
Vendor risk management: process and documentation

As part of the vendor risk management process, regulators expect that information security officers will document vendor relationships and maintain proper vendor documentation.

In managing vendor contracts, it's important to take process into account. Contracting is not a compliance obligation to be undertaken in isolation, but is an integral part of a financial institution's comprehensive information security program. A regulator questioning an institution's information security officer will expect that individual to maintain an updated list of third-party vendors who have access to non-public personal information as well as information about what types of data they have and the institution's risk classifications for those vendors. (PCI DSS Requirement 12.8 similarly requires covered entities to maintain a list of service providers with whom cardholder data is shared.) To back up the institution's vendor risk assessments in conversations with regulators and auditors, it is also helpful to keep handy files containing due diligence and audit reports on the vendors or summaries of such reports.

Copies of important vendor contracts and personnel qualified to discuss the company's contracting strategy should be readily available during any regulatory examination. Not knowing who your vendors are or what information they have is a sure way to get a poor safety and soundness rating. To facilitate proper vendor documentation, corporate legal departments should use contract management database software to track vendor relationships and flag those contracts deemed high-risk from an information security standpoint, so that, for example, the database administrator can easily print out a list of all contracts where the vendor has access to account or Social Security numbers.

Overall, it's critical to keep tabs on important vendor contracts and avoid creating silos within an organization. A financial institution's legal, operations, compliance and information security personnel must all be knowledgeable and in agreement when dealing with regulators. Robust audit rights in a vendor contract are of little value, for example, if those rights are never exercised or, even if they are, if the information security officer cannot present documentation showing that the audit actually took place.

Ultimately, contracts aren't just there to make lawyers happy. Contracting is a critical component of vendor information security risk management. Understandably, and particularly in these cash-strapped times, there is often a desire to purchase IT solutions quickly based on the lowest available pricing. However, for financial institutions and increasingly for non-financial organizations as well, well-structured contracts are no longer just a lawyer's obsession. They are the concern of regulators and legislators and must be seen as a compliance obligation. Still, with IT managers, information security officers and counsel all on the same page, and with vendors increasingly sensitized to the issue, the new emphasis on contracting does not have to mean endless bottlenecks and delays.

About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC, a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at [email protected]

This was last published in September 2009