What to Look for in a Quality Vendor

Vendor Compliance

Most organizations utilize third-party vendors to assist them in fulfilling their business needs because they just can’t do it all themselves. These vendors play a critical role in allowing organizations to sustain their business, but they can also be a liability for a company. Why? Because if a third-party vendor isn’t properly vetted, they can pose a major risk to an organization.

Let’s say that your organization is a medical research lab. You’ve entered into a contract with a cloud service provider (CSP) to store the sensitive data that you’ve collected. The CSP was one of the first that you found during your research, and you did not properly vet their security posture. After a few months of using the service, it’s discovered that someone with unauthorized access had been accessing your sensitive data for weeks. You realize that the CSP did not use a proper log management process that requires approval and logging for all changes to client data, and now years of ground-breaking research have been stolen.

If you’re a healthcare company, consider the sensitivity of the data that you handle and how your vendors could impact the security of that data. Let’s say you use a printing and mailing vendor who unintentionally revealed the HIV status of hundreds of recipients through a large windowed envelope. You receive complaint after complaint from recipients whose lives have now been changed by your vendor’s mistake.

Does your organization’s website have a customer service chatbot feature? Consider the consequences of a breach of this nature. If a hacker were to infiltrate your chatbot feature, they could obtain whatever information a user enters – name, phone number, email, location. How would you explain this security incident to your users?

Could these scenarios have been avoided? Absolutely. Let’s discuss what to look for in a quality vendor, no matter what industry you’re in.

What Makes a Quality Vendor?

When KirkpatrickPrice Information Security Specialists conduct an audit of a third-party or vendor, they are assessing and reporting on various controls that a quality vendor should have in place. Ensuring that your vendor has these controls implemented is crucial for strengthening your own security posture and protecting your consumers’ information. The following can act as a guideline of such controls as you work to determine if you’re working with a quality third-party vendor.

Physical Controls:

  • Does the vendor have a formal Physical Security Policy?
  • Does the vendor have requirements in place for visitors who enter sensitive facilities? Are visitors required to sign in? Do they need an ID? Are they being escorted? Is their information being logged?
  • Does the vendor use security measures (security guards, electronic/biometric access devices, etc.) to protect the facilities where sensitive data is stored, processed, or used?
  • Does the vendor have a monitored security alarm and a smoke/fire alarm system in place?
  • Does the vendor use a CCTV to monitor access to sensitive areas?
  • Does the vendor own or lease the facility where they are storing or processing sensitive data?

Organizational Controls:

  • Does the vendor have a risk assessment program?
  • Does the vendor have information security policies and procedures in place?
  • Does the vendor have incident response and business continuity plans?
  • Does the vendor retain regular audit reports from their service providers?
  • Does the vendor’s management monitor quality control, error-audit logs, and incident reporting?

Data Controls:

  • Does the vendor have an asset management program?
  • Does the vendor run backups regularly?
  • Does the vendor store backups separately from the system?
  • Does the vendor encrypt confidential data?
  • Does the vendor have a formal Access Control Policy?

Personnel Controls:

  • Does the vendor require newly hired employees to sign a Code of Ethics?
  • Does the vendor perform background screening of applicants?
  • Does the vendor offer information security awareness training to its employees?
  • Does the vendor have a formal Asset Return Policy?
  • Does the vendor conduct regular performance reviews?
  • Does the vendor maintain formal hiring and termination policies and procedures for both employees and contractors?

Network Controls:

  • Does the vendor have a formal change control/change management process?
  • Does the vendor have logging systems in place?
  • Does the vendor have network and server devices that are built according to a standard configuration process?
  • Does the vendor use encryption for all confidential data?
  • Does the vendor have a formal Wireless Network and Remote Access Policy?

As businesses increasingly look to outsource various components of their organization, ensuring that their strong security posture remains intact is crucial. By properly vetting a third-party vendor, an organization is much more likely to mitigate risk and prevent costly breaches from occurring.

Not sure if your third-party vendors are meeting these expectations? Let us help! Contact us today to learn more about our Third-Party Onsite Assessment and how KirkpatrickPrice can help you determine if you’re working with a quality vendor.

What to Ask Your Vendors About GDPR Compliance

Are Your Vendors Data Processors?

Vendor compliance management is a key starting point towards GDPR compliance. When your organization is deciding whether to use a vendor as part of your GDPR compliance efforts, you must follow GDPR vendor (processor) compliance management best practices.

As a controller, you determine the purpose and means for processing personal data. You have authority and decision-making over personal data and take on the responsibilities of a controller as outlined in the law. Any of your vendors that process personal data of EU data subjects will be defined as “processors,” or the natural or legal person who processes personal data on your behalf. Processing is essentially anything done to personal data, including storing, archiving, transmitting, compiling, erasing or reviewing. Determining which of your vendors process personal data under GDPR requires identifying which data elements from which data subjects are processed by each vendor – this is part of the process called “data mapping.”

Once you’ve determined which of your vendors must comply with GDPR, you must understand which GDPR requirements apply to processors. Articles 2-3, 5-23, 27-33, 37-39, and 44-49 all describe GDPR requirements specific to processors and must be followed in order to attain GDPR compliance. One way to contextualize processor requirements is by understanding the required contract elements for controller-processor relationships.

Contractual Agreements That Are GDPR Compliant

Contractual agreements are a major aspect of vendor compliance management. Article 28 describes processor requirements, including the requirement to establish a contractual relationship between controllers and processors, and provides details on what components must be included in contractual agreements. The European Commission or Member State supervisory authorities may adopt standard contractual clauses for certain matters, but contractual agreements between controllers and their processor vendors must be in writing and stipulate the following:

  • The subject-matter, duration, nature, and purpose of the processing activities
  • The type of personal data included in processing activities
  • The categories of data subjects included in processing activities
  • The obligations and rights of the controller
  • The processor will only process personal data based on documented instructions from the controller
  • The processor ensures that persons authorized to process personal data have committed themselves to confidentiality
  • The processor takes all measures required for the security of processing (Article 32)
  • The processor respects the conditions for engaging another processor – specifically, prior notice to controllers and the opportunity for controllers to object
  • Taking into account the nature of the processing, the processor must assist the controller by implementing appropriate technical and organizational measures, as a part of the controller’s obligation to data subjects’ rights
  • The processor assists the controller in ensuring compliance with the obligations of Articles 32-36, which includes security of processing, data breach notification to supervisory authorities and data subjects, and data protection impact assessments
  • At the choice of the controller, the processor must delete or return all personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires storage of the personal data
  • The processor makes all necessary compliance information available to the controller
  • The processor will allow for and contribute to audits conducted by the controller

If you’re reading this and thinking, “I’m a processor. What should I do to show I’m a GDPR compliant vendor?” then you should go through the list of items required in each contract between controllers and processors to identify whether you can comply with each of the requirements. By using the contractual requirements as a guideline for GDPR compliance, not only will you reduce your risk of regulatory fines, you will also gain a competitive advantage by proactively pursuing GDPR compliance. By demonstrating that you meet the needs of GDPR compliant contractual agreements, you can provide controllers with the assurance they need.

If you are a controller, there are at least two questions to ask and answer for processor oversight: 1) Have you updated your contracts to ensure that each agreement contains all of the GDPR required elements? 2) Are you following vendor compliance management best practices to ensure that processors are fulfilling their contractual and regulatory obligations?

For more information on GDPR compliance and vendor compliance management, contact us today.

Rebuilding Trust After a Data Breach

American Perspective on Data Breaches

According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. Moreover, 64% of American adults have experienced data theft via credit card, account number, email account, social media account, Social Security number, loan, or tax return compromises. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. Why am I being shown this ad? How much does Facebook know about me? Has my data been sold? Is Google tracking me?

At KirkpatrickPrice, we talk a lot about how to prevent a data breach and put a heavy focus on the “before,” rather than the “after.” But, what happens after a data breach has occurred? How can your business recover? Let’s take a look at three advertising campaigns that aim to rebuild trust after a breach.

Facebook Data Scandal

With GDPR enforcement on the rise and data privacy at the top of digital consumers’ minds, the Facebook-Cambridge Analytica data breach has become one of the largest of all time. Out of the 2.2 billion Facebook users, 78 million were impacted by this breach. The data was used to build a software program that predicts, profiles, and influences voter choices. Now that Facebook’s data privacy practices are in the spotlight, more and more questionable practices are coming to light.

The scandal is still unfolding, as Mark Zuckerberg is questioned by Congress and the GDPR enforcement date has officially passed. In an effort to win back user trust, Facebook launched a major advertising campaign, “Here Together,” which promises to protect users from spam, clickbait, fake news, and data misuse.

How has the Facebook scandal impacted your use of the platform?

Uber Cover-Up

When Uber announced its breach in 2017, it hit close to home for the millions of drivers and riders who use the app every day. Uber reported that not only did hackers steal 57 million credentials (phone numbers, email addresses, names, and driver’s license numbers) from a third-party cloud-based service, but Uber also kept the data breach secret for more than a year after paying a $100,000 ransom.

The New York Times points out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.” Uber recognizes that driver and rider trust is the core of their business, and when they announced this cover-up and breach, they knew they’d be facing major backlash.

In response to the breach, Uber began their “Moving Forward” campaign in an effort to rebuild trust. What do you think of this commercial – have they regained your trust? Would you still use the app?

Wells Fargo Incentives

The 2016 Wells Fargo breach was incredibly eye-opening to many consumers because it wasn’t a malicious hacker taking data; it was Wells Fargo. The bank was fined $185 million because of the 5,300 bank employees who created over 1.5 million unauthorized bank and credit card accounts on behalf of unsuspecting customers. Their reason for doing this was incentives; bank employees were rewarded for opening new bank and credit card accounts.

What is Wells Fargo doing now? In an effort to rebuild trust, Wells Fargo completely restructured its incentive plans by ending sales goals for branch bankers. Do you think that firing the 5,300 guilty bank employees and restructuring their incentive program is enough?

We believe that client trust is one of the most valuable benefits of compliance. Undergoing information security audits can help your organization maintain customers and attract new ones, distinguish your business from the rest, avoid fines for non-compliance, and answer to any sort of regulatory body.

How do you perceive this trend of public rebranding – is it convincing? Do you believe that companies like Facebook, Uber, and Wells Fargo have changed enough to rebuild trust?

When Will You See the Benefit of an Audit?

Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period?

Get the full report now.

Common Gaps in Vendor Compliance Management

Effective Vendor Risk Management

An effective risk management strategy includes a strategic process for assessing and monitoring vendor compliance. Some vendors go to great lengths to secure their services and processes, but others may leave you with consequences to pay. Vendors need to prove what they are doing to reduce risk to you and your customers. You’re putting a great deal of control into vendors’ hands, so managing vendor risk must be an integral part of any business.

What happens if your operations depend on the availability of your vendor’s services, but their service has an outage? If your vendor goes out of business, how does your organization continue to operate? If your organization shares cardholder data with a vendor and that vendor has a breach, what are the consequences to your organization? These are the types of scenarios your organization must consider when selecting vendors and effectively managing vendor risk.

Managing Vendor Risk

When engaging with a vendor, there are many steps to take: conducting a risk assessment, scoping, setting expectations, establishing communication methods, and verifying compliance requirements. Because there’s so much to do, we see many common gaps in organizations who are managing vendor risk, including a lack of due diligence, limited involvement from senior management, a lack of contract development and review, issues with the risk ranking system, and ineffective monitoring procedures.

  1. Lack of Due Diligence: What is your process for vendor selection? If you choose a vendor without assessing what types of vendor risk they present and whether the relationship will help achieve your objectives, you can damage your business. Do they have a Disaster Recovery Plan? Are policies and procedures updated and implemented? What types of security and compliance resources do they have? What is their reputation related to security? What types of vendor risk are critical to your organization? Have you performed a risk assessment? It’s critical to exercise due diligence when selecting vendors and even during the course of the relationship, especially when considering a renewal of a contract.
  2. Limited Management Involvement: A mistake that many organizations make is not including senior management in vendor compliance management. The FDIC’s Guidance for Managing Third-Party Risk explains that an organization’s senior management is responsible for managing the activities conducted through vendor relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within their own organization. Senior management’s involvement is critical to effective vendor risk management.
  3. Lack of Contract Review: Specific expectations and obligations of your organization and your vendors must be outlined in a written contract prior to entering into the relationship. This contract should include the scope of the relationship, cost, performance standards, reporting guidelines, security standards, dispute resolution, and termination rights. Thorough contract development and review could prevent legal consequences for your organization, making it a major element of effective vendor risk management.
  4. No Risk Ranking System: Vendors should be ranked based on their access to confidential or sensitive information, criticality of the product/service they provide, and complexity of the product/service they provide. Types of vendor risk are also reputational, strategic, financial, operational, regulatory, privacy, environmental, and legal risks. If you’re not risk ranking your vendors, how do you know which bring critical risks to your environment?
  5. Monitoring Issues: A key component of effective vendor risk management is oversight and monitoring. The extent of oversight will depend on the types of vendor risk they present and the scope of the relationship, but your organization must have qualified staff allocated to monitoring vendor relationships. Monitoring your vendors’ performance, audit reports, compliance requirements, training effectiveness, quality of services, and risk management practices will assist your organization in evaluating the effectiveness of the relationship.

Vendor Management Across Disciplines

For many industries, validation of a vendor’s security practices is not optional. Consider the following guidance:

  • The OCC Bulletin 2013-29 provides guidance to banks for assessing and managing vendor risk and third-party relationships, defining a third-party relationship as any business arrangement between a bank and another entity, by contract or otherwise.
  • 23 NYCRR Section 500.11 describes the need for financial services companies to have security policies related to managing vendor risk, which should include identification and risk assessment of vendors, minimum cybersecurity practices to be met by vendors in order to do business with the covered entity, due diligence processes used to evaluate the adequacy of cybersecurity practices of vendors, and periodic assessment of vendors based on the types of vendor risk they present and the continued adequacy of their cybersecurity practices.
  • Under HIPAA, covered entities are generally required to enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information (PHI). Business associates must contractually agree to not use or disclose PHI other than as permitted or required by law, use appropriate safeguards, report breaches of unsecured PHI and any other security incidents to the covered entity, among other requirements.
  • The PCI SSC says that when entities use vendors to store, process, or transmit cardholder data on their behalf, those vendors then impact the security of the cardholder data environment and the entity’s PCI compliance. That’s why contractual agreements and policies should be established between the entity and its vendors for all applicable security requirements. An effective vendor risk management program helps an entity ensure that the cardholder data entrusted to vendors is maintained in a secure and compliant manner.
  • The AICPA’s SOC 2 Guide states that service organizations may implement policies, procedures, and controls for managing vendor risk. This could include how to assess the risk that vendors bring, assigning responsibility and accountability for managing vendor risk, establishing communication and resolution protocols for issues with vendors, how to assess the performance of vendors, and how to terminate vendor relationships.

What vendor compliance obligations does your industry require of you? Interested in learning more about effective vendor risk management? Contact us today to hear how we can validate the security of your vendors’ services or demonstrate the security of your own.
