Security Officers often focus on locking down their network, training their employees, and securing their facilities. Yet the biggest security risk may be outside the organization. The 2017 Ponemon Institute Report (Data Risk in the Third-Party Ecosystem, September 2017) found that 56% of respondents experienced a data breach caused by one of their vendors. This is a 7% increase from the previous year.
How do you know that your vendors have rigorous security and compliance programs in place to protect your data? Do you even know who your vendors are? Do you know how much data they have? Eagle Consulting Partners can assist with your data governance, prioritize vendors in terms of risk, and then validate the security, confidentiality, and compliance of these vendors.
Organizations generally are responsible for – and bear the legal and financial impact of – security breaches and/or security incidents at one of their vendors. Generally accepted security frameworks such as ISO 27001/27002 and the AICPA Trust Services Criteria include controls for third-party management. Under HIPAA, an organization bears liability for actions taken by its contractors (Business Associates). Sarbanes-Oxley (SOX) mandates third-party management.
Eagle uses multiple protocols and instruments to assess the security and compliance of your vendors. These instruments range from inexpensive, evidence-based evaluations to more elaborate ones. We offer evaluations that require evidence of the vendor’s security posture, not merely the completion of a questionnaire.
For example, Eagle can confirm and document the vendor’s security protocols for data transmission, data at rest, and data handling; the presence of appropriate security policies; the presence of a legitimate security risk assessment; and other indicators of an appropriate security program. Additional activities can be included based on your situation.
Through this vendor security evaluation process, you can clarify expectations with your vendors, validate their security and compliance programs, partner with them to improve their security posture… or occasionally realize you might need to make a change for the good of your organization.
Build peace of mind and trust in your vendors. Contact us today to discuss tailored recommendations for your vendor management needs.