Vetting Your Vendors: A Guide to Performing Due Diligence

Posted by Rachael Mosher

November 17, 2015 at 10:00 AM

With the array of technology products and services available, deciding on one to best meet your business needs can be overwhelming. But your clients rely on you to protect their sensitive information, so it’s important to select vendors that have safeguards in place to keep this information safe and secure. Plus, due diligence is required by law for business owners who have access to, maintain, or store a consumer’s sensitive information: It’s your responsibility to perform due diligence when considering any vendor that will have access to such information.

So, what questions should you ask when vetting your vendors? Here, I’ll walk you through the vetting process so you can properly assess the security standards of potential vendors and identify any loopholes or red flags. By following these steps, you can make an educated choice, finding the best vendors for you and your clients.

6 Questions to Ask When Vetting Your Vendors

By knowing what to look for in the vetting process, you’ll be able to gauge how prepared a vendor is to defend against anticipated threats to the integrity of this information, and against unauthorized access or use that could result in harm and inconvenience to your clients.

1) Does the vendor maintain an information security program? The vendor should have an information security program in place containing technical, physical, and administrative safeguards specifically designed for protecting sensitive information. These safeguards include, but are not limited to:

2) How does the vendor handle physical security? Physical security includes the location and number of data centers. Storing data in multiple data centers provides better protection in case of natural and environmental outages and disasters. It also helps improve the uptime of your data and the ability to recover from data loss. Other physical security procedures should include building security, shredding and disposal procedures, and backup/redundancy. It never hurts to ask the vendor for a copy of any physical security policies.

3) What are the vendor’s data security policies? Sensitive information should be encrypted at rest, and you should hold the encryption key. That way, if a privacy breach does occur on the vendor side, your data will be meaningless to whoever gains unauthorized access. It’s also important to know who has access to your encrypted data at rest and to the encryption keys. Role-based access is a necessity. Only authorized vendor employees should have access to sensitive information, and authorization should be based on a business need.
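The point of holding the encryption key yourself is that the vendor's storage tier only ever contains ciphertext, so vendor-side access (whether by a breach or by an employee without a business need) yields nothing usable. The following is an added illustration, not code from the original post or from any particular vendor: a customer-side client seals each record with AES-256-GCM under a key that never leaves the customer, a stand-in vendor store that holds only the resulting blobs, and a check showing the vendor cannot read the plaintext back. The record id is bound as associated data so a blob cannot be swapped between records. The key source, record ids and the sample value are constructed for the example; in practice the key would come from your own KMS or HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// VendorStore models the vendor's storage tier: it holds opaque blobs and
// never receives the key. A breach of this store leaks only ciphertext.
type VendorStore struct {
	records map[string][]byte
}

func NewVendorStore() *VendorStore {
	return &VendorStore{records: make(map[string][]byte)}
}

// Put stores a blob under a record id (copied so the caller cannot mutate it).
func (v *VendorStore) Put(id string, blob []byte) {
	v.records[id] = append([]byte(nil), blob...)
}

// Get returns the stored blob; this is exactly what someone with
// vendor-side access to the data at rest would obtain.
func (v *VendorStore) Get(id string) ([]byte, bool) {
	b, ok := v.records[id]
	return b, ok
}

// Client is the customer side. It alone holds the data-encryption key.
type Client struct {
	aead cipher.AEAD
}

// NewRandomKey produces a 256-bit AES key. Constructed for this example;
// a real deployment would draw the key from the customer's own KMS or HSM.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Seal encrypts plaintext under a fresh random nonce and binds the record id
// as associated data, so a blob moved to another record fails to verify.
// Output layout: nonce || ciphertext || GCM tag.
func (c *Client) Seal(id string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Open verifies and decrypts a blob fetched back from the vendor.
func (c *Client) Open(id string, blob []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns+c.aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// LeaksPlaintext reports whether the blob the vendor holds exposes the
// plaintext directly, i.e. whether vendor-side access reads the data.
func LeaksPlaintext(store *VendorStore, id string, plaintext []byte) bool {
	blob, ok := store.Get(id)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewRandomKey()
	client, _ := NewClient(key)
	store := NewVendorStore()

	// Constructed sample record; not real customer data.
	record := []byte("SSN=123-45-6789")
	blob, _ := client.Seal("client-42", record)
	store.Put("client-42", blob)

	fmt.Println("vendor can read plaintext:", LeaksPlaintext(store, "client-42", record))
	got, _ := store.Get("client-42")
	pt, err := client.Open("client-42", got)
	fmt.Printf("customer decrypts: %q err=%v\n", pt, err)

	// Any other key, including one the vendor might hold, cannot open it.
	otherKey, _ := NewRandomKey()
	other, _ := NewClient(otherKey)
	_, err = other.Open("client-42", got)
	fmt.Println("wrong key rejected:", err != nil)
}
```

When asking a vendor about "encryption at rest", this is the distinction to probe: encryption where the vendor manages the key protects against a lost disk, while customer-held keys as above also protect against the vendor's own staff and against a breach of the vendor's application tier. Pair it with the role-based access question, since the key custodians on your side are now the ones whose access needs a business justification.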

4) What does the vendor offer in terms of systems security? Antivirus programs are a requirement, and they should offer real-time scanning protection on all computer systems. Vulnerability assessments should be performed on an ongoing basis. If a vendor’s software is set up to receive the most current security updates on a regular basis, your sensitive data won’t be left exposed to known, already-patched vulnerabilities. Also, a formal change management procedure should be in place, as changes made to software could open up security holes in the vendor’s system.

5) Does the vendor’s network security meet industry standards? Industry-standard firewalls are required by law. These firewalls should be deployed and kept current. Access to firewalls should be allowed only through Secure Sockets Layer (SSL) or Transport Layer Security (TLS). These protocols ensure that records and files containing sensitive information are encrypted when transmitted wirelessly, also a requirement by law. Intrusion detection systems are typically included in firewall hardware/software, as are intrusion prevention systems.

6) Does your vendor have effective controls to ensure privacy and confidentiality of data? It’s helpful to think of the vendor as an extension of your branch. This means that the vendor should take the responsibility of securing your sensitive information as seriously as you do. Examples of accredited audits to test and validate your vendor’s controls and safeguards against known industry standards include SSAE 16 or SOC 1 and 2.

Successful completion of these certifications doesn’t guarantee security, but it goes a long way in proving your vendor has effective controls in place.

Due Diligence Is Required!

Vendor/third-party due diligence and oversight have risen to the top of FINRA’s and the SEC’s examination priorities lists, and examiners are looking for evidence of a due diligence process from financial institutions, large or small. No matter what state your branch or clients are in, you must ensure that you are abiding by the federal information security laws, which require financial institutions to safeguard the security and confidentiality of customer information and protect that information against any threats or risks. A surefire way to guarantee compliance with the laws and regulations is to perform due diligence—in part by vetting your vendors by asking the questions provided here.

Make the Educated Choice

Assessing the vendor’s responses, identifying the appropriate safeguards and controls, and noting any red flags that could leave your sensitive information vulnerable are vital to keeping your clients’ sensitive information safe. Ultimately, it is your decision whether to entrust this information to a vendor. By following this due diligence process, however, you will get the vital information you need to make an educated decision—and the best one for your business.

What other areas of concern do you cover when vetting your vendors? What red flags have you noticed as you work with different vendors? Please share your thoughts with us below. 

Vendor/Third-Party Security Due Diligence Worksheet


Topics: Information Security
