From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Managing vendor relationships

- [Instructor] Vendors play an important role in the information technology operations of every organization. Whether it's the simple purchasing of hardware or software from an external company, or the provision of cloud computing services from a strategic partner, vendors are integral in providing the IT services that we offer our customers. Security professionals must pay careful attention to managing these business partnerships in a way that protects the confidentiality, integrity, and availability of their organization's information and IT systems. This process is known as conducting vendor due diligence, and it protects us against many of the risks associated with acquiring hardware, software, and services.

Perhaps the most important rule of thumb is that you should always ensure that vendors follow security policies and procedures that are at least as effective as those you would apply in your own environment. Vendors extend your organization's technology environment, and if they handle data on your behalf, you should expect that they execute the same degree of care that you would in your own operations, and that they meet your minimum security requirements. Otherwise, vendors may become the weak link in the supply chain and jeopardize your security objectives.

Security professionals charged with managing vendor relationships may think of their job as following a standard lifecycle. It's not unusual for a large organization to add on dozens or even hundreds of new vendors in a single year, and organizations often change vendors due to pricing, functionality, or other concerns.

The first step of the vendor management lifecycle is selecting a new vendor. Depending upon your organization's procurement environment, this may include anything from a formal request for proposals known as an RFP, to an informal evaluation and selection process. In either case, security should play an important role, contributing to the requirements sent to vendors and playing a role in the evaluation process. During your evaluation, you should also assess the quality and effectiveness of the provider's own risk management program. What controls, methodologies, and policies do they have in place to control the risks that might affect your organization?

Once the organization selects a new vendor, the onboarding process begins. This should include conversations between the vendor and the customer that verify the details of the contract and ensure that everything gets off on the right foot. Onboarding often involves setting up the technical arrangements for data transfer, and organizations should ensure that they are satisfied with the encryption technology and other controls being put in place to protect information while it's in transit and to maintain its security while at rest in vendor systems. The onboarding process should also include establishing procedures for security incident notification.

Once the vendor is set up and running, the security team's job isn't over. The vendor should then enter a monitoring phase where the customer continues to maintain strong security practices. This may include site visits and recurring conversations, and the review of independent audit and assessment reports. This maintenance phase will likely also involve the handling of security incidents that occur at the vendor's site. If the vendor never reports a security incident, this may be a red flag, as almost every organization occasionally experiences a security breach of some kind.

All good things must eventually come to an end, and the reality is that even the most productive business relationships will terminate at some point. The offboarding process is the final step in the vendor lifecycle, and it includes ensuring that the vendor destroys all confidential information in its possession and that the relationship is unwound in an orderly fashion. Depending upon business requirements, the lifecycle may then begin anew with the selection of a new vendor.

If you'd like to explore this topic in more detail, you may wish to review ISO standard 27036, which covers information security for supplier relationships. In particular, part four of the standard contains guidance on the security of cloud service providers.