What to Look for in a Quality Vendor

by Sarah Harvey / August 2nd, 2018

Vendor Compliance

Most organizations utilize third-party vendors to assist them in fulfilling their business needs because they just can’t do it all themselves. These vendors play a critical role in allowing organizations to sustain their business, but they can also be a liability for a company. Why? Because if a third-party vendor isn’t properly vetted, they can pose a major risk to an organization.

Let’s say that your organization is a medical research lab. You’ve entered into a contract with a cloud service provider (CSP) to store the sensitive data that you’ve collected. The CSP was one of the first that you found during your research, and you did not properly vet their security posture. After a few months of using the service, it’s discovered that someone with unauthorized access had been accessing your sensitive data for weeks. You realize that the CSP did not use a proper change and log management process that requires approval and logging for all changes to client data, and now years of ground-breaking research have been stolen.

If you’re a healthcare company, consider the sensitivity of the data that you handle and how your vendors could impact the security of that data. Let’s say you use a printing and mailing vendor who unintentionally revealed the HIV status of hundreds of recipients through a large windowed envelope. You receive complaint after complaint from recipients whose lives have now been changed by your vendor’s mistake.

Does your organization’s website have a customer service chatbot feature? Consider the consequences of a breach of this nature. If a hacker were to infiltrate your chatbot feature, they could obtain whatever information a user enters – name, phone number, email, location. How would you explain this security incident to your users?

Could these scenarios have been avoided? Absolutely. Let’s discuss what to look for in a quality vendor, no matter what industry you’re in.

What Makes a Quality Vendor?

When KirkpatrickPrice Information Security Specialists conduct an audit of a third-party or vendor, they are assessing and reporting on various controls that a quality vendor should have in place. Ensuring that your vendor has these controls implemented is crucial for strengthening your own security posture and protecting your consumers’ information. The following can act as a guideline of such controls as you work to determine if you’re working with a quality third-party vendor.

Physical Controls:

  • Does the vendor have a formal Physical Security Policy?
  • Does the vendor have requirements in place for visitors who enter sensitive facilities? Are visitors required to sign in? Do they need an ID? Are they being escorted? Is their information being logged?
  • Does the vendor use security measures (security guards, electronic/biometric access devices, etc.) to protect the facilities where sensitive data is stored, processed, or used?
  • Does the vendor have a monitored security alarm and a smoke/fire alarm system in place?
  • Does the vendor use CCTV to monitor access to sensitive areas?
  • Does the vendor own or lease the facility where they are storing or processing sensitive data?

Organizational Controls:

  • Does the vendor have a risk assessment program?
  • Does the vendor have information security policies and procedures in place?
  • Does the vendor have incident response and business continuity plans?
  • Does the vendor retain regular audit reports from their service providers?
  • Does the vendor’s management monitor quality control, error-audit logs, and incident reporting?

Data Controls:

  • Does the vendor have an asset management program?
  • Does the vendor run backups regularly?
  • Does the vendor store backups separately from the system?
  • Does the vendor encrypt confidential data?
  • Does the vendor have a formal Access Control Policy?

Personnel Controls:

  • Does the vendor require newly hired employees to sign a Code of Ethics?
  • Does the vendor perform background screening of applicants?
  • Does the vendor offer information security awareness training to its employees?
  • Does the vendor have a formal Asset Return Policy?
  • Does the vendor conduct regular performance reviews?
  • Does the vendor maintain formal hiring and termination policies and procedures for both employees and contractors?

Network Controls:

  • Does the vendor have a formal change control/change management process?
  • Does the vendor have logging systems in place?
  • Does the vendor have network and server devices that are built according to a standard configuration process?
  • Does the vendor use encryption for all confidential data?
  • Does the vendor have a formal Wireless Network and Remote Access Policy?

As businesses increasingly look to outsource various components of their organization, ensuring that their strong security posture remains intact is crucial. By properly vetting a third-party vendor, an organization is much more likely to mitigate risk and prevent costly breaches from occurring.

Not sure if your third-party vendors are meeting these expectations? Let us help! Contact us today to learn more about our Third-Party Onsite Assessment and how KirkpatrickPrice can help you determine if you’re working with a quality vendor.