Vendor risk management: process and documentation


Andrew M. Baer, Esq., Contributor
09.09.2009

In managing vendor contracts, it's important to take process into account. Contracting is not a compliance obligation to be undertaken in isolation, but is an integral part of a financial institution's comprehensive information security program. A regulator questioning an institution's information security officer will expect that individual to maintain an updated list of third-party vendors who have access to non-public personal information as well as information about what types of data they have and the institution's risk classifications for those vendors. (PCI DSS Requirement 12.8 similarly requires covered entities to maintain a list of service providers with whom cardholder data is shared.) To back up the institution's vendor risk assessments in conversations with regulators and auditors, it is also helpful to keep handy files containing due diligence and audit reports on the vendors or summaries of such reports.

Copies of important vendor contracts and personnel qualified to discuss the company's contracting strategy should be readily available during any regulatory examination. Not knowing who your vendors are or what information they have is a sure way to get a poor safety and soundness rating. To help facilitate the proper vendor documentation, corporate legal departments should utilize contract management database software to track vendor relationships and flag those contracts deemed high-risk from an information security standpoint, so that, for example, the database administrator can easily print out a list of all contracts where the vendor has access to account or Social Security numbers.

Overall, it's critical to keep tabs on important vendor contracts and avoid creating silos within an organization. A financial institution's legal, operations, compliance and information security personnel must all be knowledgeable and in agreement when dealing with regulators. It is of little value, for example, if a firm's counsel includes robust audit rights in a vendor contract if those audit rights are never exercised or, even if they are, the information security officer cannot present documentation showing the audit actually took place.

Ultimately, contracts aren't just to make lawyers happy. Contracting is a critical component of vendor information security risk management. Understandably, and particularly in these cash-strapped times, there is often a desire to purchase IT solutions quickly based on the lowest available pricing. For financial institutions, however, and increasingly for non-financial organizations as well, well-structured contracts are no longer just a lawyer's obsession: they are the concern of regulators and legislators and must be seen as a compliance obligation. With IT managers, information security officers and counsel all on the same page, and with vendors increasingly sensitized to the issue, the new emphasis on contracting does not have to mean endless bottlenecks and delays.
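The vendor register the tip describes (which vendors hold non-public personal information, what data they hold, their risk classification, and whether due diligence and audit documentation is on file) can be kept as structured data and queried for exactly the reports an examiner asks for. The following is an added example written for this page, not code from the article or its author; the data model, field names, the one-year audit-age policy and the sample vendors are all constructed assumptions. It produces the three things the tip mentions: the list of contracts where a vendor can access account or Social Security numbers, the PCI DSS 12.8-style list of providers with whom card data is shared, and the documentation gaps (audit rights never exercised, high-risk vendors without due diligence reports) that leave the information security officer unable to back up the risk assessment.

```python
"""Vendor register checks for an information security program.

Added illustration; not code from the article. The data model, policy
thresholds and the sample register below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class VendorContract:
    vendor: str
    service: str
    data_shared: Set[str]          # data classes the vendor can access
    risk_class: str                # "high", "medium" or "low"
    audit_right: bool              # contract grants an audit right
    last_audit: Optional[date]     # when that right was last exercised
    due_diligence_on_file: bool    # due diligence / audit report retained


def sensitive_data_contracts(register: List[VendorContract],
                             sensitive=("account_number", "ssn")) -> List[VendorContract]:
    """Contracts where the vendor can access account or Social Security numbers."""
    return [c for c in register if c.data_shared & set(sensitive)]


def card_data_service_providers(register: List[VendorContract]) -> List[str]:
    """The PCI DSS 12.8-style list: every provider with whom card data is shared."""
    return sorted(c.vendor for c in register if "card_data" in c.data_shared)


def documentation_gaps(register: List[VendorContract], today: date,
                       max_audit_age_days: int = 365) -> List[Tuple[str, str]]:
    """Findings an examiner would raise from the register alone.

    The 365-day audit-age policy is an assumed threshold, not from the article.
    """
    findings = []
    for c in register:
        if c.risk_class == "high" and not c.due_diligence_on_file:
            findings.append((c.vendor, "no due diligence report on file"))
        if c.audit_right:
            if c.last_audit is None:
                findings.append((c.vendor, "audit right never exercised"))
            elif (today - c.last_audit).days > max_audit_age_days:
                findings.append((c.vendor, "last audit older than policy allows"))
        elif c.risk_class == "high":
            findings.append((c.vendor, "high-risk contract lacks audit right"))
    return findings


# Constructed sample register (fictional vendors and dates).
REGISTER = [
    VendorContract("CoreProc Ltd", "core banking",
                   {"account_number", "ssn", "name_address"},
                   "high", True, date(2009, 3, 1), True),
    VendorContract("CardCo", "card issuing",
                   {"card_data", "name_address"},
                   "high", True, None, True),
    VendorContract("Shred-It-Now", "document destruction",
                   {"ssn", "account_number"},
                   "medium", True, date(2007, 6, 15), False),
    VendorContract("Lawn Services", "landscaping",
                   set(), "low", False, None, False),
]


if __name__ == "__main__":
    today = date(2009, 9, 9)
    print("Vendors with account/SSN access:")
    for c in sensitive_data_contracts(REGISTER):
        print(f"  {c.vendor} ({c.service}): {sorted(c.data_shared)}")
    print("Card data service providers:", card_data_service_providers(REGISTER))
    for vendor, finding in documentation_gaps(REGISTER, today):
        print(f"FINDING {vendor}: {finding}")
```

Run as a script it prints the sensitive-data list, the card-data provider list and two findings (one audit right never exercised, one audit stale). The point of keeping the register in this form is that the report an examiner asks for is a query, not a scramble through e-mail and filing cabinets, and that the contract terms (audit rights) and the operational record (audits actually performed) are checked against each other in one place.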

About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at andrew@baerbizlaw.com.

