Vendor Management
Joseph Horowitz, CISA, CIA, CDPSE, CRMA, A/CCISO
Director of Compliance & Audit, Stetson Cybergroup
Over my 25-year career, across the multiple industries I’ve worked in, vendor management has been the most overlooked internal control program time and time again. Organizations of every size and in every industry, even when they do take the necessary steps to identify and assess their risks, will often dismiss third-party risk. It has been a common belief that once an application or system has been moved to the cloud, or once a vendor has signed a contract or an information security / data privacy “guarantee”, the vendor is going to do all it can to protect the data and information with no need for any additional internal or external management and oversight. In many cases, this couldn’t be further from the truth.
In 2024 the data breach affecting the most victims was at AT&T. In the AT&T third-party data set breach, over 51 million victims had their Social Security numbers, account numbers, addresses, dates of birth, emails, passwords, and phone numbers released on the dark web. And as reported in December 2024, PowerSchool Student Information Systems (SIS), a cloud-hosted education technology platform used by schools and districts to manage student data and track grades, attendance, and other educational information, confirmed that at least 2.7 million records were affected across 6,500 school districts, impacting approximately 62.5 million students and over 9.5 million educators. In the PowerSchool SIS breach, it was determined that the hackers were able to access and download the student records by logging into a single account that did not have two-factor authentication enabled, one of the most basic cybersecurity standards for any account, particularly one with access to sensitive information. Without that second factor, once the hackers had determined that user’s password they were able to access the account.
So, how do organizations do their best to protect data and information from third-party vendor breaches? While nothing is 100% effective, every organization owes its employees, customers, and all other relevant stakeholders the best effort possible to protect their information and data from a third-party data breach.
That all begins with establishing a vendor management program: one that requires accountability from vendors, and management and oversight from those contracting with them. And when we define vendors, they are not just the technology vendors that provide the cloud systems and applications; they also include any vendor that has network and/or physical access to an organization’s data, information, facilities, and people.
First, the organization should identify an individual who will be able to manage, oversee, and carry out the program effectively. This individual will need a good overview of the entire organization and must be able to identify and assign vendor risk management tasks to others in the organization as well.
The organization’s vendor manager should develop and maintain a complete and accurate vendor master file (“VMF”) of all technology and non-technology vendors used by the organization. This is usually achieved by identifying all contracts with, and payments to, vendors. The VMF should record all relevant contract information for each vendor, identify who in the organization will manage the relationship and assist with onboarding and the annually recurring risk assessments, and identify the amount of risk each vendor poses to the organization.
Because of all these third-party vendor breaches, as part of the vendor risk management program, EVERY vendor should be risk assessed upon contracting and annually thereafter to continually determine and manage the risk to the organization. Annually, and upon contract, the organization should require each third-party vendor to respond in writing to questions including, but not limited to:
· Does the third-party vendor have formally documented procedures related to information security and data privacy / protection?
· Does the third-party vendor perform an annual risk assessment to determine and manage their risks?
· Does the third-party vendor consistently use, across ALL internal and external systems and applications, Multi-Factor Authentication (“MFA”) and strong password policies (14 characters or more PLUS complexity)?
· Does the third-party vendor enable encryption at-rest on endpoints (desktops and/or laptops)? Servers? File level?
· Does the third-party vendor enable encryption in-transit on emails?
· Does the third-party vendor require awareness and training of their employees at least annually?
· Does the third-party vendor apply all security measures to their third-party vendors, sub-contractors, and all other external parties with access to their systems, applications, and/or facilities?
· Does the third-party vendor have formally documented procedures for when internal staff or third parties are terminated?
In addition, third-party vendors should be subject to annual monitoring and oversight that tests their internal controls over information security. If they are a technology vendor, they should have an annual SOC 2 Type 2 assessment of information security internal controls performed by a reputable company with qualified auditors or assessors. The SOC 2 Type 2 audit assesses the technology service provider’s internal controls and reports whether the objectives of each control were met. In addition, the SOC 2 Type 2 report provides users / clients / customers of the service with User Consideration Controls (UCC), the items SOC 2 reports commonly label Complementary User Entity Controls. UCCs are a list of internal controls that users / clients / customers should implement themselves to reduce the risks that the provider’s controls alone do not address. Any organization using the service should make every effort to implement ALL recommended UCCs to further reduce the risk of a breach or other incident / event occurring. Organizations should review their third-party vendors’ SOC 2 Type 2 audits annually to ensure information security and data protection controls are still in place and working effectively. If a vendor does not perform SOC 2 Type 2 assessments of controls, identify whether they are compliant with HIPAA, HITRUST, PCI DSS, ISO, or any other regulation or framework for which they can provide evidence.
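One way to operationalize the questionnaire above and the SOC 2 Type 2 / alternative-evidence rule inside a VMF review, as an added example that is not from the article or any vendor tool; the question weights, the 365-day cadence check, the tier thresholds, and all vendor records are assumptions constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Questionnaire items from the article; the weights are this example's assumption.
QUESTIONS = {
    "documented_procedures": 1, "annual_risk_assessment": 1,
    "mfa_and_strong_passwords": 3,  # a single account without MFA was the PowerSchool entry point
    "encryption_at_rest": 2, "encryption_in_transit": 2,
    "annual_awareness_training": 1, "controls_flow_down_to_subcontractors": 2,
    "termination_procedures": 1,
}
ALTERNATIVE_EVIDENCE = {"HIPAA", "HITRUST", "PCI DSS", "ISO"}


@dataclass
class Vendor:
    name: str
    is_technology_vendor: bool
    last_assessed: date = None                    # None = not assessed since contracting
    answers: dict = field(default_factory=dict)   # question key -> True means "Yes"
    evidence: set = field(default_factory=set)    # attestation reports on file


def review_vendor(v, today):
    """Return the findings and risk tier a vendor manager would log for one VMF entry."""
    findings = []
    # Annual cadence: an assessment is due at contracting and every 12 months after.
    if v.last_assessed is None or today - v.last_assessed > timedelta(days=365):
        findings.append("annual risk assessment overdue")
    # Every "No" adds its weight to the score; an unanswered question counts as "No".
    gaps = [q for q in QUESTIONS if not v.answers.get(q, False)]
    score = sum(QUESTIONS[q] for q in gaps)
    findings += [f"answered No / not provided: {q}" for q in gaps]
    # Technology vendors need a SOC 2 Type 2; otherwise look for alternative evidence.
    if v.is_technology_vendor and "SOC 2 Type 2" not in v.evidence:
        alt = sorted(v.evidence & ALTERNATIVE_EVIDENCE)
        findings.append("no SOC 2 Type 2; " + (f"relying on {', '.join(alt)}" if alt
                                                else "no alternative compliance evidence"))
    tier = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {"vendor": v.name, "score": score, "tier": tier, "findings": findings}


def sample_review(today=date(2025, 1, 15)):
    """Constructed VMF entries: names, dates and answers are made up for illustration."""
    all_yes = {q: True for q in QUESTIONS}
    vendors = [
        Vendor("Cloud SIS Provider (constructed)", True, date(2024, 11, 1),
               {**all_yes, "mfa_and_strong_passwords": False}, {"SOC 2 Type 2"}),
        Vendor("Facilities Contractor (constructed)", False, date(2023, 9, 1),
               {**all_yes, "termination_procedures": False}),
        Vendor("Payroll SaaS (constructed)", True, None, all_yes, {"ISO"}),
    ]
    return [review_vendor(v, today) for v in vendors]
```

A missing MFA answer alone lands a vendor in the high tier, mirroring the weight the article gives that single control.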
Other internal controls of an effective vendor management program should include formally documented onboarding and offboarding procedures to ensure that access to systems and physical locations is granted with a least-privilege mindset, and that access is removed and payments stop immediately upon termination of a contract. I also always personally recommend ensuring that contracts include language requiring vendors to provide evidence of information security upon request, along with a “right to audit” clause.
In today’s world, many organizations have offloaded many of their services and data storage to cloud solutions and/or outsource many key functions / operations. If this describes your organization, or even if you only have a few outsourced vendors, start the conversation today on how and when to get the vendor management program started. If your organization has been lucky enough NOT to be affected, it’s only a matter of time before a third-party vendor breach comes knocking on your door and into your network. All organizations that try to remain fiscally responsible, including government-based or non-profit organizations, should aim to be the “one to sue rather than the one sued”. The worst-case scenario is to be financially liable, coupled with reputational loss, when due diligence on your part was not taken.