Third-party risk management -- not just papering the file | Computerworld
Today, virtually every business depends to some degree on third parties for supporting products and services. In some cases, these third parties supply something simple, such as office supplies, cleaning services or equipment repair. There are, however, vendors whose products or services are critical to the operation of a business. A simple example is phone service -- one carrier holds your main phone number, and their failure to perform could jeopardize your business.
Dependence on third parties is not new, but in the last few years it has come more into focus for a variety of reasons, including the advent of cloud-based services critical to business users, and regulatory/compliance requirements mandating oversight of these entities. The compliance aspect specifically has generated a flurry of activity, with organizations mandated by various standards to conduct third-party oversight, including:
It has been my experience that many organizations simply make third-party oversight a "papering the file" exercise. They go through the motions, getting the essential documentation, putting it in a file and leaving it there until/unless it is requested. Many think this limits their liability to some degree in the event of a breach or failure. Whether or not that proves true, I would suggest that there are purposes beyond compliance and liability to conduct such reviews.
A few years ago, I worked with a software company that handled virtually every business function using a SaaS product: finance/accounting, customer resource management, credit card processing, contract management, time and expense tracking, etc.
At the time, they were somewhat unique in their total dependence on such services, but more and more organizations are moving in that direction. Given the growing level of dependence on the cloud, it is incumbent on all businesses to oversee their vendors. Their primary motivation should be their own performance and survival, with compliance as the secondary objective. This process can go beyond mandates to become a beneficial process. The following is an outline of suggestions to do just that.
Understand Financial and Business Stability
Cloud services can make it easier for you to run your business. They can also make it easy for someone to casually start an online business. If you become dependent on an online business without the funding to be around for long, your business could be in jeopardy. As such, your due diligence process needs to include areas such as:
Their financials and available investment capital
How long they have been around
Do they have enough significant customers to give them traction?
Who are the principals, and what is their track record?
Much of this information will be available on a company's website, but saying it doesn't make it so; use other resources to verify their claims.
Look for information from other sources
One of the first things I do in a third-party review is a deep review of any information available about a company via a search engine. While most casual searches stop after two or three pages, mine often go over twenty pages, with later pages often holding useful information. During due diligence for a customer this week, I found a patent infringement suit on page 18 of a Google search. Some things to watch for:
Positive press (objective, not just company press releases)
History of regulatory issues, lawsuits
History of security lapses or breaches
Specifically evaluate their security and privacy practices
One of the key aspects of mandated reviews involves a security questionnaire sent to key vendors. Since a vendor security breach may result in the disclosure of your customer information, it is imperative that you confirm your vendor is following best practices. I have seen these stop at a few questions, but the trend is for them to be almost impractically long. It is usually easier for both parties to keep the number of questions within reason, but make sure you ask the key questions, particularly when the specifics are mandated, such as with PCI.
Trust, but verify
It is easy for a third party to claim that they comply in a given area, whether or not they really do. As such, it is important to ask for confirming documentation in selected areas. As an example, I always ask if a written security policy document exists. If the answer is yes, I ask to see the document itself.
Make sure your contract mandates participation
Once a contract is signed, it is too easy for a third party to drag their feet in responding to a review, with some even flatly refusing. To avoid this, make sure your contract mandates a response within a given time frame.
Learn from the process
Nobody has an exclusive on good ideas. As you work through a review, take the opportunity to learn from your third parties about how they do things. If you find good ideas or better approaches, take advantage of them.
The bottom line -- work to make third-party reviews a constructive and helpful process, and not just a mandated exercise.