A vendor management program is designed to give the organization assurance that vendors, third-party service providers, contractors, and subcontractors meet the same security standards the organization implements to protect its own information systems and information assets. The vendor or third-party management program is part of the enterprise risk management program within the overall enterprise information security program.
In this article, we will discuss the critical components of an effective vendor management program.
Vendor Due Diligence Policy
The policy should be developed to ensure that any agent, including a subcontractor, to whom sensitive information is provided, agrees to implement reasonable and appropriate safeguards to protect this information. In short, any vendor or subcontractor that creates, receives, maintains, or transmits sensitive information on behalf of the organization must agree to comply with the security standards and any applicable requirements by entering into a contract or other arrangement that complies with these requirements.
Vendor Due Diligence Process
Vendors may be selected for a variety of reasons. If a vendor is determined to be a critical vendor, or a vendor that may access protected health information or sensitive data pursuant to the services provided, then a more in-depth review of the vendor will take place. Prior to contracting with a vendor, all contracts should be reviewed by the legal department or the Chief Executive Officer (CEO). As it pertains to the financial stability of the vendor, the legal and finance departments should review all financial statements and related documentation to ensure that the vendor is able to perform its scope of work.
The business owner responsible for the vendor contract should maintain and report on the performance of the vendor throughout the contract period. As it pertains to information security, the information security and compliance department should be responsible for reviewing agreements, reviewing vendor questionnaires, coordinating vendor security evaluations, and reporting on any findings related to deficiencies that may be present in vendor safeguards.
Vendor Performance Tracking
A tracking mechanism should be implemented that will list all vendors, contractors, or subcontractors and identify those that have access to business/confidential, sensitive, and protected health information. Criteria should be established by management to measure the contract performance of each vendor, contractor, or subcontractor as applicable.
The organization should utilize a tracking tool or mechanism (e.g. database, spreadsheet, vendor management software solution) to track vendor due diligence activities.
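The following is an added example, not part of the original article or any product it mentions: a minimal vendor register in Python that applies the two rules the article states (critical vendors, and vendors with access to business/confidential, sensitive, or protected health information, get the in-depth review) and flags vendors whose due-diligence review has never happened or is overdue. The review cadence, the vendor names, and the dates are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Data categories the article says the register must identify access to.
SENSITIVE_CATEGORIES = frozenset({"confidential", "sensitive", "phi"})

# Review cadence is an assumption for this example, not from the article:
# vendors needing an in-depth review are re-reviewed yearly, all others every two years.
IN_DEPTH_CADENCE = timedelta(days=365)
STANDARD_CADENCE = timedelta(days=730)


@dataclass
class Vendor:
    name: str
    critical: bool                      # designated a critical vendor by management
    data_access: frozenset[str]         # categories of data the vendor can reach
    last_review: date | None = None     # last completed due-diligence review, if any
    subcontractors: list[str] = field(default_factory=list)


def requires_in_depth_review(vendor: Vendor) -> bool:
    """Critical vendors and vendors touching sensitive data get the deeper review."""
    return vendor.critical or bool(vendor.data_access & SENSITIVE_CATEGORIES)


def review_status(vendor: Vendor, today: date) -> str:
    """Return 'never', 'overdue' or 'current' for the vendor's due-diligence review."""
    if vendor.last_review is None:
        return "never"
    cadence = IN_DEPTH_CADENCE if requires_in_depth_review(vendor) else STANDARD_CADENCE
    return "overdue" if today - vendor.last_review > cadence else "current"


def build_register(vendors: list[Vendor], today: date) -> list[dict]:
    """Produce the tracking list: one row per vendor, most urgent first."""
    rank = {"never": 0, "overdue": 1, "current": 2}
    rows = [
        {
            "vendor": v.name,
            "in_depth": requires_in_depth_review(v),
            "sensitive_access": sorted(v.data_access & SENSITIVE_CATEGORIES),
            "subcontractors": list(v.subcontractors),
            "status": review_status(v, today),
        }
        for v in vendors
    ]
    # Unreviewed first, then overdue; within a status, in-depth vendors before the rest.
    rows.sort(key=lambda r: (rank[r["status"]], not r["in_depth"], r["vendor"]))
    return rows


# Constructed sample register; vendor names and dates are invented for the example.
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_VENDORS = [
    Vendor("Example Billing Co", critical=True, data_access=frozenset({"phi"}),
           last_review=date(2022, 1, 15), subcontractors=["Example Print Shop"]),
    Vendor("Example Cloud Backup", critical=False, data_access=frozenset({"sensitive"}),
           last_review=date(2023, 9, 1)),
    Vendor("Example Landscaping", critical=False, data_access=frozenset({"public"}),
           last_review=date(2021, 12, 1)),
    Vendor("Example Analytics", critical=False, data_access=frozenset({"confidential"})),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_VENDORS, SAMPLE_TODAY):
        print(row)
```

The register row also carries the vendor's declared subcontractors, since the article's policy extends the same obligations to any agent to whom sensitive information is passed; a real tracking tool would add the contract owner, questionnaire status, and open findings to each row.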
Vendor Review
A vendor review should be performed on all vendors that are classified as critical or may have access to sensitive or protected health information. Vendor review consists of two parts. The first part is a questionnaire that should be completed by the vendor. The second part is a review of the vendor’s controls.
Vendor Questionnaire
The vendor questionnaire should at least consist of the following questions:
- Where (if at all) is sensitive information stored within your computing resources or by your subcontractors, including any back-ups and print copies of information?
- If this information is transported or transmitted by your organization between or among various sites (including off-site storage), in what format is the data and under what protections?
- Does your Company use encryption to protect protected health information (PHI) and other sensitive information?
- Is the method of encryption consistent with the industry encryption standards or HHS guidelines?
- Does your company destroy PHI and other sensitive information through appropriate methods, such as shredding paper, film or other hard copies and clearing, purging or destroying electronic media in accordance with industry standards or HIPAA requirements?
- What electronic and physical security protections are in place to ensure that only authorized individuals have access to sensitive information?
- How can you affirmatively ensure on an ongoing basis that no confidentiality breach has occurred?
- How often are these safeguards tested, and is this testing documented in a manner that we can review?
- Does your company have appropriate access controls and logging/audit trail capabilities?
- Has your company implemented approved means to render sensitive data unusable, unreadable or indecipherable to unauthorized individuals? If so, briefly describe the process.
- Has your company been the subject of any security or confidentiality breaches within the last five years?
- Has your company developed a program to detect and prevent identity theft?
- Does your company provide security and specific role-based training to your personnel? When is training conducted and how often is it conducted?
- Does your company have a written information security policy? How often is the policy reviewed and updated? When was the last update?
- Has your company conducted a recent security audit? Were any deficiencies corrected? How often are audits conducted?
- Does your company have an established policy to ensure security incidents are promptly reported to personnel?
- What are your formal policies for notifying us should there be any breach, or even a possible breach, of confidentiality within your organization?
- At what point is communication initiated, how quickly, in what format, how detailed, etc.?
- Are those of your workforce members who have access to our sensitive information bonded in any manner?
- What reference or other checking is conducted prior to employment of these people by your organization, and is there any ongoing update of this reference information?
- What types of insurance coverage does your company have?
- What are the coverage limits and other terms?
- Is the coverage claims-made or occurrence-based?
- Does your company's insurance cover liability related to privacy violations or security breaches?
- Will your company require the use of any subcontractors or affiliates in the performance of its services?
- Where are the subcontractors and affiliates located?
- What types of services will the subcontractors provide?
- What information, if any, will your company send to these entities?
- What are your company’s information handling policies?
- Does your company have a dedicated information security team?
- Is there an incident response team?
- What are your company’s information security practices with contractors and agents (e.g., due diligence, requisite nondisclosure agreements, specific contractual obligations relating to information security)?
- Does your company use system access control on its systems to limit information access to only those of its personnel who are specifically authorized?
- What are your company’s continuity/disaster recovery plans?
- Do you have a formal written plan and when was it last updated?
- Have the continuity/disaster recovery plans been tested, and have lessons learned been documented and incorporated into the plans?
- What process do you suggest whereby we can independently verify the information above, should we wish to do so?
If you need help creating this vendor management program or developing other policies and procedures, we can help. Contact us today!