Vendor Management – Outsourcing the Task, Not the Risk

Authored by Lindsay Timcke; Director, IT & Cyber

Vendor management is one of the most overlooked areas of cybersecurity and of building a solid, defensible cybersecurity posture for your firm. With most firms in the 21st century heavily invested in relationships with outside vendors who monitor, develop, deploy, extract, and oversee many aspects of our network infrastructure, it is imperative that each firm treat these outside resources as an extension of its own organization. This means the controls you have in place at your organization should also be in place at each of your vendors.

The last ten years have driven home the fact that each company is required to do its own due diligence on its vendors: we are allowed to outsource the task, but not the responsibility. It has never been easier to do this due diligence, as most third parties are aware they need to operate using a solid control environment.

Consider this before hiring a vendor:

So, before hiring any vendor, you should ask for their SOC 2 Type 2 and/or SOC 1 Type 2 report (depending on the area/application being outsourced). If a company does not have a SOC report, your firm needs to make a risk-based decision about whether to use a resource that does not have one. This is key because, depending on the regulations your organization falls under, you might be leaving yourself open to potential findings the next time you are audited.

How can CLA help?

CLA’s cybersecurity and data privacy team has years of experience developing policy, performing vendor review assessments, responding to cyber incidents and helping prevent them. Please contact us to help in assessing and mitigating your risk for a cyber attack.

  • 813-384-2735

Kadian currently works with the Information Security Services Group as well as the higher education group, providing compliance services, outsourcing and co-sourcing engagements, and information security assessments.
