Policy, Program and Procedures

  • 1.  vendor management policies

    Posted 03-23-2021 09:59 AM
    I am looking for examples of vendor management policies addressing vendor and IT asset selection criteria during the due diligence process. More specifically:
    1. What due diligence documents do you request from new vendors? Is it based on the vendor level/category? If so, what are those categories?
    2. What do you do for due diligence when you are looking into buying additional software or products from a vendor that you are already doing business with?
    3. Do you have a specific requirement for vendors to carry cybersecurity insurance ?


  • 2.  RE: vendor management policies

    Posted 03-30-2021 04:12 PM
    Hi Kouadjo,

    Due diligence should be based on the level of risk assigned to the vendor; that risk rating usually correlates with the inherent risks based on the product or service they provide. For example, suppose a vendor uses your customer data to provide verification for a loan. In that case, they are probably rated high-risk or critical, based on their access to PII. Therefore, you would want to ensure that the due diligence included reviews of the vendor's information security policies, procedures, independent third-party audits, etc.

    Each organization has different rules that apply when purchasing additional products or services that you already utilize. But the general approach should be the same; you must objectively evaluate the inherent risk in the product or service you wish to purchase. You should consider the following:

    • Is the product uniquely different from others you have purchased from the vendor, i.e., would there be additional inherent risks not previously identified? For example, a SaaS application hosted on your network has a different risk profile than one hosted in the cloud. Therefore, additional due diligence review of the controls is necessary to manage those risks.
    • Is the vendor you are currently using in good standing?
    • Do the existing contract terms adequately address new or emerging risks from the additional product?
    • Are the vendor's current insurance type and coverage amount sufficient if you add an additional product?

    Related to Cyber Insurance, it is highly advisable to require your vendors to carry Cyber Insurance when they provide products or services where they access, process, transfer, or store PII data. They should carry cyber insurance as a separate policy from general liability or professional liability insurance. You may wish to have the vendor add your organization as an additional insured entity in some cases. Remember that insurance coverage can be a highly complex issue. It is advisable to consult either your organization's legal team or your insurance provider for more advice.

    I hope you found this information helpful. I would love to see what other community members can add.