Chapter Seven: Saturn
Continuing to use our solar system to represent each chapter in this series, we'll compare this chapter to Saturn. We like Saturn for the rings that wrap around it, similar to the monitoring and ongoing due diligence that we must wrap around our vendors and vendor-management programs. In this chapter, I will incorporate advice provided by TRUSTe's Debra Farber, CIPP/US, CIPM, CIPT.
By this time in the relationship, the chosen vendor has been contracted and the spend has been made. Ongoing monitoring applies to those vendors with whom you establish a continuing relationship. In large part, you will duplicate many of the measures you took for the initial due diligence, which we covered in chapter three on risk assessment.
Logistics of Monitoring
Once again, you need to establish some threshold parameters and management decisions. Determine if the ongoing monitoring will be performed centrally or in the individual business units. Determine whether a key risk factor drives the monitoring, including its timing and frequency and its scope and level. Depending on your vendor risk classification, not all of the monitoring elements below will apply.
As a regulated medical device manufacturer, we at Align Technologies have to classify key vendors during onboarding for the manufacturing side of the business. Likewise, we evaluate vendors in terms of the confidential data the vendor may touch. A critical vendor for the manufacturing side, e.g., a materials supplier, may be the lowest risk in terms of data. Similarly, a critical vendor for data, e.g., a payroll processor, may not even appear on the qualified supplier list. At times, vendors are critical on both sides, such as a data-backup vendor.
Additionally, certain vendors may also trigger internal audit processes in terms of Sarbanes-Oxley, financial controls, etc., that apply to public companies.
Vendors should be monitored for certain performance measures, such as financial, relationship and compliance. In this series, we are focused on compliance with privacy and data protection, but do not overlook the other performance measures that impact the company as a whole and thus impact the data.
- Consider the return on investment with this vendor. Is there a new technology that performs better? Is the vendor itself in financial trouble? Are you their main customer or one of only a few? A vendor’s reliance on only a few customers may not be fiscally responsible or beneficial. Consider whether a competitor to your current vendor would bring more value. Do not confuse better price with better value; changing vendors costs more than paying the invoice. If this is a key vendor, review its financial status. Make sure to include insurance coverage in your review.
- The vendor quality may impact your brand directly and indirectly. A fault on the vendor's side may be invisible to your customers or the relationship may be publicly linked. Review the vendor for service quality and adherence to service level agreements in the contract. You will need to pull the contract and discuss with the business units. Talk to both the business unit that uses the vendor and the departments that interact with them, typically accounts payable and IT.
- Check the vendor’s impact on customer satisfaction. This could be on an internal basis but also with your customers if the vendor feeds into your own offerings. Likely, this portion is truly on an ongoing basis and not limited to periodic evaluations. However this is monitored, capture it in your assessment.
- Compliance is truly where your risk assessment has the biggest impact. Review the vendor's policies on privacy and security and look for assurance that the vendor is following its own policies. Consider whether what it is supplying you still meets legal requirements along with contractual requirements. This area of law seems to change with the tides; it ebbs and flows with the many opinions and guidances from both courts and regulators. Certainly, you can ask for independent third-party audit reports, risk assessments, internal assessments, certifications and other written documentation. Some vendors have them. Some do not. If they do not and they are a critical vendor or high risk, you may want to do your own audit. More about audits below.
- Last, pay attention to the news. At least do an online search for the vendor and see what appears. This may give you valuable insight into its stability and current status. It may not. But it’s a simple step that can often be well worth the seconds it takes to type the vendor's name into the search box.
More on Auditing
Audit is a scary word to many people. It is a tool. It is a tool that can have devastating impacts or can give significant reassurance. This chapter certainly will not pretend to cover all aspects of auditing, but let’s touch on some key parts.
As we briefly covered in the last chapter on contracting, you should have audit rights covered in the contract. Most times, this is not a huge area of debate for the vendors, but sometimes it can be. I have had a vendor want to charge me $30,000 to audit, plus pay for the mandatory personnel to work with me and any fees for third parties if I desired to have that report. I have also had them request that I have no access to anything other than a statement by the third party to the effect that the vendor was compliant. There can be many complicating factors, but the more complicating factors I see, the more red flags I see. These cautious provisions may indicate that something should be audited by a third party, or they may indicate only that the vendor has many customers who request audits and it is disruptive to its business. Should you see these types of complications, call the vendor. Often, a frank conversation can eliminate concerns.
- Desktop audits. This is a type of audit I like for medium- to low-risk vendors. One report I saw indicated that vendors are asked if they have policies but not asked to produce them. Trust but verify. Ask for copies. And read them. A desktop audit consists of asking for policies, reports, certifications, risk assessments and any other documentation you determine is required. Resend their initial security questionnaire if applicable and have them update it. Review the contract and talk to your internal departments for issues. Do an online search. Review the vendor’s website for whitepapers, press releases, statements, etc. If public, pull their filings. Of course, you should identify what level of effort and scope you wish based on their risk.
- In-person audits. You can perform an in-person audit or pay a third party to do it on your behalf. You will need to ensure whoever does the visit is trained and understands how the controls apply to your business. You need to work with your vendor to minimize disruption to its business as well as yours. If you go to this extent, assess your budget in advance and coordinate with other departments. Your internal audit may also be interested, as well as other compliance areas. Leverage your resources.
- Third-party reports, certifications, standards. Ask the vendor for audit reports. In the privacy world, this is likely a SOC2 (Service Organization Controls) report. It is a relatively new report that addresses privacy and security controls. It grew out of the history of asking organizations for a SAS70, which the SSAE16 guidance replaced with the SOC1 report, even though the SAS70 (and now the SOC1) addresses financial controls, not privacy/security. The key piece of information is that if you want a standard report, ask for a SOC2 and make sure you know what it covers. If the vendor does not have one, ask for what it does have.
Some certifications, such as self-certification to the EU/U.S. Safe Harbor framework for transferring data from Europe to the United States, are easily verified online. Other certifications, such as the ISO27k series, should have a report to substantiate certification. I also like to ask for certification to the cloud controls matrix through the Cloud Security Alliance (yes, I know this is a security offering, but security matters to privacy). A related report is the HITRUST assessment, which can be mapped to the SOC2. Often, vendors will tout these certifications/reports on their website, too. What if your vendor has none of these? This is not unusual. Third-party reports can be cost-prohibitive. The industry wants assurance that data handlers are safe, and there is no single methodology to provide it. There is not even a standardized security assessment report, and vendors are deluged with requests for various audits, reports, questionnaires, reviews, etc. It becomes too much to manage. There should be one standardized approach for questionnaires to do your upfront risk assessment and a clear matrix of standards/frameworks so professionals on both sides can clearly and readily identify the gaps.
So what to do if your vendor has no report? This depends on your risk analysis and how critical it is to your business. You can do an in-person audit or desktop audit as referenced above, or you can pay a third party to audit. You can also work with your vendor to see if it plans to seek certification or a certain type of report and work with the vendor on the timing and scope.
These audit reports start to get confusing with the acronyms and all. For a more thorough overview and understanding, please click here.
Miss the first installments of this series? Find them here at the IAPP’s Resource Center.