Topics Covered
Why conduct a vendor audit?
Organizing the internal processes
Identifying who needs to be involved
Get information about your vendors
Survey and assess the vendors
Monitor and remediate
Business Processes
Employee processes (payroll, 401k)
Customer service
IT processes
Cloud computing
Backup/recovery
Help desk
A hack on your vendor may leave your organization as exposed as if you had been hacked.
Other 3rd Party Reviews?
You may be able to use the results of other 3rd party reviews to reduce the burden of 1st party inspection. However, your organization should still perform its own risk assessment!
Shared Assessments is a new organization that supports a standardized set of assessment criteria.
IT
Field offices
Employee Awareness
Purchasing
Get a 'right to audit' clause in the contract
Spell out obligations
Make them proactive (prescribe the necessary precautions, not just penalties for failure)
Make the obligations part of the solicitation and scoring
Include claw-back provisions in the contract for expenses incurred as a result of a breach
IT
Information classification needs to be emphasized
Heightened awareness is required, particularly involving data repositories
A strong change request process is very useful
Heightened awareness is needed around encryption
Direct access to your network heightens
Field Offices
What is their ability to contract independently?
How decentralized is IT?
Employee Awareness
Employees need to be aware of data sensitivity
Remind them that email attachments (spreadsheets, cut/paste lists, etc.) are covered
Provide a point of contact for questions
Send periodic reminders
Data classification
Sensitive data needs to be identified
Remember that combinations of individually harmless data can be sensitive
Don't send unnecessary data, e.g. account numbers
Discussion Questions
1. Should you hold your vendors to the same information security specs as your own?
2. Do you hold your vendors to the same information security specs as your own?
3. What would it take to satisfy you of the vendors' security over your information?
4. What is your organization doing to satisfy itself with regard to
Assessment Process
1. Rank the risk
2. Identify the vendors (all or some?)
3. Survey the vendors
4. Score the survey
5. Identify weaknesses
6. Decide on the remediation process
Pre-Survey Steps
Does the vendor know in detail what is expected?
Do you have a good contact at the vendor, if permitted?
What sort of tracking system do you need?
Who is responsible for devising, administering and scoring the survey?
Survey Process
Develop the survey
Devise a scoring system (keep it simple!)
Design the questions to be gradable
Have all vendors complete the same standard questionnaire
Review and score every questionnaire using the same criteria
Use skepticism when grading: an unsupported "yes" is not a pass
Evaluate against a predetermined passing score
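The six assessment steps and the survey process above can be made concrete in a small scorer. The example below is added here as an illustration and is not part of the original presentation or of any Shared Assessments material; the questions, weights, risk tiers, passing thresholds and the three vendors are constructed assumptions. It ranks inherent risk from data sensitivity and network access, grades every vendor against the same criteria, treats blanks and unsupported claims as failures (the skepticism the slide calls for), compares the result to a predetermined threshold for the vendor's tier, and lists the deficiencies to carry into remediation.

```python
from dataclasses import dataclass

# Constructed sample questionnaire. Weights and acceptable answers are assumed
# for illustration only; they are not a standard such as the Shared Assessments SIG.
@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int      # relative importance of the control (assumed)
    passing: tuple   # answers that earn the points; anything else earns 0


QUESTIONNAIRE = (
    Question("Q1", "Is our data encrypted at rest?", 3, ("yes",)),
    Question("Q2", "Is our data encrypted in transit?", 3, ("yes",)),
    Question("Q3", "Are background checks performed on staff with access?", 2, ("yes",)),
    Question("Q4", "Is system access removed on termination within one business day?", 2, ("yes",)),
    Question("Q5", "Independent review (PCI, SAS 70) in the last 12 months, report supplied?", 3,
             ("yes, report attached",)),
    Question("Q6", "Are all subcontractors handling our data disclosed?", 2, ("yes", "none")),
)
MAX_POINTS = sum(q.weight for q in QUESTIONNAIRE)  # 15 with the weights above

SENSITIVITY = {"low": 1, "medium": 2, "high": 3}

# Predetermined passing percentage per inherent-risk tier (assumed values).
THRESHOLD = {"low": 50, "medium": 70, "high": 85}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: str   # "low" | "medium" | "high"
    network_access: bool    # vendor has direct access to our network
    answers: dict           # qid -> free-text answer exactly as submitted


def rank_risk(vendor):
    """Step 1: inherent risk before reading any answer. Sensitivity of the data
    held, bumped one level if the vendor has direct access to our network."""
    level = SENSITIVITY[vendor.data_sensitivity] + (1 if vendor.network_access else 0)
    return "high" if level >= 3 else "medium" if level == 2 else "low"


def grade_answer(question, answer):
    """Skeptical grading: full weight only for an exact acceptable answer.
    Blank, 'partially', 'planned', or a bare 'yes' where evidence was asked for
    all score zero."""
    normalised = (answer or "").strip().lower()
    return question.weight if normalised in question.passing else 0


def score(vendor):
    """Steps 3-5: score one questionnaire, compare with the tier threshold,
    and collect the failed questions as deficiencies."""
    points, deficiencies = 0, []
    for q in QUESTIONNAIRE:
        earned = grade_answer(q, vendor.answers.get(q.qid))
        points += earned
        if earned == 0:
            deficiencies.append(q.qid)
    tier = rank_risk(vendor)
    pct = round(100 * points / MAX_POINTS)
    return {
        "vendor": vendor.name,
        "risk_tier": tier,
        "score_pct": pct,
        "passed": pct >= THRESHOLD[tier],
        "onsite_review": tier == "high",   # high risk may warrant on-site inspection
        "deficiencies": deficiencies,
    }


def assess(vendors):
    """Whole process: every vendor scored with the same criteria, returned
    highest inherent risk first and lowest score first within a tier, so
    remediation effort starts where the exposure is greatest."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((score(v) for v in vendors),
                  key=lambda r: (order[r["risk_tier"]], r["score_pct"]))


# Constructed sample vendors; not real organisations.
SAMPLE_VENDORS = (
    Vendor("PayrollCo", "high", False, {
        "Q1": "Yes", "Q2": "yes", "Q3": "yes", "Q4": "planned for Q3",
        "Q5": "yes, report attached", "Q6": "yes"}),
    Vendor("HelpDeskInc", "medium", True, {
        "Q1": "partially", "Q2": "yes", "Q3": "yes", "Q4": "yes",
        "Q5": "yes", "Q6": ""}),
    Vendor("Newsletter LLC", "low", False, {
        "Q1": "no", "Q2": "yes", "Q3": "yes", "Q4": "yes", "Q5": "no", "Q6": "none"}),
)

if __name__ == "__main__":
    for result in assess(SAMPLE_VENDORS):
        print(result)
```

Note how the help desk vendor, which holds only medium-sensitivity data, lands in the high tier because it has direct network access, and how its unsupported "yes" on the independent-review question earns nothing; the low-tier newsletter vendor passes with a lower raw score because the predetermined threshold for its tier is lower.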
Survey Considerations
Once the high-risk vendors are completed, are you comfortable with the results?
If not, keep going down the risk ranking until you are.
On-site inspections?
High-risk vendors may require on-site inspection
High risk implies sensitive data and/or questionable safeguards
Set up a schedule based on the risk assessment: the higher the risk, the greater the frequency
This may be a good opportunity to employ consultants whose presence already overlaps with your vendors
Vendor Oversight
Regulatory or other governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS 70, etc.)
Are your data and processes covered by those compliance processes?
If so, can those regulatory bodies affect your organization?
Employee policies (confidentiality agreements, background checks, termination process within systems, etc.)
Handling 3rd Parties
What processes are further subcontracted to a 3rd party?
NOTE: the same assessment process needs to be followed for the 3rd party
What are your rights with regard to 3rd party inspections, or your ability to have the primary vendor inspect them?
Vendor Documentation
Any documentation from third party reviews (PCI, SAS 70, BITS)
Organization chart (especially showing security responsibility and hierarchy)
Outline or listing of the security policies and procedures in place (an index or table of contents, etc.)
Process documentation or results of any security risk assessment processes
Managing Deficiencies
Prioritize the deficiencies
Ensure that purchasing and the business unit are aware of the vendor's deficiencies and their potential impact
Work with the vendor and purchasing to develop a reasonable timeline to fix them
If necessary, begin enforcing contractual penalties
Call to Action
Assess the process for managing information flow to outside parties
Identify the risks for data residing outside your direct control
Evaluate external organizations' ability to secure your data
More Information
Shared Assessments: http://sharedassessments.org/
Agreed Upon Procedures
Standard Information Gathering (SIG) questionnaire
Low/high risk questionnaire
Business Continuity questionnaire
Privacy Continuity questionnaire