Vendor due diligence can help avoid these scenarios. Unfortunately, 31 percent of organizations fall short. They report being “well under optimal maturity level with regard to accessing and managing critical vendors.”
Below, we’ll cover everything you need to know to ensure your company doesn’t fall in that 31 percent.
After issuing a request for proposal (RFP) and evaluating responses, identify a vendor shortlist. The shortlist should be a group of four or five vendors that might make the final selection. Then, conduct a due diligence assessment of these vendors.
Below, we’ve created a vendor due diligence flowchart that shows how to complete the process. It comes down to having your information technology, human resources and legal teams independently assess each vendor.
After the assessments are done, evaluate the vendors approved by each department. Then make your final selection.
According to Whistic, a website dedicated to providing the latest insights and updates on information security and third-party risk management, during this evaluation, you should also complete the following tasks:
Recommended additional tasks to complete along with the security assessment
Track down appropriate vendor contacts or internal stakeholders
Communicate internally with stakeholders during the procurement process to facilitate the security review
Gather information on the services the vendor will be providing
Understand what company information or applications the vendor will have access to
Determine what risk level the vendor poses to your organization
Piece together the right questions for the vendor
Send a questionnaire request to the vendor
Follow up with the vendor to remind them to complete the questionnaire
Review vendor responses and documentation to evaluate risk
Draft vendor action plan or determine next steps to protect your organization
Ensure that you have organized questionnaires and documentation in appropriate repositories for storage
Remember, vendor risk management doesn’t end after you make a purchase. It’s a key part of the supplier relationship management process that lasts throughout the entire partnership.
To be safe, we recommend conducting vendor due diligence on a recurring basis — quarterly, biannually, or annually.
Events to prompt a security audit
Conduct audits to determine the vendor’s performance since your last evaluation. Then, consider any new developments that might impact risk, like:
Mergers and acquisitions involving the vendor
Updated or new features and enhancements
Changes in leadership
Assessing vendor compliance
One of the most important aspects of vendor due diligence is assessing compliance. Many organizations need their vendors to comply, or at least support compliance, with regulations like:
“Title I of the Americans with Disabilities Act of 1990 (the “ADA”) requires an employer to provide reasonable accommodation to qualified individuals with disabilities who are employees or applicants for employment, unless to do so would cause undue hardship.”
Employers are responsible for three categories of “reasonable accommodation.” The first covers “modifications or adjustments to a job application process that enable a qualified applicant with a disability to be considered for the position such qualified applicant desires.”
If you’re purchasing an applicant tracking system (ATS) with a job portal, understanding whether your vendor can support this accommodation is critical.
For example, you would need to know how the ATS integrates with systems that assist hearing- or vision-impaired applicants.
Assessing vendor security
Assessing data security is another major concern to consider during vendor due diligence, as illustrated by the Target data breach covered above. Because of this risk, companies considering investing in financial software or services, in particular, must do their homework before making a purchase.
In an article on Reuters, Abel Clark, chief executive officer of TruSight and former Thomson Reuters executive, noted that the financial services industry has seen increased innovation in recent years. This has led to more companies partnering with third-party vendors, which opens them up to greater risk.
And like with compliance, responsibility for a vendor’s security failure will ultimately fall to the client.
To mitigate these risks, the Office of the Comptroller of the Currency (OCC), a division of the U.S. Department of the Treasury, offers guidance for “national banks and federal savings associations (collectively, banks) for assessing and managing risks associated with third-party relationships.”
They state that an effective vendor risk management program should include:
Plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses and oversees the third party
Proper due diligence in selecting a third party
Written contracts that outline the rights and responsibilities of all parties
Ongoing monitoring of the third party’s activities and performance
Contingency plans for terminating the relationship in an effective manner
Clear roles and responsibilities for overseeing and managing the relationship and risk management process
Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management
Independent reviews that confirm the bank’s process effectively manages risks
Of course, banks aren’t the only organizations that need to mitigate risk through vendor due diligence.
“256-bit encryption refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker will require 2^256 different combinations to break a 256-bit encrypted message, which is virtually impossible to be broken by even the fastest computers.
“Typically, 256-bit encryption is used for data in transit, or data traveling over a network or Internet connection. However, it is also implemented for sensitive and important data such as financial, military or government-owned data. The U.S. government requires that all sensitive and important data be encrypted using 192- or 256-bit encryption methods.”
Understanding data center tiers
Most data storage centers are classified as Tier 1, Tier 2, Tier 3, or Tier 4.
“A Tier 4 data center is the most expensive to build, run, and maintain, but it provides the highest level of protection for a company’s data. For larger companies, Tier 4 is often a requirement to keep them in business.”
With Tier 4 data centers, your organization should experience no downtime. Study.com notes, however, that not all organizations need a Tier 4 data center.
“Not all organizations can afford, or need, to make the huge investment required for a Tier 4 data center. Companies that do need Tier 4 have multi-million dollar revenues, earn the majority of their revenue from e-commerce, have a business model built solely for IT, or are those for which any downtime would be fatal.”
It’s up to you to understand your organization’s needs, as well as your vendor’s capabilities.
Assessing potential user risks
Your vendor due diligence should also consider how your vendor can help protect against internal risk.
“Human error is a major factor in breaches, and trusted but unwitting insiders are to blame. From misaddressed emails to stolen devices to confidential data sent to insecure home systems, mistakes can be very costly.”
For example, many electronic health records (EHR) systems now offer mobile capabilities. This allows doctors and nurses to document patient information from their phone or tablet. Indeed, while this technology often increases adoption of the EHR and allows medical professionals to hold more engaging conversations with patients while updating records in real time, it opens organizations to risk.
If a doctor or nurse loses their phone or tablet, it could easily fall into the wrong hands. Consequently, an unauthorized person could then gain access to patient records, violating their rights under HIPAA.
With the right capabilities, however, vendors can help mitigate or even prevent this problem. Multi-layered user authentication can prevent unauthorized records access, for instance. In addition, the EHR vendor might even provide a way to remotely delete patient information from a device.
When evaluating software, make sure to identify areas where users can unintentionally open your organization to risk and determine whether your vendor can help close these security gaps.
Vendor due diligence checklist
Between compliance, security and protecting against potential user risks, completing vendor due diligence can certainly seem a bit overwhelming.
To help simplify the process, we put together this 16-point vendor due diligence checklist. Use it as a starting point to evaluate potential risk.
Does the vendor offer flexible user permissions?
Do you have the ability to wipe information off stolen mobile devices?
Is multi-level user authentication required?
Will the vendor provide training for your staff?
Does the vendor provide training for their own staff?
Will you receive alerts about suspicious activity?
Does the contract adequately detail ownership and responsibilities?
Is data stored in multiple, redundant servers?
Are the data centers adequately tiered?
Does the vendor offer 192- or 256-bit encryption?
Do they offer version tracking?
Will you have access to downtime tracking and updates?
Is there adequate database auditing?
Does the vendor have a documented security strategy?
Are documented contingency plans in place?
Do independent agencies conduct security reviews?
Use DDQs to simplify the process
One of the simplest ways to engage in vendor due diligence is with a due diligence questionnaire (DDQ). However, DDQs must be very thorough to properly assess and mitigate vendor risk.
Check out our list of the 7 best DDQ examples. There you can see how organizations are using DDQs to uncover hidden risks and financial pitfalls — before making a purchase.