
2. How you are sharing that data
3. Who has access to this data
4. How that data will be stored
5. How that data will be destroyed
6. How frequently the auditing process takes place

Selecting the right vendors to work with is a critical first step within the vendor risk management process. Before selecting a vendor, use due diligence to verify the following areas of the partnership (note that this list isn’t exhaustive):

• Background
• Performance history
• Financial health
• Market reputation
• Policies in place within the vendor organization
• Compliance
• Stakeholders and board of directors
• Civil or criminal lawsuits against your vendor or its stakeholders

Armed with this information, develop a risk assessment profile identifying the possible risks.

Next, establish a risk management strategy including the necessary steps to mitigate those risks. If your organization already has a strategy in place, note that you may need to add or modify a clause in the document for each vendor with whom you’d like to work. Once the strategy is in place, utilize it for a periodic vendor review.

These eight steps present a high-level overview of elements that make up a strong vendor risk management strategy:

1. List all vendors with whom your organization works. Prioritize these vendors based on how much of a security threat each poses to the organization. This allows you to best coordinate your internal resources to tackle the high and critical threats first.
2. Implement a security framework that maps to your organization. For example, if your business operates as part of the healthcare industry, the vendor must comply with the Health Information Portability and Accountability Act (HIPAA).
3. Prepare a contract outlining the business relationship between your organization and the vendor. This process will involve your legal team.
4. Create documentation of the vendor selection process and criteria, available vendor details, and audit reports of each review taking place at the vendor site.
5. Conduct a periodic review and audit of clauses included within the contract. Ensure they are met. These reviews ensure that the vendor meets regulatory compliance for your industry.
6. Collect fourth-party vendor details and perform an assessment of your vendor’s policies for its vendors.
7. Document risks identified during the process and proposed mitigation plan.
8. Educate employees involved in the process about the importance of the process and an assurance of a clear line of escalation for any red flags.

There are four items to consider within your organization to ensure a proactive vendor risk management strategy:

1. Prepare templates for questionnaires, checklists, and process documentation for use during the vendor risk management process.
2. If you don’t have skilled resources in your organization, outsource the requirement to firms that provide specialized services. These organizations can help you hone your risk assessment and risk management techniques.
3. Follow current best practices and compliance requirements. Some current best practice, compliance, and regulatory standards that are helpful as a reference include:
   1. The Sarbanes-Oxley Act
   2. The Gramm-Leach-Bliley Act
   3. The Foreign Corrupt Practices Act (FCPA)
   4. The Health Insurance Portability and Accountability Act (HIPAA)
   5. The Payment Card Industry Data Security Standard (PCI DSS)
   6. The UK Bribery Act
   7. NIST 800-53
   8. NIST Cybersecurity Framework
4. Gather as much information as possible about the vendor before building your strategy. This includes publicly available information relating to items such as physical verification, etc.

The focus of the strategy should be on improving the design and solving any problems along the way rather than collecting data. This will allow you to create a value-added ecosystem for you and your vendors.

Statistics show that nearly two-thirds of security breaches originate from third parties. For example, in the December 2013 Target breach, the attack was enabled by an email phishing attack on an HVAC contractor. An employee of the contractor clicked a malicious link which ultimately led to the compromise of millions of credit cards. This is one of many examples highlighting why the security of your vendors directly affects your firm.

Vendors can improve credibility by having proper documentation and policies in place that are an auditing requirement. These firms should also educate all levels of employees of the importance of third-party security.

Provide a vendor risk management questionnaire to each potential vendor your firm is considering. The vendor risk management questionnaire should be detailed and granular. However, a selection of important questions to include in your list are as follows:

1. Do you have a cybersecurity policy and skilled resources within your organization? Have you used this policy to perform a cybersecurity assessment? Or, have you completed a similar assessment with a third-party organization? Please share the policy and your results.
2. Do you use tools to monitor your network and the software in use within your organization? Are employees free to download free or open source software without requiring permission? Please share a list of software and tools in use within your organization.
3. Do you have a disaster recovery strategy in place? If yes, have you ever used this strategy? Please share the strategy.
4. Do you have a list of vendors to whom you have outsourced services? Do you have a vendor risk management strategy in place for conducting risk assessments with vendors? Do you have a vendor risk management team? Please share your vendor list and details of your vendor risk management strategy.
5. As an organization, how do you ensure that your security guidelines (if applicable) are carried out throughout the SDLC? Does your firm conduct security testing or review of all products? Are your employees trained on security skills they can use while developing or testing?
6. What is your breach notification policy? Do you only notify the customer whose data has been breached? Or, do you notify all customers?