The spotlight on the topic of vendor management has been shining even brighter lately with a large number of data breaches resulting because of poor vendor processes. With vendors being a key reason for the success of companies in today’s economy, companies have a responsibility to ensure efficient processes are in place when contracting with and working daily with vendors. Though many companies are limited by funds and resources that can be devoted to vendor management, the process for protecting themselves can be as simple as asking the following questions:
1. Are Your Vendor Contracts Technical Enough?
The process for developing and reviewing the contracts for a company’s key vendors should be well established and involve multiple parties. Though most companies have a legal team that assists with drawing up the vendor contracts, it is imperative that topics such as data transmission security, vendor remote access, and the secure handling of a company’s data be built into the contracts. A company’s legal team really should work with the IT department in determining the technical requirements that the vendor will be required to follow. For current vendors, a periodic review process should be initiated by a company’s management to determine if older contracts have been updated to include the technical topics previously discussed. If current vendor contracts do not include the technical requirements, a revision should be made by the legal team and the vendor should be required to sign an amended contract.
2. Do you know which vendors house your data?
The performance of an in-depth data inventory is critical for companies that allow their vendors to maintain patient and customer data along with potential company trade secrets. This inventory should involve analyzing each vendor that a company does business with and determining the types of critical data that the vendor has been given access to. If a vendor does house a company’s data in a data center, the vendor inventory should indicate this and management should make a point to request and review an annual SOC 2 Type II report detailing the physical/environmental controls in place. Vendor contracts should also be updated if a SOC report is required to be obtained annually.
3. Does your vendor have adequate data security controls in place?
If your company is relying upon a vendor to handle sensitive data, data security requirements should be communicated to the vendor and built into contracts. Companies that transmit sensitive data to a vendor typically will send it via an encrypted email or a USB device that employs both encryption and a password. Though this may be your company’s policy, it is important to communicate your expectations for how your vendor handles the data once in their possession. If your company’s data resides on a vendor’s server, it may be important to require the data to be encrypted while at rest and that access to the server be properly restricted. A vendor may also be required to follow a company’s data transmission requirements if sensitive data must be emailed or sent via another method, such as FTP.
4. Do you perform a periodic access review focused on vendors?
It’s a well-known fact that user access reviews can take time and are an arduous process for the parties involved. For companies that rely heavily upon vendors, an access review is very important to prevent unused vendor accounts from being compromised and used to carry out a data breach. Responsible company management should develop a formal user access review process that not only focuses on employee accounts used on the network and key applications, but also the accounts used by vendors. A vendor account should be analyzed to determine if it is truly needed and whether it should be enabled/disabled or active at all times. With vendor accounts typically used to provide support, management should consider requiring that system vendor accounts be disabled at all times and that a support ticket be opened in order to enable the vendor account. The support ticket should indicate the reason why the vendor account is to be enabled, how long it will be enabled, and require proper management approval for use of the vendor account. If company management determines that a vendor account should be enabled at all times, the terms of use of the account should be indicated in the vendor contract and IT management should also log and regularly review the activity performed using the vendor account(s).
5. Can your vendors remotely access company systems at any time?
Companies with a large number of systems can require support at any time during the day or night. Typically this support is provided by vendors who are required to remotely access the network or application. Companies that rely upon remote support typically require that vendors use a specified VPN application, such as Citrix, to access the network or application. Vendor contracts should detail how remote support is handled by vendors and when it can be done. The contracts should also specify whether a vendor can remotely access a network or application at any time or only when authorized by company management. If a vendor is allowed to remotely access a company network or application at any time, audit controls should be put in place to regularly monitor VPN logs in conjunction with a review of the network and application activity logs. As a best practice, management should consider keeping vendor accounts for remote access applications disabled until support is needed. Once a service request is documented and approved, the vendor’s VPN account can be enabled, the requested support provided, and then the VPN account can be disabled.
For more tips on vendor management, see our recent post Five Steps to Managing Vendor Security.
