Vendor management is a critical piece of creating a comprehensive information security strategy for firms. Vendors processing or maintaining sensitive information on behalf of your firm and its clients are especially important to review and conduct due diligence on periodically.
If a vendor has weak security measures, your firm or client information could be at risk if bad actors successfully compromise this third party’s system. Proactively reviewing and vetting vendors’ cybersecurity policies and procedures is an effective way to block potential data theft.
Below are five key steps your firm can take to maintain a complete vendor management program.
- Establish a vendor management program. Create a due diligence questionnaire or engage an independent auditor to periodically assess key vendors’ cyber and data security practices. Your firm may decide as part of its policy to require certain clearances, certifications, or reports, like a SOC 1 or 2. Vendor management programs should also include a checklist for offboarding terminated vendors.
- Conduct thorough due diligence when selecting new vendors. Any key vendors processing sensitive data should be reviewed before contracts are signed or an engagement begins. It is much easier to protect data before its distributed than after it enters the wrong hands.
- Review vendor contracts before beginning an engagement and upon contract renewal. All contract terms, responsibilities, and expectations should be evaluated and in-line with your firm’s vendor management policy.
- Evaluate how vendors protect and secure any accessible firm or client information. If a service provider is leaving your firm or clients’ information on an unprotected server or unnecessarily available for access by its employees, this information could be at risk.
- Monitor and test vendor relationships. Be sure service providers are continuing to meet security and risk management expectations by periodically reviewing any changes to the vendor’s personnel or operations.
WHAT DOES THIS MEAN FOR ME?
Taking steps to proactively manage vendor relationships will increase your firm’s data security overall. Getting ahead of poorly managed key vendors could save your business from a potential data breach if systems become compromised.
Managing vendor relationships and conducting due diligence to find the right service providers can be time consuming for compliance and data security professionals. Fairview® Investment Services and its affiliate, Fairview® Cyber, can help your firm establish, implement, and maintain a strong vendor management program. Contact us today for more information about how we can draft your vendor management policies and procedures, conduct vendor due diligence, and build your cybersecurity plan.