How do you know if your vendors are doing their due diligence to protect your data? Supply chain security is a critical component of your own security and compliance efforts, but a lot of companies have no idea how to determine if their vendors are safe partners. How do you even begin to audit your vendors for compliance?
TCT has been swimming in the deep waters of security and compliance for years. Here’s the four-step process we recommend for your compliance team to audit your vendors.
1) Compile a List of Vendors
The very first thing you need to do to assess the security of your vendors is to go throughout your organization and make sure you have an accurate list of all your vendors. Chances are good that no single department has a comprehensive list of your suppliers. It may be that someone in IT or HR decided on their own to use a particular vendor/system and never mentioned it outside their department.
- Go to Accounting to see who you’re paying.
- Look at your data flow diagram and find out where your data is being received from and where it’s being stored (make sure THAT’s up to date also).
- During your risk assessment process, keep your eyes open for receipts of data, storage of data and transmission of data.
Keep the vendor list centrally accessible, and keep it maintained. Many organizations have subset lists of vendors for different purposes, so it’s an opportunity to consolidate and track where this information lives in the organization. Review and update this list annually.
2) Flag High-Risk Vendors
Once you have a complete list of vendors, flag the high-risk suppliers. These are the vendors you need to audit. To make that determination, answer the following questions:
- What services does the vendor provide?
- What data do they store?
- How sensitive is the information they have access to?
- What kind of access do they have (physical, passwords, etc.)?
For example, the office supply company probably isn’t as critical as your hosting provider. Your outsourced marketing company, which holds customer information, may have access to sensitive data. The custodial service you contract with has direct physical access throughout your facility.
This exercise will give you a shortlist of vendors that you will need to audit.
3) Request Compliance Assessment Results
Many of the vendors on your shortlist are probably undergoing compliance audits with an assessment firm. If so, you can request a copy of their publicly facing results. That makes your job a lot easier, but it doesn’t let you off the hook.
When you receive a compliance assessment report, or an attestation of compliance (AOC), don’t just put it on a shelf and forget it. Review the document closely. I can’t tell you the number of times I’ve seen a vendor provide irrelevant documentation that claims they’re compliant. In one case, it was a telecommunications provider that was responsible for the security of electronic voice transmissions. When I looked at the AOC, the description of scope covered their process for client inquiries. What does that have to do with communication security? This kind of thing is more common than you might expect.
As an organization, you have a responsibility to your company and your customers to go through this process and to do it appropriately. That means dotting your i’s and crossing your t’s.
The minute a vendor responds in a way that doesn’t align with expectations, they should be on your radar. Start asking more questions and digging into details. If they apologize and send you exactly what you need, it may have simply been an honest mistake. But if they drag their feet and don’t make it easy to get what you ask for, it may be time to find another company to work with. There should be good transparency between you and your vendors, given the nature of the information your vendor may be responsible for. You want to make sure they’re taking that responsibility seriously.
4) Dig into the Details
If your vendor hasn’t submitted to a third-party audit, or you’re not getting the AOC you asked for, you’ll need to start asking deeper questions. Look at the services the vendor provides. This will involve collecting information and conducting discussions and interviews with them.
Here are some guiding questions to ask:
- What exactly is the vendor doing for security/compliance?
- How are they doing it?
- What compliance standard did they go after? PCI has very specific requirements. ISO and SOC are fairly specific. HIPAA is very nonspecific in terms of guidance, so if an organization is HIPAA-compliant, that could mean virtually anything. You need to look closely at what they actually do as a HIPAA-compliant organization.
- Are they compliant with all of the standard’s requirements, or a subset of them? Which ones did they not implement, and what was their rationale?
Most importantly, if you don’t understand what you’re asking about, you’ll struggle to evaluate another organization’s security stance. If you’re going to take this step, make sure you have someone involved who knows what they’re doing.
Be careful that you don’t ask for items that you don’t have any right to review, such as detailed penetration testing reports or detailed results of risk assessments. (Likewise, none of your customers has the right to demand that kind of information from you.) However, there’s often a middle ground that you can agree to, such as written confirmation about the approach that your vendor takes towards penetration testing. Ask questions such as these:
- Once they get the results, what do they do?
- How do they handle the outputs?
- Who does the penetration testing, and what is their approach to testing?
- How often are these being performed?
- When was the last one performed?
- Who performed the risk assessment/penetration test last time?
Need Extra Help?
If you don’t have someone on your team who is well-versed and knows what they’re looking at, what do you do? You have two options. You could leverage a third party to assist with the assessment process, or you could only hire vendors that undergo a thorough, vetted third-party audit.
TCT can come alongside you in this process. We have relationships with many vendors, and we can provide recommendations for organizations that have their act together. Our consulting services can also help you navigate your vendor management process.
Make Vendor Management a Habit
If you don’t already have a policy for hiring new vendors, develop one now. Your vendor management process should be done annually, because you need to be sure that your vendors are continuing to maintain their compliance. This isn’t a one-and-done project.
Need help with vendor management? We can work with you to figure out where you are, what you need and how to get from Point A to Point Z. Start a conversation with us today!