It is no secret that vendor management is one of the top security challenges we face today. But what compounds the challenge is not knowing the relationships beyond our direct vendors. What are the vendors of my vendor doing?
I don’t know what I don’t know
The scenario: A recent project was initiated by the business group that would greatly improve our customers’ experience with us as well as streamline internal processes. Great! But, and I know this is common in any organization, the managers assigned to the project are not trained in project management and most certainly are not focused on security issues.
We have vendor management report into the risk department, so we are fortunate to have security “eyes” on it. But, in this case, the vendor did not disclose that additional relationships would be required. It turns out that the additional vendors would be involved in processing funds and documents containing sensitive data. Isn’t that interesting? Now the vendor’s vendor, the one processing funds, has a vendor for backups and is backing up the sensitive data. So, my data is three vendors away and the PMs are shrugging their shoulders.
We were fortunate because we did have time to do our due diligence on those additional third parties, but we might not be so lucky the next time and could find ourselves in damage control.
Here are three actions that will help with the vendor management security struggle:
- Stay close to home. What I mean is focus on your direct vendor and hold them accountable for the other, now required, vendors. They most likely will resist and say, “You need to do your own due diligence.” I would suggest you respond that part of your due diligence is understanding how they selected that company to partner with and what vetting and security reviews were performed. If they didn’t review the vendor’s security controls, how confident are you in their controls?
- Tie due diligence to the money. Require that due diligence be complete before issuing the P.O. If you don’t have ownership over vendor management, this might be a challenge. But write into your vendor management policy the requirement that all due diligence be completed prior to finance issuing the P.O. Project managers will be more motivated to dot the i’s and cross the t’s if they know that the project could otherwise be delayed.
- Follow the guidance. Whether or not you’re in a regulated industry, modeling your vendor management program off guidance from large agencies with a breadth of experience will make for a stronger structure. At the core of this guidance is governance. And make sure that whatever risk you assign to your vendors, you communicate it to management and the board.
Brian Nesgoda, CISSP, SVP Risk Management/CIO
[ISACA Now Blog]