USA : +15512422980   |   India : 18001021532(Toll-Free)

The Importance of Security checks during Vendor Risk Assessment

Many organizations rely on third-party vendors to deliver critical services to their customers, and some of these services may be mission-critical (for example, at financial institutions and at organizations providing healthcare-related services).

This reliance may be due to:

  1. Specialised offerings that require a partnership with a KPO (knowledge process outsourcing provider)
  2. High-volume transactions (requiring external support)
  3. Operational reasons (for example, a recession forcing the organization to reduce operational costs)
  4. Business benefits (when targeting international clients, organizations may need to engage with vendors to compete overseas; competent vendors may also bring incidental benefits such as familiarity with local legal and regulatory requirements, sales and marketing personnel who know the foreign geography, and even translators)
  5. Benefits of cloud computing (data storage, SaaS, IaaS)

Note: in all of the above cases, sensitive personal data, health information or intellectual property will be involved, which makes the vendor relationship all the more critical from the organization’s standpoint.

See also this related blog: Why is my Personal Mobile Number being asked indiscriminately?

Organisations have to realise that a breach of any data at any touch point (whether at the organisation or at the vendor) has a direct impact on the organisation first; the vendor is affected later, if it was involved.

Here “vendors” include (to name a few):

  1. BPO (short term, long term)
  2. KPO (short term, long term)
  3. Consultants
  4. Short term / long term hiring (off roll employees)

A thorough evaluation of the vendor from an information security perspective lets the organization ‘score’ the vendor and arrive at a decision on whether to engage that vendor or not. The evaluation should cover:

  1. The vendor’s commitment to information security. For example:
    • Vendor follows a structured security program covering all areas of operations (for example, availability of an Information Security Policy, procedures and certifications)
    • Visible physical security adherence (based on the vendor’s own business requirements and the client’s requirements)
    • IT infrastructure (for example, a network design covering the positioning of firewalls, routers and switches, and logical segregation)
    • IT operations (for example, adherence to the password policy, change management, backup, and a data lifecycle diagram (creation, processing, transmission, storage, disposal) with roles and responsibilities)
    • Availability of a current risk register and regular internal / external audits
    • InfoSec contracts with fourth-party vendors (the vendor’s own third parties)
    • Financial health of the vendor
  2. Compliance with legal and regulatory requirements
    • The vendor’s commitment to adhering to legal and regulatory requirements (evidence: internal toll gates at each stage of any process handled by the vendor)
    • Any fines paid?
    • Availability of physical infrastructure and IT infrastructure adequate for our organization’s data / information requirements
    • The vendor’s adherence to the ‘rules of the land’
  3. Pointers towards business continuity
    • Due diligence reveals the presence (or absence) of an IRP (incident response plan), a DRP (disaster recovery plan) and a BCP (business continuity plan). Find out what should be included in a business continuity plan.
  4. The extent to which the organisation will be allowed “to audit the vendor”
    • This should be included in the vendor contract appropriately, so that it is not a surprise later for the organisation.
  5. Competency of the workforce handling mission-critical operations

Do you want to learn more about how IARM can assist you in enhancing and scaling your vendor risk management programme? Request a consultation with one of our experts right now!

IARM helps you comply with PCI-DSS, GDPR, HIPAA, and other regulatory requirements by providing full end-to-end encryption, remote activity audits, and multiple authentication and authorisation choices.

IARM’s access controls support your business, minimise remote security threats and can help you take your third-party management programme to the next level. We incorporate advanced security standards into your third-party vendor management programme and offer virtual private solutions and tools to protect your company, vendors and business partners.