As a market research firm your clients share sensitive information with you. In some cases your firm will outsource a business process with a supplier, or entrust them to store and process sensitive client data. In doing so you’ve extended to them the commitment and responsibility you have to your client to maintain the confidentiality, integrity and availability of that data.

Do you know for sure how well each of your vendors is upholding that responsibility on your behalf? As cybercriminals increasingly target vendors as a vector to attack their customers, and regulators increasingly hold organizations liable for breaches of vendor-controlled data, the importance of managing information security risk associated with your vendors is escalating.

Some vendors (IT services, payroll/benefits, legal, maybe even your cleaning company) inherently pose more information security risk than others. How do you decide what vendor-related risks are most critical? How can you make sure that vendor risk is monitored and addressed consistently?

That is the job of a vendor risk management policy—the foundation of any vendor risk management (VRM) program and an area that is often overlooked. It is a requirement outlined in the ISO/IEC 27001 information security standard, which is the only globally-accepted information security framework in existence. Purpose-built for organizations of all size, complexity, and market. According to ISO 27001, Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

So, how do you begin? A good practice is to start by setting up a company-wide vendor risk ranking system and categorizing each vendor as critical, high, moderate or low depending on data sensitivity, access type, etc. Next, determine what you need to do to monitor risk for each rank level and at what interval. Then, begin your review, in rank order by criticality.

Following are ten basic steps VRM policies across industries should define for “critical” or “high risk” vendors:

  1. Identify the supplier and the service or product they provide.
  2. Depict the process flow through which the supplier provides its product or service.
  3. Identify the types of information being accessed or touched by the supplier.
  4. Identify the critical control points in that information flow.
  5. Identify the controls that should be in place to keep the vendor’s business running and maintain confidentiality, integrity and availability (CIA) of your data while it is in their hands.
  6. Identify how the vendor will continue to provide services to you during a disaster or outage.
  7. Identify how the vendor will handle incident management where your company is concerned.
  8. Establish a main point of contact at the vendor.
  9. Determine how changes to the above will be handled.
  10. Determine how often the above steps will be re-verified.

Your VRM policy might define more due diligence steps if you’re in a regulated industry like financial services. Do you run background checks on a vendor’s senior management? Do you review their financials? Do you mandate independent penetration testing on a quarterly basis?

Whatever is included in your VRM policy should be agreed to by your vendors. Managing vendor risk is an iterative process. Having a VRM policy in place ensures that your organization gets the most risk mitigation benefit from its VRM program in the most efficient manner.

Have questions? Need help defining your VRM posture and approach? Contact Darrin Maggy at Ezentria.

For more information about ISO 27K and Insights Association training programs about this standard, contact Jennifer Ward.