Vendor management is the process of evaluating, onboarding, monitoring, and eventually offboarding your organization’s service vendors—the organizations that store, process, or transmit data on your behalf. Vendor management should be a priority for you because almost every company needs vendors, and vendors make you vulnerable to security threats.
This document provides a high-level explanation of why vendor management is important; the essentials of an effective vendor management program; and information on how to use Aptible’s various vendor management tools and features to manage vendors securely.
Vendor management is important for at least two reasons:
it helps entities organize and keep track of their third-party service providers and any related obligations and, as a consequence
it helps companies identify (and prepare for) potential security events. As for security, a compromised vendor is a common cause of security incidents and breaches. Do you remember how Target suffered a major breach in 2013? That breach began with an attacker stealing the credentials of one of Target’s vendors. As this example illustrates, companies must treat their service providers’ data security programs as extensions of their own.
Many Companies Use Vendors, Especially Small SaaS Companies. Companies of every size use the services of other organizations. And if you’re a small SaaS company, you almost certainly need service vendors to do most of the work that is outside the scope of your main product or service, including activities that involve sensitive or regulated data. This means you need to take vendor management just as seriously as (if not more seriously than) your larger counterparts. And the only way you can mitigate the risks posed by relying on vendor services is to adopt a comprehensive vendor management system.
If You Have Vendors, You’re Always Vulnerable. Your service vendors generally have access to information about your company and your customers. As a result, not only do you need to ensure your vendors take data security seriously (for instance, through imposing contract terms), but you need to have a systematic approach to assessing and monitoring your relationships with the entities that have access to your information. Even with the most comprehensive and effective internal Security Management program for your organization, if any one of your vendors falls short, then that means you’re vulnerable.
When considering how to implement a vendor management program, it’s useful to break up your processes based on the vendor life cycle: screening potential vendors, onboarding vendors (contracting and logging/tracking), continuously monitoring vendors, and eventually terminating vendors. At each step in this life cycle, there are security and privacy implications.
Vendor screening is an indispensable part of vendor management. Once you onboard a vendor and grant it access to your information systems or data, your primary mechanisms to monitor the vendor are to request updated audit reports; to inspect or audit the vendor yourself (if permitted by the contract); and to wait for your vendor to notify you about an incident or breach the vendor experienced. (One important caveat is that a vendor typically will report only incidents and breaches consistent with the terms of their contractual agreements—no more and no less.) As a result, applying a thorough screening process is one of your primary tools to ensure you’re giving your data to a trustworthy recipient.
When you screen a potential vendor, your goal is to make sure the vendor has adopted—and follows—a minimum set of security and privacy best practices that apply to your data and information systems. The consequences of accepting a vendor that does not meet your security and privacy standards could include:
falling out of compliance with government regulations such as HIPAA, CCPA, and the GDPR;
jeopardizing certifications such as HITRUST and ISO 27001;
harming your chances of securing clean audit reports, such as SOC 2 Type 2 reports;
impairing your company’s ability to respond successfully to future customers’ inquiries about your security and privacy practices; and
violating contractual agreements with existing customers.
There are three primary ways to screen potential vendors (these aren’t mutually exclusive options):
review the vendor’s security certifications or audit reports (e.g., ISO 27001 certifications or SOC 2 Type 2 reports);
obtain a contractual commitment from the vendor to maintain data security or privacy standards (this is especially relevant for HIPAA and GDPR); and
evaluate the vendor’s security using an audit or security questionnaire or vendor security assessment (VSA).
When you assess a vendor using any of these methods, it is important to ensure the vendor’s certification, report, agreement, or questionnaire covers the vendor’s entire business or, at a minimum, the parts of their business that will store, process, or transmit your data.
Method One: Reviewing Certifications or Audit Reports. The most common way to screen vendors is to rely on a recognized security or privacy certification or audit report as a proxy for appropriate data security practices. This includes things like ISO 27001 certifications, SOC 2 Type 2 reports, HITRUST certifications, and FedRAMP ATOs.
But a certification isn’t everything. While it is generally reasonable for you to have a baseline level of comfort based on a vendor’s security certification or report, there are a couple of cases where you’ll want to look beyond the certification, such as when:
Your company holds itself to a higher standard than the certification framework.
Your company has privacy requirements that fall outside the scope of the certification. The GDPR falls into this category, as does HIPAA if the vendor does not hold a HITRUST certification.
Method Two: Contractual Security and Privacy Requirements. Another common way to screen vendors is to impose obligations on vendors to maintain certain data security or privacy standards.
If you intend to address security or privacy requirements in your service contracts, you will want to include at least the following (regardless of the security or privacy protocol you’re targeting):
the scope of the business relationship and services offered;
performance or service levels;
known compliance and regulatory obligations;
information security requirements;
termination of the business relationship;
non-disclosure of confidential information; and
vendor obligations to enforce security requirements and standards throughout the entire supply chain.
Method Three: VSAs and Security Questionnaires. If you rely on a security questionnaire, then you should ask questions that will help you determine whether the vendor has policies and procedures in place that align with your security program (HITRUST, ISO 27001, SOC 2, or whatever it might be) and whether the vendor is actually executing those policies and procedures. If a vendor attests to operating an ISMS with policies and procedures that align with your company’s security program, then that should be sufficient for you to begin to move forward with a formal relationship with that vendor. However, you should attempt to implement some monitoring or verification system (e.g., regular updates or audits).
At minimum, you will want to make sure your vendors implement the following safeguards:
the vendor mitigates and contains data security risks through proper separation of duties, role-based access, and least privilege access for all personnel within their supply chain;
the vendor integrates information security controls in its support processes applicable to its contractual relationship with your organization;
the vendor inspects, accounts for, and corrects data-quality errors and associated risks;
the vendor makes security incident information available to your organization;
the vendor ensures that its workforce members who will support your organization—or have access to your data or information systems—have the required skills to perform their assigned responsibilities; and
the vendor complies with all service-level agreements (SLAs).
Note: Any data center provider you contract with should not only meet the minimum security standards imposed on all vendors, but should also have controls in place related to physical and environmental security, including but not limited to, controlling physical access points, maintaining secure equipment disposal policies, and operating an asset management program.
If you’ve determined that a potential vendor meets your baseline security and privacy requirements, the next step is to make sure the vendor signs a valid vendor agreement. This should be done for every vendor, whether or not the vendor already has an ISO 27001 certification or SOC 2 Type 2 unqualified audit report. The reason: even if the vendor has a security certification or some other collection of broadly sensible data security practices, you will want to make sure you bring the vendor’s practices in line with your own data security expectations, which could go beyond or deviate from SOC 2 and ISO 27001’s baseline recommendations.
It’s generally a good idea to make sure that your vendor agreement includes the security and privacy requirements you care most about. See Minimum Security and Privacy Practices to Look For.
If your company is subject to the requirements of the United States’ Health Insurance Portability and Accountability Act (HIPAA) or the EU’s General Data Protection Regulation (GDPR), you may also need to enter into unique legal agreements with your vendors. These agreements—business associate agreements (BAAs) under HIPAA, and data processing agreements (DPAs) under the GDPR—should be prepared in consultation with an attorney. It is important to remember that even if your vendor has agreed to sign a BAA or DPA, you still have an obligation to determine whether the vendor has the capacity to meet the obligations in the agreement.
Note: You should consult your counsel for any questions related to your obligations under HIPAA and the GDPR.
Because you may have dozens of vendors, organization is key. As you onboard vendors, make sure to update your vendor management tool to account for new vendor contracts, renewed vendor agreements, and vendor terminations. Once a vendor has been screened and all of the applicable agreements signed, you should add the vendor to your vendor management tool. You should log as much information as possible, including and especially:
the vendor name;
the vendor owner (i.e., the person or team responsible for managing the vendor relationship);
a record of your screening process, including, for instance, the security certifications or reports the vendor holds and that you reviewed;
whether the agreement contains language about enforceable information security requirements; and
whether the agreement has clear reporting or breach notification requirements.
As you acquire more and more vendors, and as your team grows (and responsibilities begin to overlap and blur), it becomes more difficult to ensure that each new vendor is being properly vetted prior to important data being sent to them.
To help, Aptible has created vendor-specific workflows designed to make the process of onboarding vendors a breeze. Each vendor onboarding workflow includes a responsible team or lead; a deadline by which the vendor must be onboarded; the ability to take notes about the particular vendor; and—importantly for compliance purposes—a log of all vendors that have been onboarded in the past.
To learn more, check out Aptible Comply Workflows.
Finally, because your vendors will generally have access to your data, your information systems, or both, the end of a vendor relationship has a number of security implications. In order to ensure that your data remains safe at the end of a vendor relationship, make sure to “offboard” your vendors appropriately. At a minimum, you should do the following:
First, if the vendor had access to any of your information systems, you should make sure to revoke the vendor’s access.
Second, if the vendor possessed any of your data, you should ensure that the vendor either deletes all copies of it, or returns it. In either case, make sure to confirm that the vendor did, in fact, delete or return the data.
Third, you should log that you offboarded the vendor. For audit logging purposes, it will be important to track when a vendor is fully offboarded.
Aptible Workflows helps you easily keep track of offboarded vendors. Just trigger the “Vendor relationship terminated” event, which will surface a checklist of everything you have to do to successfully offboard the vendor.
To learn more, check out Aptible Comply Workflows.
Make sure you consult your counsel before entering into any regulated agreements, including BAAs. For background on BAAs, check out our article, What is a HIPAA BAA?
Again, make sure to consult your counsel before entering into any regulated agreements. The GDPR includes a number of requirements related to DPAs. For more information, review GDPR Article 28.
While Aptible has not published a template DPA, there are plenty available online. See, for example, Proton Technologies’ template DPA, or one from the International Association of Privacy Professionals (IAPP).
At a minimum, you should screen and inventory all vendors that will have access to your information or information systems. This includes communication tools like G Suite, CRM tools like Salesforce, and hosting platforms like Aptible and AWS.