    10 Best Practices for Sharing Sensitive Information with Vendors

    Deloitte recently published a report noting that “the market is currently underinvested in the area of vendor management, particularly when it comes to tools, methods and processes.” The same report noted that businesses are increasingly outsourcing functions. As vendors become more central to day-to-day operations, companies need to ensure that their data stays safe once it leaves their own network for a third party's.

    For organizations that are just getting started with a formalized vendor risk management (VRM) program, BitSight Technologies has prepared a list of the do’s and don’ts of sharing sensitive information with vendors.

    10 Best Practices for Sharing Sensitive Information with Vendors - slide 1

    Working with Third-Party Vendors

    Do Understand the Value of Your Data

    Do understand the value of your data to your organization before any third party is allowed to touch it. Classifying data, so that you can tell what is highly sensitive from what is only moderately sensitive, is an essential step, and it has to happen before a vendor gets access rather than after: the classification drives every other decision on this list, including what you share, which controls you demand in the contract, and how urgently you respond when something goes wrong.

    Do Create Security Expectations

    Do create security expectations for your vendors that describe how they must secure your data. These expectations should not be mentioned casually at the start of a business relationship; they belong in the vendor contract as enforceable obligations. Write them down precisely enough that both you and upper management know exactly what the vendor has committed to, and what the remedy is if they fall short.

    Do Establish an Incident Response Plan

    Do establish an incident response plan. Having a procedure for your third party to notify you in the event of an incident affecting their organization and/or your data is a clear best practice. This is a written procedure, usually referenced in the contract and developed by the third party, that specifies whom the vendor must contact if a security breach occurs. The first party is responsible for verifying that the vendor has the right procedures in place, that the contact information is accurate, and that the timeline for notification is clearly established. Test the notification path before you need it: contacts go stale, so confirm them with the vendor at least annually.

    Do Share Only the Minimum Information Required

    Do share only the minimum information required for your vendor to meet your objectives. If, for example, a vendor will be monitoring your HVAC system remotely, make sure they can reach only the network segment that controls the HVAC equipment and virtually nothing else. Target's massive, highly publicized 2013 breach, which exposed payment card data and personal information of as many as 110 million customers, began with network credentials stolen from an HVAC vendor; segmenting vendor access away from the payment environment is the control most often cited as what could have contained it.
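    To make the HVAC example concrete, here is an added nftables ruleset for the gateway that terminates the vendor's remote-access VPN. It is not part of the original article or of BitSight's material, and the addresses, ports and segment names are assumptions chosen for illustration. It shows the two halves of the control: an explicit allow list for the one segment and the two protocols the vendor needs, and a logged default deny for everything else coming from the vendor's address pool, without touching traffic from anyone else.

```nft
# Added example (not from the original article): least-privilege forwarding rules
# on the gateway that terminates an HVAC vendor's remote-access VPN.
# Everything below is an assumption for illustration:
#   10.200.0.0/24   address pool handed to the vendor's VPN users (IPv4 only)
#   10.50.10.0/24   building-management (HVAC) VLAN
#   10.10.0.0/16    corporate network
#   10.20.0.0/16    payment / cardholder data environment
#   TCP 443         HVAC controller web console
#   UDP 47808       BACnet/IP used by the vendor's monitoring tool

table inet vendor_access {
    # Base chain: only packets sourced from the vendor pool are sent through the
    # dedicated chain. Other traffic on this gateway keeps its normal policy.
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip saddr 10.200.0.0/24 jump vendor_hvac
    }

    # Everything the vendor pool is allowed to do, and nothing else.
    chain vendor_hvac {
        ct state established,related accept
        ct state invalid drop

        # Allow only the protocols the HVAC contract requires, and only toward
        # the HVAC VLAN. New connections must originate from the vendor side.
        ip daddr 10.50.10.0/24 tcp dport 443 ct state new accept
        ip daddr 10.50.10.0/24 udp dport 47808 accept

        # No path from the vendor pool to the corporate or payment segments.
        # These are redundant with the final drop but make the intent reviewable
        # and give each sensitive segment its own counter to watch.
        ip daddr 10.10.0.0/16 counter drop
        ip daddr 10.20.0.0/16 counter drop

        # Default deny for the vendor pool: log it, count it, drop it.
        # Any hit here is something to raise with the vendor.
        log prefix "vendor-hvac-deny " counter drop
    }
}
```

    Load it with `nft -f vendor_access.nft` and review it with `nft list table inet vendor_access`. The counters on the deny rules tell you whether the vendor's tooling ever tries to reach anything outside the HVAC VLAN, which is the kind of day-to-day signal a point-in-time audit does not give you.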

    Do Continuously Monitor Third-Party Contractors

    Do continuously monitor your third-party vendors and contractors with respect to cybersecurity. Even if you put your vendors through all kinds of audits, which you should, an audit is a point-in-time snapshot: you still don't know what is happening on their network day to day. Continuous monitoring tools help you keep an eye on all your vendors between assessments, so you can make better, data-driven decisions.

    Don’t Create Generic Security Expectations

    Don’t create a generic expectation for security. You’ve probably heard of companies requiring their vendors to provide an “adequate” level of security. This is not a good practice, because “adequate” can be interpreted in many different ways. You have to be clear about your security expectations if you want to reduce the chance of third-party security issues. Ideally, cite a specific industry standard such as ISO/IEC 27001, NIST SP 800-53, or PCI DSS, and say which version and which controls or scope apply, so that “compliant” has a testable meaning.

    Don’t Allow Access Without Proper Assessments

    Don’t allow third parties to access your data without proper assessments. Understanding the cybersecurity posture of your vendors can be a painstaking process. It should combine questionnaires, on-site assessments, technical assessments, and regular communication. If you take care of your pre- and post-contract due diligence, you will be far better prepared for the moment a vendor gains access to your data.

    Don’t Let Everyone Have Access to Your Data

    Don’t let everyone in the third-party organization, or in your own, have access to your data. This is a simple but important concept. Your organization should establish which named individuals at the vendor have access to your data, and put access controls in place so that the data is not reachable by default. Privileged information should be available only to the few individuals who need it for a specific, documented reason, and that access should be revoked when the reason ends.

    Don’t Allow Access from Unapproved Devices

    Don’t allow third-party users to access your data from unapproved devices. Anyone handling sensitive information should be doing so from work-approved computers on approved networks. If someone pulls your information onto a personal laptop at a coffee shop, your organization cannot adequately monitor that usage, and your “crown jewels” are far more likely to be exposed.

    Don’t Provide More Info than Necessary

    Don’t provide vendors with more information about proprietary products than they need; in other words, address the risk in your supply chain properly. Say your organization is designing a highly sensitive smartphone and you engage a vendor to supply specialized screens. That vendor does not need access to all of your phone design data; they need only the specifications required to build the screen. Protecting your most sensitive data and information matters more than any convenience gained by sharing it wholesale.

    One Final Point

    Do use this list as a starting point, but don’t rely on it alone to keep your data secure. These suggestions should give you a good place to begin, or confirm that you are headed in the right direction on IT risk management, but they cannot replace thorough vendor due diligence. Do your homework.
