I had the opportunity to develop a framework last year that proved successful, getting through over 100 initial vendor assessments. I talked to many security professionals about best practices, but did not find a model that could adapt as risk priorities changed.
The framework was designed with the following four goals: initial assessment, measurable contract terms and warranties, yearly audits, and business value on non-compliance.
Our mission was to construct a much-needed platform for leveraging existing vendors, to build competition between vendors so that they provide the best security services, and to keep our internal associates informed about accepted risk. We determined that two basic security functions need to be established to cover the audits.
The first function is developing and applying contract terms with legal and compliance requirements on data security. This function is also responsible for developing a self-assessment tool that will be used in measuring vendor compliance, reviewing the completed self-assessments, and publishing findings on an internal portal. It also entails determining risks that need to be further discussed with vendors.
The second function is taking a hard look at key strategic vendors or suppliers that handle regulated data. This function takes more time but serves as a check and balance on the initial assessment results. Make sure that your audit team is aware of the vendor's true function in the business, since changes in service can and will happen throughout the year.
After each vendor completes a self-assessment, the analyst posts the results on an internal portal for associates to access. Each vendor receives a grade.
The portal serves as a quick way for all associates to review a vendor in many areas, including security. It also provides a way to gauge changes in risk so that the business can be notified. When a vendor's risk changes, the contractual terms and warranties allow the business to bring the contract up for review again to get better terms or pricing for services rendered. It will also, hopefully, mitigate the newly identified risks.
In the end, security is being monitored, and the business gains another marker to keep competition high for better terms and pricing. This is one area where the value of security clearly translates into the company's bottom line.
Take advantage of the opportunity. Communicate to and train your sourcing, legal and compliance teams that security is now joining them on their contractual journeys.
30 seconds on ... Third-party standards
The Credit Union Information Security Professionals Association (CUISPA) has proposed a Vendor Security Assurance Program for evaluating how technology vendors safeguard members' sensitive data.
One Air Force, One Network
The U.S. Air Force recently consolidated dozens of software contracts and nine support contracts with Microsoft into two agreements. The deal is valued at $500 million over six years, an expected cost savings of $100 million.
A new software system from Oracle for the U.S. Department of Defense aims to connect all domestic military bases. The network would allow officials to share information in the event of terrorist activities.
The BITS Financial Services Roundtable offers a "kalculator" on its website (http://www.bitsinfo.org), which is touted as a key risk measurement tool for information security operational risks.