As technologies continue to advance, corporations will consistently evaluate whether responsibilities should be managed internally or outsourced to a qualified vendor. Whatever criteria your senior management or board of directors uses as a benchmark for vendor consideration, questions and concerns should be at the forefront of the vendor management program. A primary consideration is that, while outsourcing tasks may seem like the clear risk management option, the associated risks are not removed from the company; they are merely transferred, and they remain a responsibility of the firm that collects and transmits its customers’ information.
What is a Vendor?
There are many definitions of a vendor, but essentially a vendor is a third party that supplies products or services to an enterprise. These products or services may include outsourcing, hardware, software, services, commodities, etc. Vendor risk management is a strategic process dedicated to the sourcing and management of vendor relationships, so that value creation is maximized and risk to the enterprise is minimized.
Do You Need Vendor Risk Management?
The short answer: yes, but the degree of need and the extent of your VRM process depend on a few factors. Two questions you may consider regarding your vendors are: what type and classification of data are they permitted to access, and where does that data reside (your systems or theirs)? The level of risk assessment and risk treatment on your outsourced products or services should be commensurate with the level of permissions granted. A multitude of regulations stipulate that third parties need to be monitored in one way or another. Are you doing business in Europe (GDPR)? Are you doing business in New York (NYCRR 500)? Are you maintaining healthcare information (HIPAA)? And so on. In fact, the FDIC states that an entity’s board of directors and/or senior management are ultimately responsible for vendor risks.
Given the way in which information and operations are shared between an organization and its vendors, entities must consider the risks posed by outsourcing services to third parties. If you’ve followed news trends on the topic, you’re already familiar with data breaches at companies such as Delta, AT&T, and Target that have occurred by way of malicious acts against their vendors. At the end of the day, the organization is the party responsible for managing information throughout its lifecycle: in transfer to and from the customer, and again when it is shared with others who have access to one or more of the organization’s information systems storing confidential information.
An organization’s risk assessment and risk treatment process typically begins with a framework or methodology that guides personnel in identifying and assessing risks posed by third parties and in properly treating these risks through mitigation strategies such as applicable control activities. Similar activities can be performed in a vendor risk management program. Entities should have a process for determining the effectiveness of a vendor’s processes and controls.
So where does one begin? Some frameworks are mandated for specific industries, such as PCI DSS for anyone processing credit card data, or NIST 800-53 and FedRAMP, which will be familiar if you are a government contractor. Many other organizations may be considering an ISO 27001 certification, a SOC 2 report, or combining their SOC report with a SOC for Cybersecurity examination.
The nature, timing, and extent of procedures for determining whether an entity’s monitoring controls over the third party’s processes and controls are effective will largely depend upon the nature and extent of the organization’s monitoring controls and the nature of the services or goods provided by your vendor. Establishing a corporate policy creates a framework for the program and states requirements for evaluating and monitoring the control activities. For instance, a minimum requirement might be set for all business units to obtain a SOC report on aspects of the third party’s operations that relate to the processing integrity of services, as well as its security, availability, and data confidentiality controls. Knowledgeable personnel should assess the relevance of the system description and the complementary controls to the organization’s own risk management program and evaluate any deviations noted. If the third party does not provide a SOC 2 report, management may perform direct testing of the third party’s controls by obtaining evidence from that party on the effectiveness of its controls.
Overall, the organization needs to identify how the third party’s use of its own IT systems interfaces with the entity’s IT network, infrastructure, and other system components, and what new vulnerabilities or threats are presented as a result of this relationship. Independent assessments can and should be leveraged to help with this understanding and provide a healthy component of an effective vendor risk management program. Traditionally, these assessments have been firmly within the domain of third-party service providers. However, for vendors that provide discrete goods (e.g. software, firmware, hardware, modules) for your IT systems, a traditional assessment designed for service providers (SOC 1, SOC 2, or SOC 3) alone may not be the most effective way to monitor or gain reasonable assurance over the control performance of those third parties. Instead, your organization’s vendor risk management program may consider a fourth SOC report: the SOC for Cybersecurity. This SOC report specifically addresses the cybersecurity risk management of any organization, whether it provides IT or transaction processing services, encryption modules, off-the-shelf software, or operating systems. A strong vendor risk management program considers not only the service providers but also the third-party providers of goods and hard IT assets, which in many cases may not be as routinely audited and may pose a greater risk.