Standards
What standards should I have my vendors meet? How do I know they're meeting them?
This is almost entirely dependent on the industry that you work in. If you're in the medical field, you'll want to ensure that your team is HIPAA compliant; if you're in the financial industry, you'll need to ensure that you're meeting OCC guidance, PCI compliance, etc.
To ensure that your vendors are meeting standards, your lawyers and IT department will work together to determine:
- How sensitive the data is.
- What standards your industry dictates your vendors must meet, and what company standards you'd like them to meet.
- How to determine if they've met those standards.
All of this comes down to the issue of continuous monitoring. Until recently, it was nearly impossible to monitor vendors in real time from outside of their network. Unless a vendor actually let you come on-site and watch their network directly (unlikely), you'd never be able to know what was going on.
Vendor Risk Management: Ten Frequently Asked Questions
Vendor Risk Management: Ten Frequently Asked Questions
As cyber threats become more sophisticated and complex, businesses need not only to ensure they are secure, but that their vital partners, suppliers and vendors are protecting themselves as well. According to the 2015 Verizon DBIR, 70 percent of observed cyber attacks involved a secondary victim. To avoid being blindsided, organizations are beginning to monitor the security of their third parties to reduce the likelihood of a data breach.
Gartner estimates that around 10 percent of companies have formalized IT risk management programs, but that the figure will grow to 40 percent by 2018. If you're just beginning to implement a vendor risk management (VRM) program, BitSight Technologies has identified 10 frequently asked questions to help you get started.
