After completing this video, the learner will understand the importance of managing vendor relationships. This includes proper onboarding and offboarding procedures, following security policies and the security risks of integrating systems and data with third parties.
- [Voiceover] Vendors play an important role in the information technology operations of every organization. Whether it's the simple purchasing of hardware or software from an external company or the provision of Cloud computing services from a strategic partner, vendors are integral in providing the IT services that we offer our customers. Security professionals must pay careful attention to managing these vendor relationships in a way that protects the confidentiality, integrity, and availability of their organization's information and IT systems.
Perhaps the most important rule of thumb is that you should always ensure that vendors follow security policies and procedures that are at least as effective as you would apply in your own environment. Vendors extend your organization's technology environment, and if they handle data on your behalf, you should expect that they execute the same degree of care that you would in your own operations. Otherwise, vendors may become the weak link in the chain and jeopardize your security objectives.
Security professionals charged with managing vendor relationships may think of their job as following a standard life-cycle. It's not unusual for a large organization to add on dozens or even hundreds of new vendors in a single year, and organizations often change vendors due to pricing, functionality, or other concerns. The first step of the vendor management life-cycle is selecting a new vendor. Depending upon your organization's procurement environment, this may include anything from a formal request for proposals, known as an RFP, to an informal evaluation and selection process.
In either case, security should play an important role, contributing to the requirements sent to vendors and playing a role in the evaluation process. Once the organization selects a new vendor, the onboarding process begins. This should include conversations between the vendor and the customer that verify the details of the contract and ensure that everything gets off on the right foot. Onboarding often involves setting up the technical arrangements for data transfer. An organization should ensure that they are satisfied with the encryption technology and other controls in place that protect information while in transit and maintain its security while at rest in vendor systems.
The onboarding process should also include establishing procedures for security incident notification. Once the vendor is up and running, the security team's job isn't over. The vendor should then enter a maintenance phase, where the customer continues to monitor security practices. This may include site visits and other recurring conversations and the review of independent audit and assessment reports. The maintenance phase will also likely involve the handling of security incidents that occur on the vendor's systems or sites.
If the vendor never reports a security incident, this may be a red flag, as almost every organization occasionally experiences a security breach of some kind. All good things must come to an end, eventually, and the reality is that even the most productive business relationships will terminate at some point. The offboarding process is the final step in the vendor life-cycle and includes ensuring that the vendor destroys all confidential information in its possession and that the relationship is unwound in an orderly fashion.
Depending upon business requirements, the life-cycle may then begin anew with the selection of a new vendor for those services.
- Implementing security controls and policies
- Performing a risk assessment
- Understanding the five risk management actions
- Managing third-party relationships (vendors, etc.)
- Mitigating risk with change management, audits and assessments, and more
- Building an incident response program
- Understanding digital forensics
- Providing security and compliance training
- Ensuring physical security
- Planning for business continuity and disaster recovery
- Matching controls to security goals