December 1, 2022

Vendor Management - A Key Component in Risk Management - WST

When it comes to your Information Security Program (ISP), you own it! However, not everything in your ISP is within your direct control. That is why good vendor management and due diligence are key components of your security and risk management posture.

What does good vendor management include? Start with open lines of communication with your critical vendors (for instance, your core banking provider) so you can validate what they are doing in response to increased risk. A vendor management program covers due diligence (e.g., financial assessment, the vendor's own internal risk management and mitigation, contractual requirements). It always starts with a risk assessment during vendor selection and continues with ongoing monitoring once the vendor is part of your IT environment. Vendor management can be challenging, but here are a few things that are fundamental to an effective program.

Have a formal process to define what information a vendor will be accessing and/or handling, and how you will vet and select that vendor. Obviously, the standard will differ between an email hosting company and a company that changes your lightbulbs.

Proper vendor management includes a risk assessment. Each vendor should receive a score based on the sensitivity of the data to which they will have access, the level of access required, the vendor's organizational stability, their security controls, and so on. Review and update these scores regularly.

Vendor relationships change. A company that did one thing for you in the past may now have expanded access or play a larger role in the day-to-day operations of your institution. Make sure your vendor management process has triggers that initiate a reassessment of the risk level whenever the relationship expands or changes.

Make sure your incident response plan covers a breach at a third party. How and when will you get information from the vendor, and how will you communicate with your customers? You do not want to "wing it" when your vendor has a breach. Have a plan and review it at least annually.

Provide an update of your vendor management program to your board of directors annually.

To learn more about the FFIEC guidance on oversight of third-party service providers, see: https://ithandbook.ffiec.gov/it-booklets/information-security/ii-information-security-program-management/iic-risk-mitigation/iic20-oversight-of-third-party-service-providers.aspx

Authored by: Renee Keffer, CBISO
