Vetting Your Vendors: A Guide to Performing Due Diligence

Posted by Sean Mackey

March 29, 2017 at 1:30 PM


Your clients rely on you to protect their sensitive information, so it’s important that the vendors you work with have safeguards in place to keep this information safe and secure. Not to mention the fact that the law requires due diligence of business owners who have access to, maintain, or store a consumer’s sensitive information.

But with the array of technology products and services available, you may find it difficult to assess the security posture of potential vendors and to spot gaps or red flags. Here, I'll walk you through the process for vetting your vendors, including how to evaluate whether they are prepared to defend against threats to sensitive information and against unauthorized access that could harm your clients.

Download our free questionnaire for a step-by-step guide to vetting your vendors.

Information Security Program

Be sure that any vendor you're considering has a written information security program in place, with a named owner and a date of last review, not just an assurance that one exists. This program should outline technical, physical, and administrative safeguards specifically designed for protecting sensitive information. These safeguards may include, for example:

  • Strong password requirements, with multifactor authentication for access to systems that hold sensitive information
  • Account lockouts after repeated failed login attempts
  • Idle session timeouts
  • Logging of access to sensitive information, so that misuse can be detected and investigated

Physical Security

When evaluating a vendor's physical security, note the location and number of data centers. Storing data in more than one geographically separate data center provides better protection against natural or environmental outages and disasters, improves availability, and makes recovery from data loss more likely. Ask for a copy of the vendor's physical security policies, and verify that they cover building access controls, media shredding and disposal procedures, and backup and redundancy, including how often backups are tested by actually restoring from them.

Data Security Policies

When it comes to a vendor's data security policies, here's the bottom line: Sensitive information should be encrypted at rest, and you, not the vendor, should control the encryption key. That way, if a privacy breach does occur on the vendor side, your data will be meaningless to whoever gains unauthorized access. Two caveats: ask where the key is generated and stored and which vendor staff can use it, and remember that a vendor that must process your data needs the key (or a key derived from it) while processing, so find out how and when that access happens and whether it is logged.
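The property this paragraph asks for (ciphertext that is worthless without a key the client controls) is usually implemented as envelope encryption. The Go program below is an added example, not code from the original post or from any vendor: a fresh per-record data key (DEK) encrypts the data, and the client's key-encryption key (KEK) wraps that DEK. The vendor stores only the ciphertext and the wrapped key, so a copy of the vendor's database decrypts to nothing without the client's key. The KEK here is a constructed in-memory value standing in for a client-controlled KMS or HSM, the sample record text is constructed, and the type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the vendor keeps on disk: ciphertext plus the per-record
// data key wrapped under the client's KEK. Neither field is useful alone.
type Record struct {
	DataNonce  []byte
	Ciphertext []byte
	WrapNonce  []byte
	WrappedDEK []byte
}

// sealGCM encrypts plaintext with AES-256-GCM under key, binding aad to the
// ciphertext, and returns the random nonce alongside the ciphertext.
func sealGCM(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if key, nonce, aad or ciphertext differ.
func openGCM(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// Encrypt is the vendor-side write path: draw a fresh 256-bit DEK for this
// record, encrypt the data under it, wrap the DEK under the client's KEK, and
// discard the plaintext DEK. recordID is bound as AAD so a wrapped key cannot
// be transplanted onto another record.
func Encrypt(kek, plaintext []byte, recordID string) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := sealGCM(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealGCM(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Record{DataNonce: dataNonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt is the read path. The client's KEK must unwrap the DEK first; with
// the wrong KEK, or a tampered record, the unwrap fails and nothing leaks.
func Decrypt(kek []byte, rec *Record, recordID string) ([]byte, error) {
	dek, err := openGCM(kek, rec.WrapNonce, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong client key or tampered record")
	}
	return openGCM(dek, rec.DataNonce, rec.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed stand-in for a KEK held in the client's KMS/HSM.
	clientKEK := make([]byte, 32)
	if _, err := rand.Read(clientKEK); err != nil {
		panic(err)
	}
	rec, err := Encrypt(clientKEK, []byte("constructed sample: client 0042 account notes"), "client-0042")
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor stores %d ciphertext bytes and a %d-byte wrapped key\n", len(rec.Ciphertext), len(rec.WrappedDEK))

	// An attacker with a copy of the vendor's database has the record, not the KEK.
	if _, err := Decrypt(make([]byte, 32), rec, "client-0042"); err != nil {
		fmt.Println("without the client key:", err)
	}
	pt, err := Decrypt(clientKEK, rec, "client-0042")
	if err != nil {
		panic(err)
	}
	fmt.Println("with the client key:", string(pt))
}
```

When you ask a vendor whether you hold the key, this is the shape of the answer you want: the vendor's storage holds wrapped keys only, and every unwrap goes through a key service you control, where it can be logged and revoked. If the vendor keeps the KEK in its own environment, you have encryption at rest, but not the protection this paragraph describes.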

Role-based access is also a necessity. Only authorized vendor employees should have access to sensitive information, authorization should be based on a business need (the least privilege required to do the job), and access rights should be reviewed periodically and removed promptly when someone changes roles or leaves.

Systems Security

Any vendor you partner with should run software that receives current security updates on a regular, defined schedule, so your sensitive data is not left exposed to known vulnerabilities; ask how quickly critical patches are applied. Vulnerability assessments should be performed on a continual basis, and a change management procedure (review, testing, and approval before changes reach production) should be in place, since software changes can open up security holes in the vendor's systems. Finally, antivirus or endpoint protection software is a requirement, and it should provide real-time scanning on all computer systems.

Industry Standards for Network Security

Industry-standard firewalls are required by the information security laws discussed below, and they should be deployed and kept current. Administrative access to the firewalls themselves should be limited to authorized administrators, from trusted networks, over an encrypted channel. Separately, records and files containing sensitive information must be encrypted in transit (also a legal requirement), and not only over wireless links but across any public network; in practice that means Transport Layer Security (TLS) or an equivalent protocol, with the vendor retiring older protocol versions as they are deprecated. Intrusion detection and intrusion prevention systems are often bundled with firewall hardware or software, but bundled does not mean enabled: ask whether they are turned on, who reviews the alerts, and how quickly.

Privacy and Confidentiality Controls

You want any third-party vendor to take the responsibility of securing your sensitive information as seriously as you do. Independent attestation reports, such as SOC 1 and SOC 2 reports issued under the SSAE 16 attestation standard (superseded by SSAE 18 in 2017), are one way to validate your vendor's controls and safeguards against recognized criteria. For security due diligence, SOC 2 is the relevant report: SOC 1 covers controls over financial reporting, while SOC 2 covers security, availability, processing integrity, confidentiality, and privacy. Ask for a Type II report, which tests whether the controls operated effectively over a period of months rather than merely existing on a single date, and read it rather than filing it: check the scope (which services and data centers are covered), any exceptions the auditor noted, and the complementary user entity controls, which list what the vendor expects you to do on your side.

Of course, a clean report doesn't guarantee security. But it does help establish that your vendor has effective controls in place, and it gives you something concrete to question the vendor about.

Performing Your Due Diligence

Vendor/third-party due diligence and oversight have risen to the top of FINRA's and the SEC's examination priorities lists, and examiners are looking for evidence of a documented due diligence process from financial institutions, large or small. No matter what state your branch or clients are in, you must abide by the federal information security laws, which require financial institutions to safeguard the security and confidentiality of customer information and to protect that information against anticipated threats and unauthorized access. Keep the completed questionnaire, the vendor's responses, and the reports you reviewed on file; the process only counts if you can show it.

Ultimately, it is your decision whether to entrust this information to a third party. But by following the due diligence process for vetting your vendors, you will get the information you need to make an educated decision and to support your compliance with the applicable laws and regulations.

What other areas of concern do you cover when vetting your vendors? What red flags have you noticed as you work with different vendors? Please share your thoughts with us below.

Editor's Note: This post was originally published in November 2015, but we've updated it to bring you more relevant and timely information.

Topics: Information Security
