Think about your vendors. Each one presents its own risk to you. Whether it is a risk to the confidentiality of your information or to the availability of your company's product or service, every vendor relationship carries a specific level of risk.
In the current technological environment, vendors are not only helpful, but they are required to run certain aspects of many businesses. Most organizations keep tabs on their vendors at the beginning of the relationship, having them sign a nondisclosure agreement or some type of contract. Those organizations might also check in on their vendors’ security postures once a year for compliance purposes.
Companies that do this are probably checking the boxes that keep the auditors happy. But if checking boxes is all they do, they are not actually managing the risk their vendors pose. So how do you, as a Board of Directors, appropriately oversee vendor risk? Here are three key questions you can consider asking management:
1. Do we understand who all our vendors are?
This seems simple, but the list of vendors is likely larger than you'd expect. It's worth the time to look at the contract management system and Accounts Payable to build a concrete list of vendors. Be aware that some vendors never pass through procurement at all: a cloud or software-as-a-service subscription paid on a corporate card, or a free tier a team signed up for, is still a vendor handling your data, so expense reports and single sign-on logs are worth checking as well.
An important note here is that risk does not stop at your vendor. If your organization is a covered entity or business associate under HIPAA, the Omnibus Rule of 2013 extends business associate obligations to subcontractors, so your vendor risk management program must extend to the entire chain of vendors. That means your vendors' vendors, and so on, all the way down the chain. Even outside HIPAA, a breach at a vendor's subcontractor affects your data just as much as a breach at the vendor itself.
2. Do we have a risk ranking for each of our vendors?
Not all vendors pose the same level of risk. Your waste management company probably doesn’t introduce the same level of risk to your security or availability as your cloud service provider. Management should be asking questions that help determine the level of risk for each vendor, like:
- What type of data does this vendor handle? Is it sensitive or regulated?
- How much data do they handle on a daily, weekly, or monthly basis?
- How many people, on our side and theirs, interact with the data?
- Does the vendor have access to our network, systems, or accounts, and at what level of privilege?
- Is this vendor critical to the delivery of our services to our own clients?
The larger the role a vendor plays in your business, the higher the level of risk they introduce. Remember not to look at risk solely from a security perspective. If a vendor doesn't handle much sensitive data but is critical to the service you provide to clients, that vendor may still warrant a high risk ranking.
3. What controls have we implemented for our vendors?
As mentioned earlier, most companies are good at "checking the boxes" and signing the appropriate paperwork at the beginning of the relationship. But a truly comprehensive vendor risk management program requires controls throughout the entire lifecycle of the relationship, from onboarding through offboarding.
Implement controls that address the risks identified in Step 2. For example, if you have a cloud service provider that stores a significant amount of data necessary for normal business processes, you could make sure you're performing backups regularly, that you can access those backups independently of that service provider if necessary, and that you periodically test restoring from them, since an untested backup is not a control. For vendors with access to your systems, that might mean limiting their access to what the contract actually requires and removing it when the relationship ends. You may not be able to eliminate certain risks entirely, but you should have controls in place to mitigate them to a reasonable extent, and you should verify that those controls still work rather than assuming they do.
Your vendors are integral to your business processes. It's important not only to start these relationships on the right foot, but to keep them healthy throughout the entire lifecycle of the relationship. Your oversight of this critical business process will help the company manage its risks.
Vendor risk management can be a daunting task. If you'd like further guidance on how to implement appropriate controls to manage the risks introduced by your vendors, contact LBMC Information Security to learn how we can help.
This blog is the sixth in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program.