I’m looking for templates or Web resources for third-party vendor audits. We are drowning in requests from our clients’ compliance departments regarding the status of our vendors and our vendor review process. Can you offer any help on how we might stem the tide?
Access to templates and Web resources for third-party vendor audits is becoming an increasingly common request due to the growing trend of outsourcing services from one company to another. It is expected that this trend will continue to grow significantly in the coming years. Organizations should develop a comprehensive policy and procedure document that enables them to conduct the necessary due diligence initiatives on outsourced entities.
The following information can provide the necessary framework for putting together a helpful and proactive vendor compliance checklist that identifies critical issues that security professionals should receive answers on from outsourced entities. When completed by each provider, the information can be shared with clients as seen fit. It can be called a "Vendor Due Diligence Policy and Procedure" document and should include the following:
1. A section within a template that readily identifies all business information, such as name, DBA (if applicable), and all other relevant contact information.
2. A separate section for each of the following functional areas within outsourced entities’ business operations:
- Executive Leadership
- Human Resources
- Information Technology-Network Security
- Information Technology-Logical Security (System Access)
- Information Technology-Storage and Backup
3. A comprehensive series of questions for ensuring all material issues for each given department or business unit are being proactively addressed.
4. Common questions may include the following:
a. Within the last six months, please list and describe all new hires or departures from the organization that were of management level and above. Please discuss in detail the reasons for their hire and departure.
b. Within the last six months, please list and describe any security threats or breaches that have occurred, both internally and externally, and include the results of these breaches, what measures were taken to address the breach, and what proactive measures have been implemented for mitigating such issues in the future.
In conclusion, security professionals have to ask from a functional business perspective what type of business divisions or units does an outsourced entity have and what issues are important to business growth and client happiness. Security professionals may also seek the resources of a proven compliance office to help develop a customized template.
This was first published in December 2011