Checking Out your Vendor Risks in the Electronic
David is the CTO | Co-Owner of the SMB content hub TexasOnTheGO.com. He has been working in the information technology business since 1989 and has worked with a wide range of small, medium and corporate businesses. He has presented at over 200 gatherings of business and technical leaders and is a Subject Matter Expert on Data Center Technologies.
Checking out your Vendor Risks in the electronic information arena:
Common information risks that should be investigated when selecting your preferred vendors. Each of the questions below should be answered in writing and the answer kept with the vendor file.
- What are their information security and privacy policies?
- Are their procedures documented and enforced?
- When handling personal and sensitive data and files, do they encrypt them in transit and at rest?
- What is their training program regarding information security and privacy provided to their staff?
- When was their last information security and privacy risk assessment performed, and by whom?
- Are their employees familiar with the privacy policies of their employer and of your organization, and are they in compliance with both?
- What third-party subcontractors do they use in their business activities and processes, and do they inform you when your data is handled by one of them?
- Are their information systems patched, and do they have adequate, up-to-date security controls?
- Do they have designated staff for assuring compliance?
Protect your information using contracts:
TexasOnTheGO clients are advised to include each of these critical terms in all vendor contracts.
- Hold vendors to the same security and privacy standards you have at your organization.
- Require at least quarterly statements from the vendor’s executive management that they are in compliance.
- Insist the vendor have a documented breach notification process that includes time requirements for notifying your organization of the breach.
- Establish who is responsible for encryption keys and for the processes around securing them.
- Establish as well who has access to the encryption key data and who has the ability to change or rotate it.
- Make sure your vendor recognizes all regulatory obligations required of it for retaining and protecting the integrity of your data, even when those obligations run longer than the period for which you have contracted with it.
- Ensure liability is built into the contract so that the vendor remains responsible for providing strong security for your data at all times.
Although customization of contracts is often necessary, a template of pre-approved security and privacy clauses to be included when needed will cut time and add peace of mind.
What documents should you maintain regarding your information security with 3rd parties?
Keep the following in mind as elements of your vendor relationships that should always be detailed in writing.
- Maintain a secured document inventory of all data items subject to information security or privacy requirements that you have entrusted to your vendors.
- Make sure access held by your vendor's employees and subcontractors is removed as soon as they leave the vendor or the engagement ends.
- In case of incidents and breaches, contractually require vendors to document what happened and to take actions that mitigate the risk of any similar future incidents.
Do you know who your 3rd Party vendors are?
The following are often overlooked as third parties that impact an organization’s risk picture.
- Business partners (investors, collaborators, strategic alliances, distributors, marketing)
- Government agencies (worker’s compensation agencies, agencies with tax info, city, state and federal)
- Volunteers (fundraisers, patient assistance, drivers, registration desks)
- Researchers (marketing, healthcare, product development, social media)
- Students (teaching hospitals, interns, shadowing programs, family members)
TexasOnTheGO recommends these four simple steps that any organization can take to mitigate risks brought to your organization by using third parties.
- Verify your organization is named as an additional insured party on your vendors' cybersecurity and privacy liability insurance policies.
- Determine the type and limits of cybersecurity and privacy liability insurance your vendors carry, and if and how your organization is covered in a breach.
- Understand whether your own cyber liability policy covers breaches caused by vendors or contractors.
- Request a copy of any existing recent SSAE 16 SOC 2, ISO 27001, COBIT 5 or similar