Answer

Advice for developing a vendor compliance checklist for a vendor review process

I’m looking for templates or Web resources for third-party vendor audits. We are drowning in requests from our clients’ compliance departments regarding the status of our vendors and our vendor review process. Can you offer any help on how we might stem the tide?


Requests for templates and Web resources for third-party vendor audits are becoming increasingly common because of the growing trend of outsourcing services from one company to another. This trend is expected to continue growing significantly in the coming years. Organizations should develop a comprehensive policy and procedure document that enables them to conduct the necessary due diligence on outsourced entities.

The following information provides a framework for putting together a proactive vendor compliance checklist that identifies the critical issues on which security professionals should receive answers from outsourced entities. Once each provider has completed it, the information can be shared with clients as the organization sees fit. It can be called a "Vendor Due Diligence Policy and Procedure" document and should include the following:

1. A section within a template that readily identifies all business information, such as name, DBA (if applicable), and all other relevant contact information.

2. A separate section for each of the following functional areas within outsourced entities’ business operations:

  • Executive Leadership
  • Legal
  • Compliance
  • Human Resources
  • Operations
  • Information Technology-Network Security
  • Information Technology-Logical Security (System Access)
  • Information Technology-Storage and Backup

3. A comprehensive series of questions for ensuring all material issues for each given department or business unit are being proactively addressed.

4. Common questions may include the following:

a. Within the last six months, please list and describe all new hires or departures from the organization at management level and above. Please discuss in detail the reasons for each hire or departure.

b. Within the last six months, please list and describe any security threats or breaches that have occurred, both internally and externally. Include the results of these breaches, the measures taken to address them, and the proactive measures implemented to mitigate such issues in the future.

In conclusion, security professionals have to ask, from a functional business perspective, what business divisions or units an outsourced entity has and what issues are important to business growth and client happiness. Security professionals may also seek the resources of a proven compliance office to help develop a customized template.

This was first published in December 2011
