Thoughts About Managing Vendors/Third Parties Who Can Impact Your Security

The IAPP published a 10-part series on vendor management.  A vendor was the cause of both the Target and Home Depot breaches, and, as I wrote yesterday, a vendor cost USIS at least $2.5 billion in lost business.  How good is your vendor management program?  Here are a few tips from the series:

  • You may be legally required to manage third party risk.  For example, in health care, the HIPAA laws require formal risk assessment of third parties that have access to your data and those same laws make you responsible for their breaches.  Similar laws require financial institutions and drug companies to manage their third parties.  Third parties include both vendors and contractors.
  • Sometimes vendors subcontract to other vendors.  You are likely still responsible, even if you don’t know that is happening.
  • In order to manage your vendors, you have to know who they are.  Even the one that someone in sales or engineering is paying for on a personal credit card and submitting an expense reimbursement request for.
  • Your employees are your first line of defense – make sure you train them and use them wisely.  They see stuff you will never see.
  • You should conduct a risk assessment and document that risk for every vendor.  Even the company that sells you coffee.  If you look at it and decide there is zero risk, which is unlikely (do you escort the coffee delivery person, vending machine stocker and air conditioning maintenance vendor 100% of the time?), you should be able to show, if you need to, that you assessed the risk and were willing to accept what risk there was.  The risk assessment process should be structured, consistent and well documented.  That will help in lawsuits if necessary.
  • If you use contractors, they are no different than other vendors, other than they usually have more access to your facilities and systems.  Edward Snowden was a contractor to the NSA and that didn’t work out too well for them.
  • Cloud – OMG!  As you move more information to the cloud, the cloud becomes the weak point.  That unnamed cloud vendor may have been the reason USIS lost $2.5 billion in immediate business, not to mention the long term losses that are likely many times that number.  Treat cloud vendors as high value targets – the hackers do.
  • Offshore vendors are no different than any other vendor, other than that they are hard to manage and even harder to sue.  If they have your data or access to your systems, they are a risk.  Likely, offshore vendors have higher turnover internally and are less concerned about complying with US laws, no matter what their sales team tells you.
  • Contracts.  While you cannot get blood out of a turnip, having a good contract is important if things go sideways.  Most vendor written contracts will try to move all of the liability back to you.  That is, quite clearly, not in your best interest.  Try to move it back to them and you may have to say that a particular vendor is not acceptable if you cannot come to terms on security and privacy issues.
  • Ending the relationship.  Just like personal divorces, vendor separations can be clean or messy.  Assume that you will get divorced from that vendor.  Just assume it.  Plan for it now.  How do you get your data, your process, the knowledge?  What are the vendor’s responsibilities after the contract is over?  Who owns the intellectual property?  And, a hundred other questions.
  • As someone once said, trust, but verify.  While this may be important in nuclear non-proliferation, it is also important to your company.  You need to make sure that the vendors that you are using are doing what they say they will do in the contracts.  And, this is not a one-time event.  At an absolute minimum, you need to review every vendor annually.  Critical vendors, more frequently.
  • Does your incident response plan include incidents at vendors?  Even those that are halfway around the globe?  When did you last test that plan with the vendor in South America or South Asia?  You do have an incident response plan, don’t you?

If this is making your head spin, consider that this is a very brief summary of your vendor management program.  You need to allocate staff and money to do this.  The amount of each depends on your size and the complexity of your vendor relationships, but it is never zero.

Outside assistance may be useful to get the program started, even if you manage it internally afterwards.

It is easy to defer this to tomorrow – too hard to do, too expensive, don’t have the resources, etc.  But as the breaches at Target, Home Depot, USIS and countless others tell us, that may not be a good plan.
