<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=26304&amp;fmt=gif">
Vendor Risk Management

What You Need To Know About Vendor Compliance

Melissa Stevens | December 12, 2017

Compliance, at its core, is a legal term. It’s the “act or process of doing what you have been asked or ordered to do.” But creating a successful vendor compliance program isn’t as simple as asking third parties to comply with your security requests.

The vendor compliance checklist below highlights three things you must do if you want to ensure your vendors meet (or exceed) your security expectations.

1. All vendor security requests and obligations must be contractual.

12 Cybersecurity Metrics

Simply telling your vendor that you care about cybersecurity—or asking them to describe the controls they have in place to protect your data—is useless. If you want a strong vendor compliance program, spell out all of your expectations in your legally-binding vendor contract.

This step cannot be skipped over. A data breach through a third party is bad enough—but discovering that your contractual agreement with the vendor who was breached didn’t clearly spell out security expectations is exponentially worse. The best time to define these contractual obligations is at the beginning of a vendor relationship, but you can—and should—revisit current vendor contracts to be sure they clarify your expectations.

Be specific when you create these legal documents. Telling your vendors they must implement “a reasonable amount of security measures” is meaningless. What is reasonable? Who defines it—you or your vendor? Specific and actionable language will protect you from legal scrutiny and liability.

2. Require your vendors to be aligned with frameworks and obtain certifications you feel strongly about.

You may choose for all your third parties to be compliant with ISO 27001, or align with the NIST risk management framework. If so, you’ll need to write this plainly in your contract. Keep in mind that requirements like these will likely impact your vendors’ budgets, as many will need to hire a consultant to help build a security program that satisfies the controls.

3. Require your vendors to notify you when they experience a security incident.

Cybersecurity best practices dictate that you create a procedure for your third parties to notify you in an event of an incident that affects their organization and/or your data. Usually it’s a written procedure developed by an outside organization outlining who the third party is to contact if a security breach does occur. The first party is responsible for ensuring the vendor has the right procedures in place, accurate contact information, and a timeline of when that communication will happen.

The steps above are helpful when creating your vendor compliance plan—but is that really what you’re after?

Requiring vendors to meet certain security standards is a good step to take, but having your vendors check off a box doesn’t mean they’re properly securing your data. And even if your vendors comply with your policies, security incidents can still occur on their network, to your data.

Your ultimate focus should be on vendor risk management (VRM). While compliance is a solid short-term goal, vendor risk management is an ongoing practice. When you manage your vendors, you can set goals and conditions, which is less about labeling them “compliant” and more about setting specific performance standards that reflect your organization’s risk appetite. In other words, what are you willing to accept as an organization, and what are you not? This is far more fluid than a set of compliance standards.

For example, if you have a non-compliant vendor who provides a critical service for your organization, you’ll need your VRM program to help them improve in important areas. For this reason, businesses with strong vendor compliance programs as well as strong vendor risk management programs have a much more advanced approach to handling vendor issues. To that end, we’ve listed below six things your company can begin doing in order to build up your VRM program.

6 Ways To Strengthen Your Vendor Risk Management Program

1. Focus on your most critical vendors.

You can’t simply lump all your third parties into one category and decide that they’re all of equal importance. It’s paramount to identify and focus on the vendors who have either direct access to your corporate network or access to your sensitive data. You’ll want to know in detail who those vendors are, what they have access to, how they’re connected to you, and how much sensitive data they handle. Then you can add specific contractual language to those agreements that will help enforce your compliance standards.

2. Set thresholds and standards for lower-tier vendors.

Your main focus should be on critical vendors, but if your organization has a mature vendor compliance program you’ll probably also be paying some time and attention to vendors who may not pose an immediate risk.

For instance, your office supplies delivery service or hired cleaning crew may not have direct access to your company’s data, but you’ll want to know if they have experienced any significant security issues. And while they may not have access to your network or share sensitive data, you likely provide them with payment information—so if they are breached and have your business credit card on file, that data could be compromised. In summary, if you’re not focusing on lower-tier vendors, there is some possibility for hidden risk in your supply chain.

For these lower-tier vendors, it’s important to have a monitoring and alert system in place, like Security Ratings, so you can find out automatically of any security change that may impact your organization.

3. Assess your vendors’ security measures.

Managing your vendor’s risk typically begins with a questionnaire that asks about their high-level security practices. It’s good to have this documentation, but the information is subjective. Your vendors might be telling you what they believe to be true, but what if they’re mistaken?

Penetration tests and vulnerability scans help you understand whether your vendor is being diligent in their security efforts—but these methods only evaluate a moment in time. They won’t provide an accurate depiction of what goes on in your vendor’s organization day-by-day, which is where continuous monitoring (step 4) comes in.

4. Monitor your vendors to ensure they’re both compliant and continuously performing at an acceptable standard.

You can go through all of the motions of ensuring your organization’s data and network are secure—but how do you truly ensure that your third parties are following through on their security obligations? Continuous monitoring solutions are the best way to ensure a third party’s security posture mirrors how they’ve described it. Additionally, it allows you to easily view new risks or vulnerabilities that could pose a threat to their network.

5. Examine your aggregate risk levels.

A lot of vendor compliance is focused on individual vendor compliance, but it also helps to look across all your vendors and examine aggregate risk. If you can see how all your vendors are doing in specific areas, you’ll get a better idea of the kinds of standards you should set for your partner businesses.

For example, you could require all your critical vendors to use DKIM and SPF to bolster their email security. If you then look at all the vendors who implement these practices and compare them to those who do not, you’ll be able to determine whether that standard or policy is realistic or attainable moving forward.

6. Coordinate your teams internally.

Any solid risk or compliance program brings together multiple teams from several departments, including procurement, IT and security, finance, and legal. This coordination helps get every pertinent department in sync with your vendor compliance program; if you have one particular vendor falling short in an area, other departments should be aware so they can be on the lookout for red flags.

The biggest challenge here is helping other business units understand traditional detailed IT compliance reports. Be sure your metrics and reports are simple, clear, and easy to digest visually. If you’re able to take a complex topic and put it in terms that all participants can comprehend, it will help get everyone on the same page.

Want to better understand your vendors’ cybersecurity posture?

This guide is a great place to start. After reading it, you’ll better understand the three ways you (or your vendors) could experience a security incident, and 12 actionable cybersecurity metrics you can put in place today. Download it below!

Download Guide: 12

Suggested Posts

What Are Security Ratings?

Security ratings are valuable, objective indicators of an organization’s security performance, especially when you’re looking to mitigate third-party risk, assess the cybersecurity posture of a potential acquisition, or benchmark...

READ MORE »

Getting Started With Vendor Risk Management Assessments for IT

Mitigating risk is an essential business function that should cover obvious domains — like financial risk — but also include reputational, strategic, and operational risks.

READ MORE »

How Long Does It Take To Assess Third Party Cybersecurity Posture?

With outsourcing continuing to rise, third party cyber risk management has become a pressing issue for organizations worldwide. Yet, many firms across the globe are approaching this challenge differently.

READ MORE »

Subscribe to get security news and updates in your inbox.