Standards
What standards should I have my vendors meet? How do I know they're meeting them?
This depends almost entirely on the industry you work in. If you're in the medical field, you'll want to ensure that your team is HIPAA-compliant; if you're in the financial industry, you'll need to ensure that you're meeting OCC guidance, PCI compliance, etc.
To ensure that your vendors are meeting standards, your lawyers and IT department will work together to determine:
- How sensitive the data is.
- What standards your industry dictates your vendors must meet, and what company standards you'd like them to meet.
- How to determine if they've met those standards.
All of this comes down to the issue of continuous monitoring. Until recently, it was nearly impossible to monitor vendors in real time from outside of their network. Unless a vendor actually let you come on-site and watch their network directly (unlikely), you'd never be able to know what was going on.