Verifying Vendors' Security Programs
Consultant Rebecca Herold Offers Vendor Management TipsOrganizations need to carefully assess - and then verify - the data security controls their existing and prospective vendors have implemented, says privacy and security expert Rebecca Herold. She offers a range of vendor management tips in an in-depth interview with Information Security Media Group.
"Regardless of whether you've had a vendor for several years already, or are just considering getting [a new] one, do an assessment to see the kinds of controls they have in place and to see the kind of privacy and security program that have actually implemented," she says.
More important, she says, is to "make sure you collect actual verifiable evidence that they're actually doing what they say they do."
Even when dealing with a vendor that an organization has been working with for years, "don't assume that they're doing what they need to do," Herold stresses. "Have the vendor perform a risk evaluation of their program to make sure they have [controls] that are appropriate in place. That evidence is certainly important."
Right to Audit
In addition, entities should include in their vendor contracts a "right to audit clause," she stresses.
"That clause is so important because it gives you the right - if you suspect something is not quite right or that there are signs of risks - to gain insights into their environment," she notes.
"Not having [the clause] might keep you out and you may not get the information you need to make a decision about whether or not you should continue on with the business relationship with that vendor, or cut it off and find someone else."
In the interview (see audio link below photo), Herold also discusses:
- Ways organizations can monitor and verify their vendors' security practices;
- Key processes and technologies to help navigate vendor risk;
- The most troubling emerging security threats and risks posed by vendors.
Herold is president of SIMBUS LLC, a cloud-based privacy and security firm, and CEO of The Privacy Professor, a consultancy. She is author of 19 books on information security and privacy.