What comprises a good vendor management program and what documentation I should ask my vendors to supply?

Because of increasingly complex technologies and the need for specialized knowledge and personnel, organizations are outsourcing more and more critical technology services to vendors, partners, and other third parties.  This reliance on outside vendors reduces your direct control over the services you outsource.  To ensure that you receive the support you require, it is important that you have a comprehensive vendor management program.

Developing the Program
Before entering into an outsourcing agreement, it’s important to perform the necessary due diligence to ensure that the vendor will support your overall requirements and strategic plans. This evaluation must be completed prior to executing a contract.  A critical part of this due diligence is a vendor risk analysis.  The vendor risk analysis should take into account the following issues:

  • The type of information supplied to the provider
  • The value of the information
  • The security measures employed by the provider
  • The financial condition of the provider
  • The implications of this service to the security of your information and systems. 

Once the vendor risk analysis is complete, the next step is to determine the need for ongoing evaluation.  Will the initial due diligence suffice for the life of the contract or will periodic reviews be required?  A common method for determining the frequency of the review is to create risk classification levels or tiers. Some examples of common classification tiers include:

  1. Revenue: Classification based on the amount of revenue or fees paid to the vendor on an annual basis (greater than X% of revenue, more than $50,000 per year in fees, etc.).

  2. Criticality: Classification based on the criticality of the services that are being outsourced (key business function, high availability requirements, etc.).

  3. Confidentiality: Classification based on the sensitivity and value of the information being stored with the vendor (customer information, financials, etc.).

Performing Due Diligence and Requesting Documentation
Once you have determined the structure of the program, the next key step is to identify the type of information you should request from your vendors.  The following lists the top ten topics that should be considered at a minimum when reviewing your vendor.  The amount of information required should be based on the risk classification level of your vendor. Obviously a vendor that ranks high on your risk classification should have more controls in place than a low ranked vendor.

Key topics to consider when performing due diligence on a vendor:

  1. Request a SAS70 or other proof of independent third party audits.

    A SAS70 is an independent assessment of operational controls.  Since most vendors are unlikely to allow you to bring in your own auditors to assess their internal controls, the SAS70 will be the next best thing. A SAS70 or other independent third party audit report should be a minimum requirement for any vendor that is servicing a critical function.

  2. Review financial performance for stability and longevity of a company.

    One of the main concerns when outsourcing a critical function is whether the vendor will be around long enough to service your contract.  The best way to understand the stability and longevity of a company is to evaluate the health of its financial statements.  If a vendor is unwilling to share or review financials with you, then this should be an instant red flag.

  3. Review of the contract for key language and service level agreements.

    The following key components should be included in typical vendor contracts:
    • A nondisclosure or confidentiality agreement.
    • A clear reporting process and agreed reporting formats.
    • Measures to ensure proper notification in the event of any technology or security incidents that could affect company information or systems.
    • Measures to ensure the confidential treatment of company information.
    • Measures to ensure the availability of services in the event of a disaster/outage.
    • Measures to ensure the return or destruction of company information and assets at the end of the contract and/or termination of service.
    • The respective liabilities of the parties to the agreement.
    • The right to audit contractual responsibilities.

  4. Explore the vendor’s policy on confidentiality and handling of data.

    In addition to reviewing the contract for the presence of confidentiality and data handling clauses, it is also critical to request the vendor’s internal policies.  A review of these policies will help you determine whether adequate safeguards are in place to protect your information.

  5. Confirm that a Disaster Recovery/Business Continuity Plan exists and has been tested. 

    All too often vendors overlook the importance of a solid disaster recovery program.  As part of your due diligence efforts, you should not only inquire about the disaster recovery/business continuity plan process, but also identify how this process addresses your outsourced services.  You may find there are additional services you need to subscribe to for disaster recovery.  You may also want to review the results of business continuity tests performed in the past to ensure the availability of the services in the event of an outage.

  6. Inquire about the level of the vendor’s information security program.

    It is important to assess the depth of your vendor’s security program to identify how your outsourced services will be protected from malicious activity.  Does the vendor have a monitoring program? Are vulnerability tests regularly performed on the environment and the outsourced platform? Do they have an incident response program?  How are you notified of breaches to the data or systems that are outsourced?  Evaluating the security program will provide the assurance you may need that your data is secure.

  7. Review SLA terms and the reporting mechanisms to measure the SLA.

    Review the vendor’s SLA to identify whether you are comfortable with the service levels outlined.  Also, identify how you will be able to measure the SLA on an ongoing basis to determine if the vendor is meeting the contracted terms.  Does the vendor provide reports that allow you to see their performance levels?  Do they provide a feedback mechanism, such as satisfaction surveys, to voice positive and/or negative feedback?

  8. Ask the vendor to provide qualifications of their personnel.

    As important as it is to understand the company’s stability, it is also significant to understand the qualifications of the people that will be delivering your service.  Request that the vendor provide you with bios of key employees including relevant certifications and experience.

  9. Perform reference checks on similar clients using the service.

    Ask the vendor to provide a list of references from clients using the services you are planning to outsource, so you can measure satisfaction with those services.  You should ask for references from organizations with similar characteristics to your own.

  10. Inquire about the type and levels of insurance your vendor holds.

    If all else fails and a disaster occurs, it is vital to understand how your vendor is protected through insurance coverage.  Make sure the vendor has adequate coverage to protect the company and their employees when disaster strikes.

Following these steps will help you get a head start in constructing a solid vendor management program that limits the risk and ensures you get the services you need from third party vendors.

Tom Neclerio, CISSP
VP of Security and Compliance
Perimeter eSecurity