It’s impossible to know which cybercriminals may target your organization and why. That’s why it’s a necessary evil in the cybersecurity industry to trust nobody and nothing. Part of conducting business in the digital age is being constantly vigilant against the unknown adversary who has set their sights on your intellectual property and assets.

But what about the risk to your organization from those you think you can trust? Say, an outside agency you’re considering a partnership with, or one you have an established relationship with. The simple fact is that all vendors pose a certain level of risk to your own cybersecurity and data privacy landscape — and not for nefarious reasons. Sometimes their internal controls aren’t nearly as stringent as yours. Other times, agreements between your organization and theirs don’t set defined expectations for cybersecurity frameworks or data privacy compliance.

When looking at potential partners or re-evaluating an existing relationship, vetting the risk they pose to your own cybersecurity and data privacy is key. Conducting a vendor data risk management audit before signing — or renewing — with a vendor can save your organization from a major incident that could have been easily avoided.
5 Essential Elements of a Vendor Data Risk Management Audit

Taking a deep dive into potential vendors and their cybersecurity and data privacy frameworks should be a natural part of any partner-discovery process. It’s also an important part of maintaining a safe and productive relationship with existing partners. Working with an experienced vendor risk management provider gives you a thorough and unbiased evaluation of a potential vendor. What’s more, a provider can bring a structured vendor risk management program to your organization to reduce the risks of working with a third-party company. A vendor risk management assessment — whether it’s for a new or existing partner — should evaluate:
- Existing controls
- Policies and procedures
- Incident response plan(s)
- Certifications
- Contract and SLAs
1. Existing Controls

The best place to start when vetting a vendor is with the basics. Simple, direct questions about their knowledge of cybersecurity and data privacy can tell you a lot. Their answers — or lack thereof — to base-level cybersecurity FAQs may be critical red flags for the future of your working relationship. Gauging a prospective partner’s knowledge of cybersecurity is no different than testing a job interviewee on the finer points of their potential responsibilities.
2. Policies and Procedures

A vendor’s policies and procedures are another window into how seriously it takes cybersecurity and data privacy. They’re also one of the strongest indicators of the level of risk it may pose to you. The absence of effective cybersecurity and data privacy protocols could leave enough of a gap to provide hackers a direct route to your network data. Strong internal policies and procedures at an organization are:
- Current: Cybersecurity and data privacy regulations are constantly evolving. Policies and procedures that aren’t regularly reviewed and updated are almost like having none in the first place.
- Enforced: Having a set of rules is one thing, but what good are they if those found breaking them are not held accountable? The carelessness of a partner’s staff member can have big implications for your organization.
3. Incident Response Plan(s)

Vetting a potential partner’s policies and procedures should include a review of how it handles a network breach or lapse in data security. A system failure on their part shouldn’t mean your organization’s network is next in line for a visit by an adversary. A vendor’s incident response plan should be specific and include:
- Routine monitoring for threats
- A chain of command during an incident
- Detailed data protection and containment protocols for a breach
- Testing activities to find network weaknesses
- Defined recovery activities
4. Certifications

A prospective vendor’s existing certifications for cybersecurity and data privacy can put to rest many concerns about the risk they pose to you. Being certified means they’ve already been independently reviewed and are meeting best-practices criteria for protecting their systems and data. Cybersecurity certifications to look for:
- NIST CSF
- ISO 27001
- SOC 2 Type 2
5. The Contract & SLAs

A proposed agreement between you and a vendor shouldn’t leave your organization and its data vulnerable because of a seemingly minor contract provision. The same goes for the vendor — they deserve the same level of protection as you expect from them. When reviewing a proposed agreement, dig into:
- Cybersecurity frameworks — What network security measures are required?
- Data ownership — Who owns the data you collect together or share?
- Data privacy — Which standards/regulations are musts for compliance?
- Communication — What is the level of communication expected?
- Roles — Who does what, when, and how?
- Exit clauses — When you part ways, what happens to shared data?