Without an effective vendor management program, the threat looms large.
How can a business effectively manage the oversight of its third-party vendors’ security and privacy programs? After all, these are completely independent organizations, running their own businesses and executing their own practices.
It may sound overwhelming (perhaps even impossible), but it is doable with an effective vendor management program.
Below are five key components to such a program. Keep in mind these are not one-and-done to-do’s. Each of the following should be performed on an ongoing basis.
- Document all third-party vendors.
Do you know every vendor doing work for your organization? The first, and possibly most neglected, step is to identify and document at least the following details for all vendors:
- Contact names
- Office locations
- Dates contracted
- Services performed
- Data shared
Be sure to keep these details up-to-date for all vendors. You should also retain this information for past vendors for at least six years (longer if your business must follow strict data retention requirements).
One thing to watch out for, especially in large organizations with multiple locations, is multiple vendor contracts. Often, these firms will contract the same vendor to perform the same activities for each location, yet under differing contractual agreements. This creates an additional risk of vendor non-compliance.
- Document the information each vendor accesses.
Once you have identified all vendors, you need to document the types of information each has access to. For example: full name, mailing address, phone number, social security number, email address, birthdate, etc. More access to sensitive information (e.g. health data, social security numbers, etc.) means higher risk, and therefore, requires more oversight. Be sure to document the security controls associated with each vendor and establish a way to keep the information up-to-date.
Once you’ve identified the data each vendor accesses, you are ready to determine the risks to that data. The most effective way is a data flow analysis in combination with a risk evaluation. When it comes to performing this analysis, keep in mind simpler is usually better.
- Establish and update contractual requirements.
Determine if your contractual requirements for each vendor are adequate. At a minimum, your contract should include rights to:
- Audit
- Request completed risk evaluations on a regular basis (quarterly or bi-annual)
- Be notified and approve of any subcontracting involving data
- Review vendors’ documented information security and privacy policies
- Be notified as soon as possible (typically within one business day) of a breach
- Determine and monitor risk levels.
You also need to determine the level of risk each vendor presents to your organization. You can often establish a preliminary risk level based on the following details:
- The amount of sensitive information involved
- The number of locations, including number of countries, the vendor is using to store and process data
- The number of the vendor employees who have access to data
- The number of technologies / devices used
- The maturity of the vendor’s information security and privacy program
- Establish a plan for ongoing oversight.
There are many effective ways to maintain oversight of your vendors. Which you choose depends on the type of service the vendor provides. Below are some options to consider:
- Obtain monthly or quarterly attestations from your vendors’ executives. By attesting that security and privacy programs are maintained and enforced, the executives become even more personally accountable.
- Perform risk assessments. These assessments may include requiring the vendors to complete surveys to help you evaluate their security and privacy programs.
- Require and monitor your vendors’ regulatory compliance specific to their industries and applicable legal requirements.
The more automated you can make ongoing oversight the better. However, some of your highest risk vendors may require personal phone meetings, or even on-site visits.
How SIMBUS360 can help
If you need help with any of the above processes, consider a vendor tracking automation tool, such as SIMBUS Tracker. SIMBUS Tracker is powerful vendor management software designed to monitor organizations with access to personal information. It consolidates all necessary compliance verification information and associated records into one simple-to-use, secure platform and performs ongoing oversight of your vendor relationships.
SIMBUS Tracker is available for direct use. It’s also available in a white-label version. So, if you lead a business, such as a law firm, managed services IT firm, consultancy or an accounting practice, and you’d like to help your clients with their own vendor management, SIMBUS Tracker is ideal software for opening up that additional business line or revenue source for your firm. Contact Dave Greek to learn more.
For more information, download our Vendor Oversight & Risk Management Tips guidance document. The document includes common security and privacy risks discovered from more than 300 vendor assessments.