Four Steps to Stronger Vendor Security
By Deena Coffman
When it comes to entrusting your company’s sensitive information to suppliers and contractors, out of sight shouldn’t be out of mind.
Consider these vendors, all of which have experienced a data breach in the past two years: Adobe, LexisNexis, Dun & Bradstreet, Kroll Background America a/k/a HireRight, J.P. Morgan, State Farm, Kaiser Permanente and Epsilon.
What if one of them was on your vendor list? You wouldn’t know critical data was compromised unless your contract required the vendor to notify you after a security breach.
A company’s future revenues and profitability are jeopardized when confidential business information is exposed, whether through the disclosure of proprietary information or through penalties for noncompliance with data breach and privacy regulations. For this reason, it’s important to make sure suppliers and contractors handle business information assets with the expected level of care. Third-party security reviews are a good—not to mention widely adopted—approach to protecting information assets when they are handled by suppliers and contractors.
However, a security review of every vendor isn’t necessary. So where to start?
- First, look for your company’s most important information assets.
- Next, determine which suppliers and contractors have access to those systems and/or data. To do this, build an information asset inventory, then map the data flow as sensitive information comes into your organization, is copied, processed or transferred, and is finally disposed of.
- Now that you know what you want to protect and where it is exposed, list all vendors with access to the exposure points. Remember to check systems, mobile devices, email, websites, databases, and access to facilities, such as those given to waste removal companies or maintenance services.
- Once you understand which vendors have access to your information and which information is the most sensitive, rank as your first priority the vendors that have the greatest access to the most sensitive level of information. Request that those suppliers or contractors have a review of their security program as it pertains to the information they handle for you. For example, suppliers with recurring, persistent access to sensitive data would warrant a more in-depth review than a contractor with limited access to a subset of information. A full review would involve the physical, technical and administrative controls the organization has for information security and privacy.
Suppliers can gain an advantage over the competition by establishing and demonstrating a strong security posture. They can perform assessments as part of their compliance programs to proactively show clients they’re mindful of security. And they can provide a report of the assessment, with confidential information removed, of course. Additionally, a strong security posture reduces the time and effort to move from proposal acceptance to contract; the process would take longer for vendors that still need to be vetted for security.
One word of caution, however, when using PCI compliance reports as security vetting tools. PCI pertains only to a set of standards that apply to payment card processing. It may or may not be relevant to the information and systems for which you need to have assurance.
Because even the most onerous security standards permit risk management rather than risk removal, contractual measures may be substituted. For example, where the cost of a security review would exceed the value of the contract, or where access or the amount of data is limited, it may be more advantageous to forgo a required security review and instead specify some or all of the following in the contract:
- Indemnification against third-party claims, especially IP infringement
- Limitations on liability
- Responsibility during a breach for notification, legal defense and remediation (first- and third-party)
- Insurance minimums
- Information security requirements (such as mandatory encryption)
- Assignment
- Service-level agreements that support incident response needs
- Incident response testing participation
- Insurance
  - Data breach
  - Cyber liability
Deena Coffman is CEO of IDT911 Consulting.