OFFICIAL PUBLICATION OF THE NEBRASKA BANKERS ASSOCIATION

Pub. 16 2021-2022 Issue 3


Components of a Modern Vendor Management Program

Although vendor management isn’t a silver bullet for preventing vendor data breaches, it is a necessary component of a healthy overall information security program. We’re going to continue relying on vendor relationships, so truly managing our vendors remains extremely important. A good vendor management program contains the following components: risk assessment, due diligence, contract review, and the watch list.

Vendor Risk Assessment
Everything that’s good in information security starts with a risk assessment. If you cannot measure it, you cannot manage it. All of your risk assessments, including your vendor risk assessment, should help you make better decisions. Ultimately, you are seeking answers to two questions: Who do I want to do business with? Do I want to continue doing business with this vendor? You should seek to quantify the answers to these questions.

Due Diligence and Contract Review
This is where we’ll get the majority of our data to confirm the soundness of a vendor relationship. It’s also the most time-consuming and potentially daunting task of vendor management, the one that frightens people and stops them from making meaningful progress. Let’s be honest: due diligence and contract review is tedious work, it takes a lot of time, and it doesn’t always feel like it’s providing adequate value. Nevertheless, it is necessary, and it need not be that daunting. As discussed above, if you have a good risk assessment, you’ll know where to focus most of your energy. If you’ve identified what you want to include in a review for each specific vendor risk level, you’re well on your way to having an effective vendor management program.

The next step is to identify review criteria. Luckily, your primary federal regulator provides you with good starting points. The FDIC, OCC, FRB, and NCUA all publish their own general criteria for due diligence and contract review. We would encourage you to go further by developing your own question sets for things like SOC reports, cloud providers, and foreign-based service providers, to name a few. Remember, the more critical the vendor, the deeper your review should go.



The Watch List
Occasionally a vendor review doesn’t live up to our expectations or risk appetite. A vendor may fall short because it provided outdated or insufficient documentation relative to our requirements, or because, upon review of those documents, troubling items were found that resulted in less risk reduction than we would have liked. If that’s the case, we are now presented with the choice of whether or not to continue doing business with the vendor. Assuming the decision is made to continue the relationship, the vendor in question should be placed on a “watch list.” Your vendor watch list should mimic your loan watch list: it identifies problematic vendors that require additional oversight. If a vendor is on the watch list, increase the review frequency assigned by the risk assessment until you’ve decided to either:

  • Accept the risk = Do nothing, but make sure you document it as a known risk exception!
  • Resolve the risk = Work with the vendor to address issues until they’re resolved.
  • Change the risk = Find a new vendor or bring the service in-house.
  • Transfer the risk = Insure against a loss.

Vendor Management + Incident Response
Your incident response plan should already identify the most severe threats your institution faces. Vendor compromise ought to be one of those.

You should perform tabletop testing of your incident response plan. Develop scenarios based on your threat assessment and walk through those scenarios with the incident response team. When performing a tabletop test for a vendor compromise scenario, reach out to the vendor prior to the test and encourage their direct participation. If the vendor chooses not to participate (note that in your vendor management program), put together a list of questions or requested information that came out of the tabletop test and send it to the vendor. Don’t forget to ensure your tabletop test is well documented: Who attended? What was the scenario? What steps were determined to be taken? What did we do well? What can we improve? What additional questions do we need to answer?

Bottom Line, It’s Your Data
We’re more reliant on vendors than ever before. Vendors are storing, processing, or transmitting data on behalf of your organization. However, it’s your data, so it’s your responsibility to protect your customer information, your employees, and your institution, no matter where the data resides. Your vendor is not going to notify your customers about a breach for you or take the blame. Understand your vendor’s security practices through your vendor management program. Align those vendor relationships with your cybersecurity goals and standards. Ensure you’re tying vendor management and vendor relationships into your incident response planning. Remember, it’s not IF something is going to happen, it’s WHEN. If we plan to fail well and build that capability into our vendor management process, we set ourselves up to come out the other side as healthy as possible.

For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security, and education. Learn more at www.sbscyber.com.