Last week I started a series on steps to comply with both the E.U.’s General Data Protection Regulation or GDPR and California’s new privacy law, the California Consumer Protection Act or CCPA. To find Step 1, go to this post: https://mtanenbaum.us/complying-with-gdpr-and-californias-new-privacy-law-ccpa-step-1/ .
This week, on to Step 2 – CREATE A VENDOR CYBER RISK MANAGEMENT PROGRAM .
Some companies have a vendor risk management program. For the most part, these programs focus on compliance – is the vendor appropriately licensed? Do they have liability insurance? Possibly, depending on your industry, are they on any of the Treasury Department’s terrorist watch lists?
None of this deals with cyber risk. That requires a completely different set of questions and a completely new process.
The process starts with the VDI list created in step 1.
Using that list, you can then rank each vendor as to the cyber risk that vendor represents to the company. The ranking can be simple – red, yellow, green or high, medium and low.
Now that you have the vendors sorted, you need to review the vendors based on that risk ranking. Start with the high risk vendors. For most companies, that alone will be a significant task. Create questionnaires; send them out; review the results. Some vendors will have certifications like our Business Cybersecurity Certification or the SSAE 18. Those need to be reviewed. For SSAE 16 and 18 certifications, you need to look for what areas of the business they excluded, although it may be a shorter list to see what areas they included. You will likely need to follow up with vendors to get your answers back.
For some high risk vendors you may want to conduct a site visit, especially if they are critical to your business.
Once you have done that, you need to work with the vendors to remediate any deficiencies. You need to set up a system to track each vendor’s progress or, possibly, lack of progress.
Once that is done with the high risk vendors, you can move on to other vendors, but plan on this first step taking a while. Probably a long while.