SOURCE: LockPath, Inc.


March 30, 2015 17:00 ET

How to Avoid the Vendor Blind Spot

OVERLAND PARK, KS--(Marketwired - March 30, 2015) - Some of last year's largest security breaches have brought vendor management and security into the spotlight. Target's breach was caused by an HVAC vendor's access to critical customer data. Home Depot's vendor portal breach allowed hackers access to POS terminals and customer information.

These examples are becoming more of the norm; a recent SearchSecurity report claims that the majority of modern security breaches happen as a result of third-party involvement.

Despite additional guidance issued in 2013 by the Office of the Comptroller of the Currency (OCC), many banks and financial institutions still do not know how to deal with the full scope of vendor risk. Linda Tuck Chapman, chief procurement officer for BMO Financial Group, sees a shift from individual business units handling unique supplier risks to a more centralized model encompassing all third-party risk. "Where we have a centralized operational and risk management framework…for suppliers of the bank, we need to equally build one around all third parties of interest to the bank," she said in a recent Wall Street Journal Risk & Compliance Journal interview.

The OCC's officially recommended process has five phases and three additional activities that should take place over what's called the risk management lifecycle. The OCC wants banks and financial institutions to start asking the right questions both before and after vendor agreements are signed.

Protecting your organization from the possibility of significant revenue loss starts in the negotiation process. When drawing up vendor agreements with business associates, be sure to include language addressing specific security stipulations around information privacy, threat and risk analysis, compliance and audit requirements, and enforcement methods. Important questions to ask include the following:

  • How does your organization define a security breach?
  • What is the difference between a security incident and a breach?
  • When and how does your organization go about reporting breaches? To whom do those reports go?
  • Have you had any security incidents in the past year affecting critical infrastructure or client information?
  • Does your organization distinguish between a policy breach and a security breach?
  • Can you provide a list of critical vulnerabilities to your business and detailed information surrounding remediation or planned remediation of those vulnerabilities?

While setting this precedent and assessing your vendors regularly will not completely absolve your company of liability in a breach, it will go a long way toward minimizing the financial, continuity and human impacts on your bottom line. After all, if you were doing everything you were supposed to, why take all of the blame when something goes wrong?

About LockPath

LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.