Topics Covered
Why conduct a vendor audit?
Organizing the internal processes
Identifying who needs to be involved
Get information about your vendors
Survey and assess the vendors
Monitor and remediate
Internal processes surrounding data
Business Processes
Employee processes (Payroll, 401k)
Customer Service
IT processes
Cloud computing
Backup/recovery
Help Desk
Make sure it covers
IT
Field offices
Employee Awareness
Purchasing
Get a 'right to audit' clause in the contract
Spell out the vendor's obligations
Proactive requirements (not just penalties for failure)
Prescribe the necessary precautions
IT
Information classification needs to be emphasized
Heightened awareness required, particularly involving data repositories
A strong change request process is very useful
Heightened awareness needed around encryption
Direct vendor access to your network heightens the risk, as it potentially exposes all of your data
Field Offices
What is their ability to contract independently?
How de-centralized is IT?
Employee Awareness
Employees need to be aware of data sensitivity
Reminder that email attachments (spreadsheets, cut/paste lists, etc.) are covered
Provide a point of contact for questions
Periodic reminders
Data classification
Sensitive data needs to be identified
Remember combinations of data that are sensitive together
Don't send unnecessary data, e.g. account numbers
Discussion Questions
1. Should you hold your vendors to the same information security specs as your own?
2. Do you hold your vendors to the same information security specs as your own?
3. What would it take to satisfy you of the vendor's security over your information?
4. What is your organization doing to satisfy itself with regard to vendor security?
Assessment Process (six-step diagram)
Pre-Survey Steps
Does the vendor know what is expected, in detail?
Survey Process
Survey Considerations
Once the high-risk vendors are completed, are you comfortable with the results? If not, keep going until you are
Evaluate risks against the questionnaire score
High-risk data/processes necessitate a high vendor score
Determine if additional information, including a site visit, is needed
On-site inspections?
High-risk vendors may require onsite inspection
High risk implies sensitive data and/or questionable safeguards
Set up a schedule based on the risk assessment: the higher the risk, the greater the frequency
Might be a good opportunity for employing consultants whose presence overlaps with your vendors
Vendor - Background Info
Vendor Oversight
Regulatory or other governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS 70, etc.)
Are your data/processes covered by those compliance processes? If so, can those regulatory bodies affect your organization?
Employee policies (confidentiality agreements, background checks, termination process within systems, etc.)
Vendor Process Inventory
Provide a specific list of servers, databases, and networks where data will reside or be processed
Provide information on each (location, operating systems, age, etc.)
Vendor - Security Questions
Describe security policies
Provide data classification grid
How does the vendor's classification match your data classification scheme?
Technical/logical system controls
Handling 3rd parties
Vendor Documentation
Any documentation from third-party reviews (PCI, SAS 70, BITS)
Organization chart (especially showing security responsibility and hierarchy)
Outline or listing of security policies and procedures in place (an index or table of contents, etc.)
Process documentation or results of any security risk assessment
Managing Deficiencies
Prioritize the deficiencies
Ensure that purchasing and the business unit are aware of vendor deficiencies and their potential impact
Work with the vendor and purchasing to develop a reasonable timeline to fix them
If necessary, begin enforcing contractual penalties
Call to Action
Assess the process for managing information flow to outside parties
Identify the risks for data residing outside your direct control
Evaluate external organizations' ability to secure your data
More Information
Shared Assessments
http://sharedassessments.org/
Agreed Upon Procedures (AUP)
Standardized Information Gathering (SIG) Questionnaire
Low/high risk questionnaire
Business Continuity questionnaire
Privacy Continuity questionnaire