Third-Party Due Diligence Best Practices
Published October 4, 2018 by Karen Walsh
No matter what industry you’re in, business relationships with third-party vendors are the biggest risk to your information landscape. Increasingly, companies are adding more software-as-a-service (SaaS) vendors to streamline business processes. However, vendor due diligence becomes more complicated as you add new services.
Due Diligence Best Practices For Third Parties
Where Do I Start Third-Party Due Diligence?
The first step to any vendor due diligence program lies in cataloging your business partners. Starting with the ones most critical to business processes is easy. You’ve got networks, servers, and software providers.
The difficulties arise when you start drilling down further. Different business areas require different vendors. Your human resource department possibly links to healthcare insurance providers using a web-based application. Meanwhile, your marketing department is using social media tools to develop your brand.
While some business partners are easy to define, the risks to your data environment come from being interconnected within an overarching ecosystem.
How Do I Analyze Third-Party Risk?
Finding vendors may be difficult, but determining your third-party risk feels insurmountable.
For each third-party relationship, you need to evaluate, at minimum, the following:
- How does the vendor support my overall business objectives and strategic plans?
- How critical to business operations is the vendor?
- How important is the vendor to business continuity?
- What information does the vendor access?
- What networks, servers, software, and devices does the vendor access?
- What level of access do I need to provide the vendor to my networks, servers, software, and devices?
If a vendor needs a high level of access to private information, they need to be labeled as a high-risk relationship. However, even if a vendor isn’t high-risk to your organization, you may need to look at the variety of risks associated with the relationship.
How to Create Associated Risk Tiers
Some vendors may not be critical to business operations, but they nonetheless access private information. Some vendors may access your networks, but they don’t access your customer information.
For example, social media marketing tools access your networks, but they probably won’t be critical to business operations. Meanwhile, a payment processing vendor will be critical to your business operations and access customer information. Finally, if you manage an employee web portal, it holds private information unrelated to customers and it accesses your networks, but it may not be critical to maintaining business continuity.
All of these associated risks impact your cybersecurity, but not necessarily equally. Taking into account the amount of access, information, and criticality, create risk-based segmentation of your vendors to help monitor the most impactful risks.
5 Vendor Management Due Diligence Best Practices
After determining your risks, you need to establish strategies that mitigate them. Although you may choose to accept, transfer, or refuse certain risks, ultimately you can’t get rid of all of them. Strategies for risk mitigation include obtaining self-assessments, site visits, audit reports, and continuous monitoring tools.
Review Employee Conduct
All vendor employees can pose a data risk. Part of due diligence requires you to review the risks that employees – from senior management all the way to entry level – pose. A single disgruntled employee can lead to corruption risks arising out of the desire to sell information. If employees are leaving bad reviews on hiring websites, then the company may pose this type of risk.
Establish Legal Guidelines
Business relationships aren’t friendships. They require legal oversight such as contractual obligations. A strong vendor management program maintains service level agreements that define not only product delivery requirements but also cybersecurity requirements. To protect your business, you need to define everything from the vendor’s access level to the data breach notification schedule.
Define Cybersecurity Controls
Your vendors need to align to your cybersecurity stance. To avoid being liable for their data breach, you need to define your requirements. These requirements include everything from firewall protections and data encryption to monitoring their ecosystem. Many businesses forget that their business partners also use vendors. Those fourth-party risks increasingly boomerang back to you, making you liable for any data breach caused down the supply chain.
Trust But Verify
Sure, you trust the audit reports your vendors supply. Unfortunately, those reports only show you a point in time. Cybersecurity threats evolve constantly. As such, your audit reports can be outdated by one previously unknown vulnerability, otherwise known as a “zero-day vulnerability,” being exploited by hackers. You need a way to review the threats to your data continuously to maintain a strong cybersecurity stance.
Why You Need a Security-First Due Diligence Process
Starting with security enables you to better protect your information and reputation. By locking down your entire environment and supply-chain, you make sure that data protection comes first. The old(ish) saying goes, “if you build it, they will come.” However, in cybersecurity, you need to update it to “if you build it, they will come, but they won’t get in.”
Due diligence in vendor management requires you to maintain that security-first approach and find organizations that also take cybersecurity seriously. Large vendors may seem secure, but their size often means that they have a large perimeter to protect. Small vendors may have cutting-edge technology, but their agile development may lead to a hole in the security. You need to make sure that all vendors begin with security as a primary concern.
How ZenGRC enables security-first vendor management
Vendor management means reviewing your third-party providers’ security as diligently as you review your own. However, CISOs need tools that help manage the influx of alerts.
A single person can’t be in contact with every vendor, every day. Moreover, even in a small business, maintaining the organization necessary to ensure the continuous monitoring and contact with a small number of vendors can be overwhelming.
ZenGRC offers a Task Management capability, where compliance officers can assign remediation work and capture all the relevant data about that job: the requester, the assignee, the current status of the task, and necessary deadlines.
Now, your CISO can maintain a workflow that enables a robust vendor management program that keeps your organization secure. Monitor your vendors in real-time and then create a workflow that enables you to maintain ongoing oversight to ensure they remediate issues.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.