Do You Have a Vendor Management Program in Place?
posted Dec 10, 2018 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
Understanding the cyber environment of your business's third-party vendors is crucial in this day and age. A recent study by the Ponemon Institute found that 49% of businesses perform no security risk evaluation of their vendors. A vendor management program can help you keep track of all your outsourced relationships and help you avoid a cyber breach.
What is a vendor management program?
A vendor management program is an internal process for planning and managing the use of third-party products and services. A well-maintained vendor risk management program ensures that the use of third-party products, IT suppliers and service providers does not disrupt or otherwise negatively affect your business's performance.
Vendor management…step by step
Here are a few important steps you should take to create your vendor management program:
1. Identify and rank your vendors. Once you have a list of all your vendors, identify every vendor that has access to customer or sensitive data, as well as every vendor with access to your network.
Next, you'll want to rank your vendors according to the level of risk associated with the relationship. This will help you determine how often you need to review each vendor and how deep your due diligence research needs to go. The goal here is to distinguish the vendors who are critical to your operation from those whose loss would not be disruptive to your business.
2. Determine the level of due diligence required to address the risk each vendor presents. Your due diligence, in other words the research you do on a vendor, is crucial to maintaining a high level of cybersecurity. This process will help you determine what you need to do to mitigate the risks associated with outsourcing services. It will also help you gauge the cybersecurity resiliency of your vendors, which might include what controls they have in place, business continuity plans, incident response programs, vulnerability management and more. You will also want to collect documentation from vendors, and develop a contract that requires implementation of the controls you feel are necessary to protect your data.
3. Document everything! A database or spreadsheet will help you keep track of all your vendors and categorize them according to their risk level. You can also house all documents provided by your vendors there.
4. Report your findings. You'll want to have someone review and approve vendors based on the information you've put together. It's a good idea to submit a list of critical and high-risk vendors to senior leadership at least once every year.
Keep in mind that vendor management is an ongoing process, not a one-and-done exercise. Creating a method to consistently monitor your third-party vendors and their activity is crucial!
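As an added illustration of the steps above (example code, not part of the original post), the following Python inventory ranks vendors by sensitive-data and network access plus operational criticality, maps each tier to a review cadence and the due-diligence evidence to collect, flags overdue reviews, and produces the critical/high-risk list for senior leadership. The tier names, review intervals and evidence checklist are assumptions for illustration; the post itself only fixes the yearly leadership report.

```python
# Added example, not from the original post: rank vendors by access and criticality,
# derive review cadence and required evidence, and build the leadership report.
# Tier names, review intervals and checklist items are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool   # access to customer or sensitive data
    has_network_access: bool       # access to your network
    critical_to_operations: bool   # loss would disrupt the business
    last_review: Optional[date] = None
    documents: list[str] = field(default_factory=list)  # evidence on file (step 3)

# Assumed review cadence per tier; the post itself only fixes the yearly leadership report.
REVIEW_INTERVAL_DAYS = {"critical": 180, "high": 365, "medium": 365, "low": 730}
# Assumed due-diligence evidence expected per tier (step 2).
DUE_DILIGENCE = {
    "critical": ["controls summary", "incident response program", "business continuity plan",
                 "vulnerability management evidence", "contract with required controls"],
    "high": ["controls summary", "incident response program", "contract with required controls"],
    "medium": ["business continuity plan"],
    "low": [],
}

def risk_tier(v: Vendor) -> str:
    """Step 1: rank by sensitive-data/network access and operational criticality."""
    exposed = v.handles_sensitive_data or v.has_network_access
    if exposed and v.critical_to_operations:
        return "critical"
    if exposed:
        return "high"
    return "medium" if v.critical_to_operations else "low"

def missing_evidence(v: Vendor) -> list[str]:
    """Step 2: due-diligence items still outstanding for the vendor's tier."""
    return [d for d in DUE_DILIGENCE[risk_tier(v)] if d not in v.documents]

def review_overdue(v: Vendor, today: date) -> bool:
    """Ongoing monitoring: never reviewed, or last review older than the tier's interval."""
    if v.last_review is None:
        return True
    return today - v.last_review > timedelta(days=REVIEW_INTERVAL_DAYS[risk_tier(v)])

def leadership_report(vendors: list[Vendor], today: date) -> list[dict]:
    """Step 4: critical and high-risk vendors with review and evidence status for leadership."""
    return [{"vendor": v.name, "tier": risk_tier(v), "review_overdue": review_overdue(v, today),
             "missing_evidence": missing_evidence(v)}
            for v in vendors if risk_tier(v) in ("critical", "high")]
```

Feed it the vendor list from your spreadsheet or database and run it on a schedule; a non-empty `missing_evidence` or a `review_overdue` flag is the trigger for the next due-diligence cycle.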
Interested in learning more about vendor management? Contact any member of our Information Security Services Team.