Pub. 16 2021-22 Issue 3

NEBANKERS.ORG 14 TECH TALK

Components of a Modern Vendor Management Program
Cody Delzer, CISA, CDPSE, SVP IS Consultant/Regional Director, SBS CyberSecurity, LLC

Although vendor management isn't a silver bullet for preventing vendor data breaches, it's a necessary component of a healthy overall information security program. We're going to keep relying on vendor relationships, so truly managing our vendors remains extremely important. A good vendor management program contains the following components: risk assessment, due diligence, contract review, and the watch list.

Vendor Risk Assessment

Everything that's good in information security starts with a risk assessment. If you cannot measure it, you cannot manage it. All of your risk assessments, including your vendor risk assessment, should help you make better decisions. Ultimately, you are seeking answers to two questions: Who do I want to do business with? Do I want to continue doing business with this vendor? You should seek to quantify the answers to these questions, so that each vendor lands in a defined risk level and the depth of review can be matched to that level.

Due Diligence and Contract Review

This is where we'll get the majority of our data for judging the health of a vendor relationship. It's also the most time-consuming and potentially daunting task in vendor management, the one that frightens people and stops them from making meaningful progress. Let's be honest: due diligence and contract review are tedious work, they take a lot of time, and they don't always feel like they're providing adequate value. Nevertheless, they are necessary, and they need not be that daunting. As discussed above, if you have a good risk assessment, you'll know where to focus most of your energy. If you've identified what you want to include in a review for each specific vendor risk level, you're well on your way to having an effective vendor management program. The next step is to identify review criteria. Luckily, your primary federal regulator provides you with good starting points: the FDIC, OCC, FRB, and NCUA all publish their own general criteria for due diligence and contract review. We would encourage you to go further by developing your own question sets for things like SOC reports, cloud providers, and foreign-based service providers, to name a few. Remember: the more critical the vendor, the deeper your review should go.

The Watch List

Occasionally a vendor review doesn't live up to our expectations or risk appetite. A vendor can fall short because it provides outdated or insufficient documentation relative to our requirements, or because review of those documents turns up troubling items that leave us with less risk reduction than we would have liked. If that's the case, we are now presented with the choice of whether or not to continue doing business with the vendor. Assuming the decision is made to continue the relationship, the vendor in question should be placed
