In these lean economic times, companies are leaning more and more on outsourced services that are not aligned with their core business. This many times includes IT services, and can lead to outside vendors having access, or outright holding the crown jewels of your organization.
So what are you supposed to do, you may ask? There are several steps you and your organization can take to ensure your customer and employee information; and ultimately your organization are protected.
Insert risk management controls into your contracting process.
This may sound easier that it actually is. I can’t count the number of times I have been told about a contract after an uninformed business partner signs a long term “secret” deal. The best way I have found to get involved upfront is to partner with the purchasing or contracting area. Have senior management (the higher the better) agree that any contract or vendor agreement that specifies IT services or information services must be contingent on performing a risk assessment. This risk assessment should be short and to the point, and should be able to be performed by your purchasing, contracting or business partner. Secondly, be sure the business has identified a contract exit strategy. This exit strategy should include transition of source code, data, and proof that any data left with the vendor has been appropriately destroyed.
Identify your data flows and perform risk assessments on your existing suppliers.
Given the short supply of resources these days, you will need to tread lightly here. Take a risk based approach. Understand how your organizations information is fed, to and from your vendors, and what information is actually being transmitted. Plan on visiting your higher risk providers (those that have access or maintain those crown jewels) more frequently, and lower risk providers less frequently or not at all. The best approach is to inventory your providers, understand what they have access to, and then rank them in three categories, low, medium and high. Concentrate on your high risk providers first. Distribute a self risk assessment, and then take a deeper dive into those that fall short of your expectations. Ask for simple things including:
- Results from their last attack and penetration assessment
- Policies
- Results from their last internal control tests (BCP, internal audit, etc.)
Any vendor that is worthy of your business should be willing to provide these items upon demand.
Perform onsite risk assessments.
Once you have identified your high risk providers, plan to visit the highest risk, or the most strategic partners. These risk assessments should include the standard data center tour, discussion between senior management of both firms, and general observation of daily operations, physical security, and employee behaviors. The last thing you want is a vendor telling you they encrypt their laptops, only to find out they send unencrypted back-up tapes offsite for BCP.
Take action on identified risks.
Once you have performed these risk assessments you are bound to have a list of items that need to be addressed. Review these items with the business area responsible for the relationship with the vendor. It is up to them to either assume the risk for these items, or have the vendor resolve them. In any event, it is important to document what you have found, provide the facts to the decision makers, educate them on what it means to the business in order to help them make educated decisions.
If you have difficulty in selling these concepts internally, remind the business how difficult it will be to hit that sales number when your organization is in the news for lost customer information. There are countless stories of organizations that have shipped tapes, or have had contractors download data onto unprotected devices, that go missing.
About the Author
Craig Cooper is the Director of Product Management for Brinqa and focuses on the Vendor Risk Management Application.