Integrity Blog

IT Vendor Management has gotten a lot of attention lately due to the increase of organizations outsourcing technology services. Although vendors often provide a lot of value to organizations, there can be a high level of risk associated with them. A recent survey conducted by Bomgar shows 69% of respondents said they definitely or possibly suffered a security breach resulting from vendor access within the last year.

If you’re part of a large organization that doesn’t already have an established vendor management program, your head is probably spinning thinking about all the different vendors you use and how to assess them. Even in smaller companies it can be an overwhelming task. It takes time to mature a vendor management program, so take a deep breath and follow these steps to get started.

1. Identify Vendors

If a vendor list has never been created or maintained within your organization, identifying your IT vendors can feel like a daunting task. Make sure to work with a representative from each business unit or department, and ask them to prepare a list of their IT vendors and a short description of the type of service being provided. If you are part of a large organization, it is best to start with critical IT vendors.

If you answer YES to any of the following questions about a vendor, they should be added to the critical list.

  • Does the vendor have access to your organization’s network or systems?
  • Does the vendor have access to your organization’s data?
  • Does the vendor have access to Personally Identifiable Information (PII), Personal Health Information (PHI), etc.?

2. Prioritize Vendors

Once you have identified your IT vendors and categorized them based on their access level, it is time to think about the criticality of the service they provide. If their services became unavailable to you, how would that impact your organization? How long could your organization continue doing business without their service? Your vendor’s ability to respond to a crisis or disaster may have a direct effect on your organization’s business continuity efforts. Prioritize your list of vendors to match their importance to your business operations.

3. Create a Schedule and Process

Most organizations don’t have the time or resources to audit all of their IT vendors at one time. Create a schedule to extend the efforts over the course of a year. From your prioritized list, create a timeline that outlines which vendors you are going to audit and when. You may start with only 2-3 vendors a month, and that is okay.

The second part is to create a process and a plan that includes at a minimum the following:

  • Establish the owner of the vendor relationship. This individual is responsible for communicating with the vendor, collecting the information, staying on schedule, etc.
  • Understand the type of information you will be requesting. This could be compliance/security reports or your organization may require the vendors to complete a security questionnaire.
  • Know where the information will be stored. Designate a central repository for all information pertaining to that vendor. This helps to keep the assessment organized and allows the process to go much quicker and smoother.

4. Track & Monitor Vendors

It is likely that you will identify a vendor that does not have adequate safeguards in place to properly protect your organization. However, if the vendor has an acceptable remediation plan for the gap, and your organization has decided to continue to use their service, it’s imperative to track the progress and ensure the gap is resolved in a timely manner. Vendor management is an ongoing process. Some gaps can take months to resolve, so having a process in place to track them will help immensely.

These steps give you a high-level overview of auditing your vendors. Critical IT vendors should be audited on at least an annual basis to ensure their security is continuing to grow with new and evolving threats. Keep in mind, it takes time to mature a vendor management program and it’s impossible to eliminate all risk from your vendors, but there are ways to manage it. I’m sure you’ve heard the saying, “you’re only as strong as your weakest link”. Cliché I know, but your organization really is only as secure as your vendors. Just ask Target and Home Depot.

Careless and over-reaching employees.

We consistently hear about all of the terrible cybersecurity threats from foreign governments, hacktivists and organized crime. They are ever-present and their methods of attack are increasingly complex. Organizations, both public and private, are spending billions of dollars to stop these attacks. However, there is one threat vector which is commonly overlooked: insider threats.

Insiders have authorization to access vast amounts of data. Because this access is authorized, it is harder to detect malicious activity with the same methods we use to detect external threats. Different controls should be implemented to prevent or detect different types of threats.

Some of your insider threats are people intending to do harm, while some are not. For purposes of this discussion, I will classify insider threats into three categories: the careless, the over-reachers, and the bad apples. The way you address these insider threats will vary based on your environment, but here are some things to consider.

The Careless

The careless are users who simply ignore policy, procedures, or best practices. Their actions, while not intentional, cause harm by allowing data to be viewed or used by those without access. Sometimes they even delete files they shouldn’t. One of the best ways to minimize the chance of this is by using strong access controls. Make sure users only have access to the systems and data they need to complete their jobs. This reduces the chance of an accidental misuse or disclosure of data.

The Over-reacher

Over-reachers are those who use their access beyond their authorization. Take for instance a network administrator. They have full access to every file on the network. They do not, however, have the authorization to browse the files at will. Doing this would divulge protected information and be a violation of the trust placed in them. Additional controls should be put in place to monitor the activity of system administrators. Reports should be generated and provided to someone other than that individual to detect use in excess of the granted authorization.

The Bad Apple

Now we get to the truly bad apples. Good luck detecting this bunch. They are crafty, know how to avoid detection and work behind the scenes. Special care needs to be taken to develop controls which will specifically detect actions that indicate malicious internal users. Such controls include monitoring the number of files copied from a network within a given period, large file transfers to removable media, and logins from abnormal locations or during off-hours. Behavioral analysis is critical to identify potential compromise.
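The three controls named above, sketched as detection logic over a small event stream. This is an added example, not part of the original post; the event format, user names, thresholds and baselines are all assumptions to be replaced with your own log schema and tuning.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and baselines; tune these to your own environment.
MAX_COPIES = 3                       # file copies allowed per user per window
WINDOW = timedelta(minutes=10)
MAX_USB_BYTES = 500 * 1024 * 1024    # largest acceptable removable-media write
WORK_HOURS = range(7, 19)            # 07:00-18:59 local time
USUAL_COUNTRIES = {"asmith": {"US"}, "bjones": {"US"}}

# Constructed sample events: (timestamp, user, action, detail)
EVENTS = [
    ("2024-03-04 09:02:11", "asmith", "login", "US"),
    ("2024-03-04 09:30:00", "asmith", "file_copy", "q1-report.xlsx"),
    ("2024-03-04 23:41:07", "bjones", "login", "US"),
    ("2024-03-04 23:43:00", "bjones", "file_copy", "customers-1.csv"),
    ("2024-03-04 23:44:10", "bjones", "file_copy", "customers-2.csv"),
    ("2024-03-04 23:45:30", "bjones", "file_copy", "customers-3.csv"),
    ("2024-03-04 23:46:05", "bjones", "file_copy", "customers-4.csv"),
    ("2024-03-04 23:50:00", "bjones", "usb_write", "734003200"),
    ("2024-03-05 08:15:00", "asmith", "login", "RO"),
]

def detect(events):
    """Return (timestamp, user, reason) alerts for the three controls."""
    alerts = []
    recent = defaultdict(deque)      # user -> copy timestamps inside WINDOW
    for ts, user, action, detail in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if action == "login":
            if when.hour not in WORK_HOURS:
                alerts.append((ts, user, "off-hours login"))
            if detail not in USUAL_COUNTRIES.get(user, set()):
                alerts.append((ts, user, "login from unusual location"))
        elif action == "file_copy":
            q = recent[user]
            q.append(when)
            while when - q[0] > WINDOW:   # drop copies older than the window
                q.popleft()
            if len(q) > MAX_COPIES:       # alert on every copy above the limit
                alerts.append((ts, user, "bulk file copy"))
        elif action == "usb_write" and int(detail) > MAX_USB_BYTES:
            alerts.append((ts, user, "large transfer to removable media"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert, sep="  ")
```

Fixed thresholds like these are only a starting point; per-user baselines built from historical activity are what turn this into the behavioral analysis the paragraph calls for.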

As you can see, the threat from internal sources is very real. Many would argue the overall risk to an organization is greater from internal threats than external threats. There’s a lot of research which supports that premise. The key is how you define risk. For more on this subject, read my article "Internal vs. External Threats - Which One Worries You More?".

For help with understanding and reducing your risk, download "ENHANCING INFORMATION SECURITY IN AN UNSECURE WORLD - WHITE PAPER" by following the link below.

White Paper - Top Security Tips
Enhancing Information Security in an Unsecure World

This paper reviews four areas of concern: Passwords, Network Considerations, Data Security and Social Engineering.


The following is an excerpt from "First Steps in Compliance Initiatives; Risk Assessments & Policies".

A New Way of Thinking

The regulatory environment governing information systems in both the public and private sector has exploded over the past several years. There have been varying responses in the approach each organization has taken in their effort to become “compliant”. Many of the differences from organization to organization have been explained by quoting the industry profile or size of an organization. Other times it is the budget or process maturity that has defined their process, or lack thereof. Business leaders need to be challenged with this thought. Compliance is not a technology problem, it is a business problem.

So many times we look to technology to solve all of our problems. This goes back to the early days of IT integration into the business process. Back when technology could be applied to most processes and the efficiency gained would be off the charts. There wasn’t a lot of thinking or justification needed for those projects. You knew if they came in on time and on (or close to) budget you’d have a winner.

We have moved into a new age though, and our thinking must transition with it. Gone are the days of all technology projects being a plus for the organization. We really need to identify which projects are worth the time, effort and expense.

Compliance is no different. Most of the regulatory environments your organization will fall under, SOX, HIPAA, FISMA, GLBA, etc., are not specific in how you meet the requirements. However, one thing they do require is a risk assessment.

Understanding Your Risk

The underlying principle of each of these regulations is the reduction of risk. Notice the term “reduction of risk” and not “elimination of risk”. When talking about business you will often hear the phrase “No risk…no reward”, right? If you eliminate all of your business risk and can still make tons of money, wouldn’t everyone do what you do? Where’s the market in that? What we really want to do is reduce our risk to acceptable levels. From a business perspective we do this every day when deciding to open in new markets, launch new products, etc. We weigh the risk to the organization and determine if the risk is worth the reward. In the same vein, if you could reduce your risk significantly with little impact to your operations and budget you’d be crazy not to.

Information security must be approached the same way. Don’t put in firewalls, email encryption or costly intrusion detection systems because “everyone else did” or you think you’re required to. Assess the inherent risk to your organization without those controls and compare that to the residual risk which would exist after implementing them, and see which one you would rather live with. Why spend $10,000 to replace something that has a value of $1,000? Some things though are harder to quantify, such as reputation. It becomes much more complex to put a price on these items.

The Role of a Risk Assessment

Now this isn’t a license to be negligent and do nothing, but there’s certainly a difference between a $500,000 intrusion prevention system and a $50,000 intrusion detection system. Both might satisfy your compliance needs. Only after doing a risk assessment can you determine the level of risk your organization is willing to accept. Risk assessments will help your organization build a profile for risk tolerance and help you prioritize your investments in security.

Many times external consultants are better at leading these discussions as they can bring an objective viewpoint to your process, especially if this is the first time an assessment is being performed. Pick your assessors wisely though, and make sure they want to take the time to understand your company, its culture and how it makes (or loses) money. While there are best practices to follow, a cookie cutter approach will only take you so far.

Once you have your risk assessment completed, the next step is developing policy, procedures and controls to ensure only appropriate risks are taken. Ask any professional in nearly any trade what the secret to creating a repeatable process that works well is and they’ll tell you…great policy/procedures/documentation.

For help with improving your policy writing skills, download the "First Steps in Compliance Initiatives: Risk Assessments & Policies" white paper.

White Paper - Risk Assessments and Policies
First Steps in Compliance Initiatives: Risk Assessments & Policies

Download this White Paper to get 6 Helpful Tips for Improving Your Policy Writing Process.
