If You Engage Vendors, You Need a Vendor Security Policy

 

In every industry, the risks inherent to doing business must be assessed and mitigated.

 

The purpose of a Vendor Security Policy is to review and classify external partners and third-parties based on the specific risks they pose to your network, and then implement controls to mitigate that liability.

 

This process can be complicated, but if you’re a small business owner, it doesn’t have to be. Here are a few essential starting points to consider while developing your Vendor Security Policy.

 

• Catalog & Classify Your Vendors

Make a list of all the third-parties you engage (vendors, contractors, etc.) and then consider how much access each one of them has to your business-critical data. Rank them (High/ Medium/ Low) according to the level and type of data that they access, store, and transmit – employee information, personally identifiable information (PII), customer data, financial records, HR information, marketing campaign information, and proprietary information.

 

• Identify Types of Risk

Consider the different types of risk that each vendor poses to your organization. Here are a few examples: Strategic, Reputation, Operational, Transaction, Credit, and Compliance.

 

• Audit Applications & Integrations

Do any of these third-parties require access to your systems? Consider the software applications that you use. How sensitive is the information stored within? Is the third-party access to this information critical?

 

• Define Risk Tolerance & Mitigation

Review the scope of your findings with each vendor, and establish agreed-upon procedures for your relationship. Outline the action items that protect both your company and the third-party from the risks associated with a cyber breach. Establish clear policies for engaging with and onboarding new vendors, including procedures for removal of access should the relationship be terminated.

 

Your business environment is unique, and any official policy or procedure should reflect that. This information is for general guidance only, and should not be used as a substitute for professional guidance.

 

We encourage you to consult with our team, or any other qualified security expert, as you work to develop the Vendor Security Policy that is right for your organization. Please give us a call 406-542-4855 with any questions or comments. We look forward to hearing from you!