Top Security Checks to Conduct During Vendor Risk Assessment

Security checks are an important part of the vendor risk assessment process. They help you identify and mitigate risks that your vendors might pose to your company.

These security checks are not just about confirming that your vendors have a good security posture. They also show you how the vendors go about securing their systems and data, and how they ensure compliance with the regulations that apply to their industry.

Many organizations rely on third-party vendors to deliver critical services to their customers, and some of those services are mission-critical (for example, in financial institutions or organizations providing health-care related services). Third-party risk management, including vendor audits, is how the organization keeps control of that dependency.

Vendors are engaged for reasons such as:

  1. Specialised offerings that require partnering with a KPO (knowledge process outsourcing provider)
  2. High transaction volumes that require external support
  3. Operational reasons (for example, a recession forcing the organization to reduce operational costs)
  4. Business benefits (to target international clients, an organization may need to engage vendors in order to compete overseas; competent vendors may also bring incidental benefits, such as familiarity with local legal and regulatory requirements, sales and marketing personnel who know the foreign geography, and access to translators)
  5. Benefits of cloud computing (data storage, SaaS, IaaS)

Note: in all of the above cases, sensitive personal data, health information or intellectual property will be involved, which makes the vendor’s security all the more critical from the organization’s standpoint.

See also this blog: Why is my Personal Mobile Number being asked indiscriminately?

Organisations have to realise that a breach of data at any touch point, whether at the organisation itself or at the vendor, has a direct impact on the organisation first and foremost; the vendor is affected later, if it was involved. Outsourcing a process does not outsource accountability for the data.

Here “vendors” include (to name a few):

  1. BPO (business process outsourcing) providers, short term or long term
  2. KPO (knowledge process outsourcing) providers, short term or long term
  3. Consultants
  4. Short-term / long-term contract hires (off-roll employees)

Security Checks for Vendors during Risk Assessment

When it comes to vendor risk assessment, it’s best to be thorough. That means making sure that you’re performing security checks on all of the vendors involved.


A thorough evaluation of the vendor from an information security perspective lets the organization ‘score’ the vendor and decide, on that basis, whether or not to engage it. The areas to evaluate are:

  1. Vendor’s commitment towards information security. For example:
    • Vendor follows a structured security program covering all areas of operations (for example, an information security policy, documented procedures, and certification; a certificate is only evidence for the scope stated on it, so check its scope and expiry date rather than the logo alone)
    • Visible adherence to physical security controls (based on the vendor’s own business requirements and the client’s requirements)
    • IT infrastructure (for example, a network design showing the positioning of firewalls, routers and switches, and logical segregation)
    • IT operations (for example, adherence to the password policy, change management, backups, and a data lifecycle diagram covering creation, processing, transmission, storage and disposal, with roles and responsibilities for each stage)
    • Availability of a current risk register and regular internal / external audits
    • Information security clauses in the vendor’s contracts with its own third parties (your fourth parties)
    • Financial health of the vendor
  2. Compliance with legal and regulatory requirements
    • The vendor’s commitment to adhere to legal and regulatory requirements (evidence: internal toll gates at each stage of every process the vendor handles)
    • Any fines paid?
    • Availability of physical and IT infrastructure adequate for the organization’s data and information handling requirements
    • Vendor’s adherence to the laws of the jurisdictions in which it operates
  3. Pointers towards business continuity
    • Due diligence reveals the presence (or absence) of an IRP (incident response plan), a DRP (disaster recovery plan) and a BCP (business continuity plan). Find out what should be included in a business continuity plan.
  4. Extent to which the organisation will be allowed to audit the vendor
    • Write the right to audit into the vendor contract up front, so that it does not come as a surprise to either party later.
  5. Competency of the vendor’s workforce handling mission-critical operations
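The checklist above yields, for each item, an answer of “evidenced”, “partially evidenced” or “no evidence”, and the text says the organisation should ‘score’ the vendor from those answers. The following scorecard, an example added to this page and not IARM’s own tooling, shows one way to do that: each item carries a weight, the items the text treats as must-haves (a security program, regulatory adherence, the IRP/DRP/BCP trio and a contractual right to audit) are hard gates that reject the vendor regardless of the overall score, and a check for which the vendor produced no evidence counts as absent rather than unknown. The weights, the 0..2 evidence levels, the 80 % / 60 % thresholds and the three sample vendors are all assumptions constructed for illustration.

```python
"""Vendor scorecard: turns the checklist above into a weighted score and a
decision. Example code added to this page, not IARM's own tooling; the
weights, thresholds, evidence levels and sample vendors are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str
    weight: int              # relative importance within the scorecard (assumed)
    mandatory: bool = False  # evidence level 0 on a mandatory check rejects the vendor


# Checklist items drawn from the five areas above; weights are assumptions.
CHECKLIST = {
    "commitment": [
        Check("security_policy_and_certification", 3, mandatory=True),
        Check("physical_security", 2),
        Check("network_segregation", 2),
        Check("it_operations", 2),
        Check("risk_register_and_audits", 2),
        Check("fourth_party_contracts", 2),
        Check("financial_health", 1),
    ],
    "compliance": [
        Check("regulatory_adherence", 3, mandatory=True),
        Check("no_recent_fines", 1),
        Check("adequate_infrastructure", 2),
    ],
    "continuity": [
        Check("irp", 2, mandatory=True),
        Check("drp", 2, mandatory=True),
        Check("bcp", 2, mandatory=True),
    ],
    "audit_rights": [Check("right_to_audit_in_contract", 3, mandatory=True)],
    "competency": [Check("workforce_competency", 2)],
}

# Evidence levels: 0 = no evidence produced, 1 = partial, 2 = fully evidenced.
MAX_LEVEL = 2
ENGAGE_THRESHOLD = 80.0       # assumption: score (%) at or above which the vendor is engaged
CONDITIONAL_THRESHOLD = 60.0  # assumption: below this the vendor is rejected on score alone


def score_vendor(evidence: dict) -> dict:
    """Score one vendor. `evidence` maps category -> {check name -> level}.
    A check with no entry counts as level 0: absence of evidence is treated as
    absence of the control, not as an unknown resolved in the vendor's favour."""
    earned = 0
    possible = 0
    failed_mandatory = []
    gaps = []
    for category, checks in CHECKLIST.items():
        supplied = evidence.get(category, {})
        for check in checks:
            level = supplied.get(check.name, 0)
            if not 0 <= level <= MAX_LEVEL:
                raise ValueError(f"{category}/{check.name}: level must be 0..{MAX_LEVEL}")
            earned += check.weight * level
            possible += check.weight * MAX_LEVEL
            if level < MAX_LEVEL:
                gaps.append(f"{category}/{check.name}")
            if check.mandatory and level == 0:
                failed_mandatory.append(f"{category}/{check.name}")
    score = round(100.0 * earned / possible, 1)
    if failed_mandatory:
        decision = "reject"  # hard gate: a high score cannot compensate for a missing mandatory control
    elif score >= ENGAGE_THRESHOLD:
        decision = "engage"
    elif score >= CONDITIONAL_THRESHOLD:
        decision = "engage_with_remediation"
    else:
        decision = "reject"
    return {"score": score, "decision": decision,
            "failed_mandatory": failed_mandatory, "gaps": gaps}


def _full_evidence(level: int = MAX_LEVEL) -> dict:
    """Constructed helper: every check at the given evidence level."""
    return {cat: {c.name: level for c in checks} for cat, checks in CHECKLIST.items()}


# Constructed sample vendors (not real assessment data).
VENDOR_A = _full_evidence()
VENDOR_A["commitment"]["physical_security"] = 1   # one partial finding only

VENDOR_B = _full_evidence()
VENDOR_B["continuity"]["bcp"] = 0                 # no BCP produced during due diligence

VENDOR_C = {
    "commitment": {"security_policy_and_certification": 2, "physical_security": 1,
                   "network_segregation": 1, "it_operations": 1,
                   "risk_register_and_audits": 1, "fourth_party_contracts": 0,
                   "financial_health": 1},
    "compliance": {"regulatory_adherence": 2, "no_recent_fines": 2, "adequate_infrastructure": 1},
    "continuity": {"irp": 1, "drp": 1, "bcp": 1},
    "audit_rights": {"right_to_audit_in_contract": 2},
    "competency": {"workforce_competency": 1},
}

if __name__ == "__main__":
    for name, vendor in (("A", VENDOR_A), ("B", VENDOR_B), ("C", VENDOR_C)):
        result = score_vendor(vendor)
        print(name, result["score"], result["decision"], result["failed_mandatory"])
```

Vendor B is the case the hard gate exists for: it scores well above the engage threshold on every other item, but with no business continuity plan it is still rejected, and the output names the control that caused it so the finding can go straight back to the vendor. Vendor C passes every gate but only partially evidences most items, so it lands in the “engage with remediation” band, with the `gaps` list serving as the remediation plan to attach to the contract.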

Businesses are often negligent in performing thorough security checks during the vendor risk assessment process, and in doing so they put their own business at risk.

Conducting security checks is the responsibility of the organization. The goal of this article is to raise awareness on how to conduct a proper security risk assessment, identify weaknesses, and improve overall security.

Do you want to learn more about how IARM can assist you in enhancing and scaling your vendor risk management programme? Request a consultation with one of our experts right now!


IARM Security checks include information gathering, scanning, and penetration testing to identify weaknesses in security controls and potential vulnerabilities that could lead to a cyber attack.

IARM helps you comply with PCI-DSS, GDPR, HIPAA, and other regulatory requirements by providing full end-to-end encryption, remote activity audits, and multiple authentication and authorisation choices.
