Call now for cybersecurity help: 888-646-1616
Holly Sagstetter

4 Vendor Risk Management Best Practices

August 25, 2022

In this article, we will share some of our vendor risk management best practices for information security. It’s important to have a methodical approach to determine the risk level of your vendors. Why? If your vendors don’t have strong security, YOU don’t have strong security. 

Why should you follow our Vendor Risk Management Best Practices?

You probably remember Target’s big third party breach in 2013.”Target had reported that hackers stole data from up to 40 million credit and debit cards” (Joyce, 2017).  Many people don’t realize that it was actually a third party vendor, Target’s HVAC company, that was the initial cause of a hack.  IBM Security reported in 2019 that breaches involving a third party increase the total cost of a data breach by $370,000. 

Vendor risk management for information security is crucial, and we’re going to share some of our vendor risk management best practices in this article.

Practice #1 - Make a complete Vendor List

A vendor list usually includes company name, address and phone number. We argue that this is not enough information. Unfortunately, a majority of vendors pose some sort of security risk to your company because they can have access to your data, network, systems, or physical location. 

Below we list 9 important components to include in your vendor list template. This means your vendor list will essentially act as a security snapshot of your current and former vendors. Let’s get started.

Why use a vendor list template?

No matter the size of your business, having a well maintained vendor list is a good idea. It will save you time to have a master list, instead of having to ask a colleague or dig through your email to find the right contact information.

Depending on your industry (we work with clients in heavily-regulated industries like financial services, healthcare, and government contracting), it may be required or strongly recommended to have an up-to-date vendor list.

There are also some security-related reasons to have a vendor list. If you are notified of a breach, and it’s a vendor that you use, having a current security-focused vendor list will make it easy for you to determine next steps. It also provides peace of mind that you have a complete list of vendors and a snapshot of their access and security measures. 

How do you define ‘vendor’?

A vendor is an external organization that provides a service or product for your company. For information security-specific reviews, we tend to focus on any vendors that may have access to your sensitive data, finances or network. A vendor could be your payroll service provider, IT provider, electronic billing providers, manufacturers, and more.

Think of what systems you use to run your business – and if those systems have access to your data in any way, put them in your vendor list! Think: email, e-signature programs, IT and HR service providers, suppliers, consultants.

How to create your vendor list template

There are many free vendor list templates out there. Like most things, some are better than others. It’s important to pick and choose the appropriate components for your vendor list. Since we’re a cybersecurity company, we’re going to recommend having more than just a vendor’s contact information. You need to know if a vendor has security measures in place, and it’s a good idea to update your vendor list every time you complete a vendor review. 

Here are the components to include in your vendor list template:

1 - Vendor name and contact information

Let’s start with the basics. A vendor list should include the vendor’s name and contact information: mailing address, phone number, website, and client representative.

2 - Description of service provided

Since vendor services are not always obvious by looking at the name, be sure to include a brief description of the services provided. 

3 - Description of vendor access 

You’ll need to note whether a vendor has access to your network, systems, or data. For example, your IT service provider most likely has full access to your network and systems, and remote connection privileges. If your company uses Google Workspace or Microsoft 365, either Google or Microsoft has access to your documents and emails. 

Why include vendor access? This goes back to our previous point of security-related reasons to have a vendor list. If a vendor experiences a breach, it’s important to know whether your client data could be affected. 

4 - Security risk

We typically recommend risk rating your vendors on a scale of low to high. How do you come up with the rating? Our clients undergo third-party vendor risk management each year, which consists of evaluating the security posture of their vendors. During that review process, it becomes clear which vendors are a higher security risk, either based on their lack of security measures, or their level of access to your systems and data.

For example, your IT service provider most likely has full access to your systems, and even after passing a background check, may still have a  high security risk rating. Another vendor, like DocuSign, may have a medium security risk rating because it has access to organization and client data, but is password and MFA protected. 

Being able to quickly see a vendor’s name and their security risk will help you make business decisions – if a vendor has a high security risk and there is some sort of incident (service or security-related), you may choose to search for a new vendor.

Depending on your industry, your clients and prospective clients may want to see your vendor list too, and seeing the security risk rating provides a clearer picture of your vendors and your company's attitude towards security.

5 - MFA enabled

If you are using any sort of cloud service, you need to use MFA (multi-factor authentication). It’s one of the best and easiest (and free) ways of protecting your systems and data. 

6 - Type of MFA

Just as important as using MFA is the type of MFA. Note whether the type of MFA is email, SMS, mobile app or other. Any MFA is better than no MFA, but the best and most secure would be mobile app. How many times can we type MFA in one paragraph? How about one more: MFA.

7 - Other security measures

In this column, note any other security measures worth mentioning. For example, programs like DocuSign and LastPass password manager are password protected (plus MFA of course). For your IT service provider or cleaning service, you may want to note that they passed a background check.

8 - Contract, to include Start and End Dates

Do you have a contract with this vendor? For software programs like DocuSign, you may not have an actual signed contract, but usually there is a service agreement that can be found on their website. For your IT service provider? We hope you have a contract! Additionally, contract dates are a great way to monitor active and retired services from your vendors.

9 - Termination

You may think of your vendor list as a list of currently used vendors,but it’s important to include former vendors as well. It will save you time down the road if you decide to look at alternate vendors, and it’s important to document when the relationship was terminated.

Creating your Vendor List Template

Here’s the list of headings to include in your vendor list. Just plug them into your favorite spreadsheet software. We won’t make you sign up with your email address - just copy/paste and get your vendor list going:

Vendor Name

Contact Information

Description of Service

Description of Vendor Access (Network/Systems/Data)

Security Risk Rating 

MFA Enabled?

Type of MFA (Email/SMS/Mobile App/Other)

Other Security Measures

Contract? And Contract Details (ex. Start and End Dates)

Vendor Status (ex. Active, Inactive)

Vendor Risk Management Best Practices: Have a plan and follow it

Practice #2 - Have a plan and follow it

We go over this in detail in our article Third-Party Vendor Risk Management: A How-To Guide. But basically these are the steps to follow to start your third-party vendor risk management process:

  1. List your vendors (see Best Practice #1 above for more information)
  2. Find or request information (SOC2 audit reports, copies of information security policies, etc.)
  3. Review documents and follow up with questions
  4. Respond to security risks
  5. Schedule security reviews for the following year

You can learn more about each step in our How-To Guide

Practice #3 - DIY vs. Outsource Review (or maybe both?)

You absolutely can perform the review of your third-party vendors yourself.

When we perform these reviews for clients, here’s how we approach it:

  1. For large vendors, we ask to see a copy of their SOC2.  The SOC2 is a report produced by a CPA firm who comes into the company and tests that they’re actually following their information security policy.  The reports are huge, but we tend to focus on the “findings” section.  
  2. For smaller vendors, we send them a survey about their information security policies and procedures, and ask for a copy of their documents.

We’ll review each vendor one-by-one, and write up notes about what we found.  If there’s anything that’s concerning in the vendor’s third party vendor report, then we talk to the vendor salesperson to ask when the issue will be addressed.  If it’s serious enough, we would consider recommending that you look for a new vendor.

All that said, you might decide you’d rather outsource this.  This is not meant to be a sales pitch – but this is a service we provide as part of our Virtual CISO program. Having a dedicated vendor risk management team ensures that standards are met, communication is consistent, and experts are able to provide clarity.

If your business is smaller and doesn't have the budget for an outside team, or if your business is larger and you want to handle this in-house, you can! But the important thing is to make sure a dedicated process is followed at least annually to ensure cybersecurity risks are minified.

Practice #4 - Consider Fourth-Party Vendors

What are fourth-party vendors? That’s right - they are your vendors’ vendors, and they can absolutely create risk into your business. 

It’s important to know who your vendors do business with and whether any of your sensitive information is being shared/stored with them. Typically we recommend having verbiage in your vendor contracts that specifies the vendor agrees to review the security of THEIR vendors.

Summary

Vendor risk management best practices can be simplified down to this: make a thorough, security-focused vendor list, create and follow a third-party vendor risk management plan, create or use a specialized team, and don’t forget about your fourth-party vendors. 

Following these best practices can help you better understand your risk, and can help you make decisions when choosing to renew or cancel a contract with a vendor. 

As part of our Virtual CISO service, we help our clients with third-party vendor risk management, vetting IT service providers, and other important vendor decisions. We work with companies in highly regulated industries that need to comply with regulations like HIPAA, CMMC, NIST 800-171, SEC, NYDFS, IRS, and FFIEC.

References

Joyce, A. (2017). Target Settles 2013 Hacked Customer Data Breach For $18.5 Million. Retrieved from https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031  

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
About
Blog
Copyright 2024 Adelia Associates, LLC | All Rights Reserved