Understanding how your third-party vendors handle personally identifiable information (PII) and other types of privacy data will forever alter the way your organization does business with them. With initiatives like the General Data Protection Regulation (GDPR) taking hold for organizations that do business in the European Union (EU), organizations worldwide can no longer depend on vendors who do not practice the highest levels of data security. The risk is too high to use third-party vendors who do not routinely maintain compliance with Payment Card Industry (PCI) standards, GDPR and the many other risk-mitigating compliance initiatives. Why?
A third-party vendor with which you share sensitive data, and which fails at compliance and suffers a data breach, implicates your organization as well and subjects you to the significant fines associated with exposing customer PII and PCI data. The EU is leading the charge for protecting personal information, but the United States and other countries are not far behind. A vendor risk management assessment is a good place to start when defining third-party compliance. How are your third-party vendors handling sensitive data sets? Will their lack of security controls put your organization at risk in a data breach? How might a vendor's security, or lack of it, affect your business continuity?
Vendor Risk Assessments Are Your New Best Friend
Ultimately, an organization's board of directors and senior management are accountable for managing all actions conducted through third-party vendors. However, as CSO or CIO, your long-term job security depends on minimizing all the risks to your organization's data troves. A vendor risk assessment can be a strategic starting point that develops into a vendor management program, codifying the consistent and predictable levels of compliance that your vendors need to follow. Start by identifying any risks associated with third-party vendors by comparing their security policies with how sensitive data is handled within your organization. Is it a match, or are there gaps? You can use vendor risk assessment questionnaires to determine whether your vendors are practicing the highest levels of data security, management, and stewardship. The level of granularity and function for this assessment will ultimately come down to the data security platform your organization uses, whether it is on-premises or in the cloud.
Where to Start with IT Vendor Risk Management
Your initial scoping of the vendor will help determine the level of risk assessment to be performed. From a high-level perspective, what services will the vendor provide, and will the services be ongoing or short-term? Define what business process or processes the vendor will support, as well as what types of data will be shared, processed, or stored by the vendor. Depending on the data type, there can be additional compliance obligations for your organization. It is also important to understand what existing systems, products, or services this vendor will integrate with, and most importantly to determine whether the vendor will provide any services directly to your customers. Obviously, the level of detail for your assessment is contingent on the initial scope that your compliance team defines for each vendor your organization may or may not use.
Developing Your Own Vendor Risk Management Assessment Questionnaire
There are generally eight main areas (though not limited to these) to inquire about in your third-party vendor risk assessment:
- Application security
- Access control
- Information retained by service provider
- Data protection
- Audit & compliance
- Third-party management & supply chain security
- Business continuity
- Legal and insurance
Risk assessment questions could cover:
- Where is the vendor ingesting the data?
- What sensitive data sets are being collected?
- Where is the sensitive data being stored?
- How is the data being processed?
- Does data sovereignty apply to any of the data sets?
- Who has access to the sensitive data sets?
- Is data at rest encrypted?
- Are logs actively monitored and potential issues investigated?
Compliance is the Foundation of Data Security and Risk Management
Your third-party vendors should be performing their own level of audit and compliance, starting with their own vendor risk assessment and control review. This assessment could be performed by internal staff or a third party, and it includes understanding whether they are complying with all international data protection regulations. If your vendor is accepting or processing payments, especially on your behalf, in any capacity, then PCI compliance should be the starting point. An ISO 27001 certification and a SOC 2 report are both good indications of an organization's commitment to having its controls audited by a third party. These reports can give specific insight into the current controls the organization has in place, and how it is following those controls.
Risk Assessment Must be Comprehensive and Ongoing
A comprehensive vendor risk assessment starts with an internal vendor management program. A vendor management program requires support and budget from management and the board to guarantee that your entire organization will "buy in." This ongoing management program acts as a gatekeeper to ensure you are not contracting with vendors who will put your organization at risk through inappropriate security practices. It should also require both your vendors and your organization to perform annual vendor reviews to identify any critical risks. These risks extend to any critical subcontractors who can put your third-party vendors, and thus you, at risk.
Why Organizations Push Back on Vendor Risk Assessments
Undoubtedly, you will encounter resistance and blowback from your internal business units; change always fosters friction. Assessing the risk that third-party data business partners expose your organization to will generate some pushback from your internal fiefdoms for two main reasons: business continuity and liability. Both of these affect your legal posture. Operational teams will worry whether the additional risk assessment requirements fit into current business processes or cause disruptions. Your legal team will question whether a failure to ensure that all the linked data processing partners and subcontractors take action to prevent exposing personal information makes your organization liable should a breach occur in any of those partners' businesses. Assuaging these fears is one of the reasons to maintain a strict vendor risk management regime.
One goal of vendor risk management should be to determine whether the vendors you share data with have an actual Business Continuity Plan (BCP). This will entail ensuring that the vendor:
- Maintains consistent data replication to another site in case of an outage at one site.
- Holds its source code with an escrow service in case of any catastrophic business failure events.
- Runs a platform that is scalable to meet your organization's growth without disruptive modifications or price increases.
- Consistently backs up its data and maintains the backups in secure off-premises vaults.
You can define business continuity and liability with clearly structured SLAs (Service Level Agreements). These will help clearly define the RPO (Recovery Point Objective) and RTO (Recovery Time Objective). In layman's terms: how long can your organization operate without access to the specific service or application? Organizations have to plan to recover business-critical information if their vendor goes out of business or upon contract termination.
Vendor risk assessment is here to stay, and the challenge (and headache) of the process is part of it. Like any compliance-based initiative, your greater good is found in risk avoidance and reduction. At the end of the day, you make the decision on which vendors your organization should use, so a more granular understanding of how they do what they do is required to minimize your liability. There are many options for vendor risk management available on the market today, but it's important that you start now, not after a vendor has a serious breach. Take the time to make sure your third-party vendors are securing, processing, and storing your data in a safe and compliant fashion.