It's your vendor's job to sell to you. When they fail to do so, they are failing at their job. Though you may have an established rapport with your vendor, their job provides for their own basic needs and those of their family. Each of those priorities is of greater importance than you.
Factors in Choosing a Vendor
Your vendor may take you to lunch or buy you drinks, but you are a means to an end. Though your vendor's professionalism, character and commitment to their field may often align with your well-being and that of your business, it cannot fairly be assumed that such alignment is perpetual or even altogether common.
What is common is that vulnerabilities in vendor technological infrastructure or breakdowns in established processes can put your business and its sensitive information at risk.
For example, vendor assurances of having achieved or otherwise adopted multiple industry certifications and standards may lead one to presume that customer information security concerns are few.
However, while a vendor's ability to attain such recognition reflects well on their own personnel and established controls, it does not necessarily extend to their customer environments or data. Rather, the credential is likely to depend on the scope of the review, in which customer environments may or may not have been included.
Though vendor credentials, experience and references may weigh heavily in your selection, marketing and sales materials should not. Rather, the value of the service provided should be duly considered against the risk it presents.
As such, when engaging a vendor who will be permitted remote access to your confidential application server and database contents, a prerequisite that they be granted a generic user account, shared among their system administrators, who must also be permitted access at will, presents a healthy amount of risk and, in quite a few compliance scenarios, a violation as well.
Vendor assurances that all of their other customers do the same without issue, offered alongside mention of their prized certifications, should do little but raise suspicion.
Similarly, when vendor service offerings tout the strength of their data security and contractual commitments include confidentiality statements concerning sensitive and proprietary information, a requirement that the vendor approve critical operating system patches prior to deployment should be viewed as conflicting.
Truthfully, vendors who readily agree to abide by customer information security policies when providing service or establishing connections to customer networks are the ones who should be favored. Further, vendors who prove transparent and readily available when engaged to support customer compliance or risk assessment efforts should also be well regarded.
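The attribution gap that a shared generic vendor account creates can at least be monitored for. The following is an added example, not code from the article: it pairs login and logout events for one account and flags periods where the same account is in use from two source addresses at once, which a single named administrator could not produce. The log line format and the account name vendor_svc are constructed assumptions.

```python
# Added example: flag concurrent use of one shared vendor account from
# distinct source addresses. Log lines are constructed; the format
# "<timestamp> <user> <src> <login|logout>" is an assumption.
from datetime import datetime
from itertools import combinations

SAMPLE_LOG = """\
2024-03-04T09:00:00 vendor_svc 203.0.113.10 login
2024-03-04T09:05:00 vendor_svc 198.51.100.7 login
2024-03-04T09:20:00 vendor_svc 203.0.113.10 logout
2024-03-04T09:30:00 vendor_svc 198.51.100.7 logout
2024-03-04T10:00:00 vendor_svc 203.0.113.10 login
2024-03-04T10:10:00 vendor_svc 203.0.113.10 logout
"""

def parse_sessions(log_text):
    """Pair login/logout events per (user, src) into (user, src, start, end)."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        ts, user, src, event = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, src)
        if event == "login":
            open_sessions[key] = when
        elif event == "logout" and key in open_sessions:
            sessions.append((user, src, open_sessions.pop(key), when))
    return sessions

def overlapping_shared_use(sessions):
    """Return sorted (user, src_a, src_b) tuples for sessions of the same
    account that overlap in time but originate from different sources."""
    hits = set()
    for a, b in combinations(sessions, 2):
        if a[0] != b[0] or a[1] == b[1]:
            continue  # different accounts, or same source: not a sharing signal
        if a[2] < b[3] and b[2] < a[3]:  # intervals intersect
            hits.add((a[0], *sorted((a[1], b[1]))))
    return sorted(hits)

if __name__ == "__main__":
    for user, s1, s2 in overlapping_shared_use(parse_sessions(SAMPLE_LOG)):
        print(f"account {user} in use concurrently from {s1} and {s2}")
```

With individually named vendor accounts this check becomes unnecessary, since every session already carries the identity of the person behind it.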
Nonetheless, sorting the good from the bad means that someone has to ask the tough questions. The art of third-party risk assessment may at times prove uncomfortable, but the results are clearly in your organization's best interest and that of your customers. Here are a few good items to consider as you get started:
- What due diligence do you perform before entering into new vendor relationships?
- Does your vendor adhere to your organizational information security policy? Have they acknowledged such electronically or in writing?
- Is there a written agreement established wherein your vendor commits to protecting your sensitive data and systems?
- Is your vendor provided access to organizational systems or data? What risks does such access pose?
- When was your last assessment of the risk that your vendor relationship poses to your business and its sensitive information?
Given answers to such questions, direction may more readily be established towards the development and implementation of a formal third-party risk assessment process. Depending on industry and regulatory compliance requirements as well as the sensitivity of the relationship, such efforts may begin with as little as a checklist and a phone call, yet programmatic growth towards on-site assessment and evidential review may also prove worthwhile.
In any event, maintaining a consolidated record of completed findings and periodic re-assessment efforts better enables a holistic understanding of the nature of organizational third-party relationships and the risk they pose.
About the Author
Peter Spier is Managing Director PCI and Risk Assurance at Fortrex Technologies based in Frederick, Maryland; President of the ISACA Western New York Chapter, and an adjunct instructor at the University of Maryland University College.