Vendor Management Requirements in CyberSecurity Standards
Are you in control of third-party risk? Do you have a sound vendor management department? Do you audit your suppliers?
Your third-party vendors are critical to not only your businesses success, but for many of us, are at the core of our organizations processes and activities, and with that come the dreaded four letter word: RISK.
In the past, procurement was simply the department that bought goods and services. But now, in today’s increasingly digitalized world, procurement should be considered as a part of your overall business strategy. Therefore, it is imperative for businesses to adopt a Vendor Management Program to mitigate cybersecurity risk.
What’s in a Vendor Management Program?
If you’re starting from scratch, it’s easier to build a program knowing who your vendors are. This way you can build your policies and standards with some forethought to how they will apply because you’re already working with them, so you understand more about what the potential issues will be.
A Vendor Management Program provides you with means to:
Identify Vendors
It’s important to identify all vendors that have access to customer and/or sensitive data, as well as those who have access to your network. For those who have access to customer and/or sensitive data, you need to know what kind of environment your data will be in and what could happen if cybercriminals are able to access the customer information under your vendor’s control. Next you want to rank your vendors according to the risk associated with the relationship. This is an important step because it will determine a couple of things. First, how often you need to review the vendor, and second, how deep your due diligence research needs to go. You want to be able to distinguish those vendors who are critical to your operation from those whose loss of services would not be disruptive at all. Your policy should contain several risk classifications, depending on regulatory requirements and best practices.
Perform Due Diligence
You’re discovering what you need to know to mitigate the risks associated with outsourcing services. You use this process to determine the cybersecurity resiliency of your vendors, including controls in place, business continuity plans, incident response programs, vulnerability and breach notification standards, etc. Part of your due diligence process also includes collecting documentation and evidence from vendors, and developing contract language that requires the behaviors and controls you deem necessary.
Document
Create a spreadsheet or database to track all of your vendors. Create a checklist that you’ll use for each review of a critical, high, medium, and low risk vendor. And finally maintain an organized library of all the documents provided by your vendors.
Report
Who will see your good work will vary depending on your organization, but someone will need to review and approve vendors based on the information you have collected. You should have a mechanism to report serious issues to senior management once problems are known. You should also be prepared to demonstrate the efficiency of your Vendor Management Program to auditors.
Need assistance with assessing the cybersecurity of your service providers?
As external dependencies continue to grow, setting up and maintaining an effective cybersecurity review program can be a daunting task Digital Edge can assist with the implementation of a program that makes sense for your organization’s business needs and is tailored to the unique conditions that are the byproduct of every third-party business relationship. For more information on Digital Edge’s robust Cybersecurity Vendor Management team, contact us today at complaince@digitaledge.net.