ZenGRC

Simply Powerful GRC

Third-Party Management

Vendor Offboarding Checklist for Compliance

· ·

Every vendor relationship your company strikes allow your business to save money and exploit new opportunities more efficiently. What’s more, every vendor relationship can develop into more ways for you and your supplier to increase value and grow the business.

That said, every vendor relationship should also follow a natural lifecycle— one that begins with initial review and onboarding, and ends with the termination of the supplier’s contract and offboarding.

Procedures for onboarding new third parties are a key part of your third-party risk management program, and hence they are discussed constantly.

Equally important, however, is offboarding. If done poorly, it can leave your company exposed to data breaches, compliance failures, unnecessary costs, loss of valuable equipment, and potential litigation.

That’s why it’s important to have processes in place to identify when and how to end your relationships with third-party vendors and to ensure you complete the procedures associated with terminating those relationships in the right way. (Ideally, you should automate these processes across your company.)

What is Vendor Offboarding?

Third-party vendor offboarding is the process of removing a vendor from your administrative and finance records when you end a contract or a relationship with that vendor. Only conduct vendor offboarding, however, after the vendor has fulfilled all its essential contractual and residual obligations, such as after-sales support and warranties.

You can eliminate potential risks to your company by making certain that you handle offboarding appropriately. This includes ensuring that the vendor can no longer access your physical property or IT systems and that the supplier destroys all your data in its possession. You should also notify your finance department to stop payments to the vendor.

Too often, companies give more attention to the structure and formality at the front end of their third-party management processes: sourcing and procurement, due diligence, risk management, contracting, and so forth. They don’t pay enough attention to the need for carefully considered offboarding procedures.

Vendor Offboarding Checklist for Compliance

Here is a vendor offboarding checklist for compliance to help you when you’re ending a relationship with one of your third-party vendors:

Access to Data and Systems

Organizations give different suppliers different levels of access to systems, (including VPNs, telecommunication systems, and internal applications) for the lengths of their contracts so those vendors can deliver the services they were hired to provide.

 
Keep a detailed inventory of all the data and systems your suppliers can access, as well as which of their employees have access to those systems and information. You should reference this inventory during the offboarding process to guarantee that you terminate the supplier’s access to your company’s information and systems.

Physical Access to Facilities

Vendors may also need access to your buildings and offices. So also critical to keep a log of the suppliers’ employees who have access to your premises, as well as how they have access: keys to the building, entry codes, key cards, and so forth.

When a vendor’s contract ends and its employees no longer need access to your facilities, ensure that the vendor returns any physical keys, badges, key cards, and the like. You must also notify appropriate employees within your company (receptionists and security personnel, for example) that the vendor no longer has permission to access your facilities. Update any electronic access codes or other internal building access systems as well.

Return of Equipment

If a vendor has borrowed your equipment to perform its contractual obligations, have a process in place to ensure that all your property is accounted for and returned. For example, you can use software to document, tag, and identify any equipment that you issued. Then check whether the vendor returns that equipment at the end of the vendor’s contract. You should also document the condition of the equipment when the vendor returns it.

The inventory you generate should also include what data, information, and intellectual property were provided to the vendor. Work with that vendor to ensure that it returns what it’s able to return, and deleted or destroyed what it can’t.

That said, not all data can be destroyed; it may reside on backup tapes, and some regulations mandate that data is preserved for a period of time. In that case, get assurances from your supplier that it will safeguard your information until those files can be destroyed. 

Review the Contract

The journey from the beginning of a vendor contract to its end is often different than the terms outlined in the original agreement. The scope of an engagement can change over time; unplanned delays arise. Things happen.

 
Throughout the tenure of the contract, then, document any changes in the contract — specifically those that affect the contract deliverables. Then, during the offboarding process, check that the vendor did indeed deliver all the goods or services it was contracted to provide.

And as your vendor relationship changes over time (for example, if you have to expand the supplier’s services) remember to update the scope, controls, and termination provisions throughout the relationship. You don’t want to look for these necessary items during the offboarding process and realize that they’re missing.

Ongoing Security 

It’s critical that you and your vendor review any security policies (including privacy policies) that are related to the contract. You must remind the vendor of provisions and requirements that continue even after your relationship has ended, such as confidentiality and privacy. Get formal acknowledgment from your vendor that it will continue to adhere to the provisions of the contract that continue even after the contract or relationship has concluded.

Final Payments

Pay all your vendor invoices, and ensure that any outstanding debts or refunds owed to you are paid as well. 

Update the Vendor Profile

When a relationship with a vendor ends, the vendor’s profile should be updated accordingly. Check the accuracy of the vendor’s legal name, the names of your primary points of contact, what active contracts you may still have with the vendor, and so forth. This will help you keep an accurate inventory of your third-party supplier relationships.

Vendor Lifecycle Management

Each vendor in your company’s supply chain has a lifecycle that starts with the initial review and onboarding and ends with the termination of the vendor’s contract. Vendor lifecycle management allows you to acknowledge the importance of your vendors and incorporate them into your procurement strategies. Vendor offboarding is the final part of the vendor lifecycle management. 
The vendor management lifecycle generally consists of:

  • Vendor identification: shortlisting potential suppliers. This includes cross-checking whether the shortlisted vendors and the offers they submit match your required specifications.
  • Vendor selection: ensuring whether a specific supplier can deliver the necessary goods or services. 
  • Vendor segmentation: classifying each shortlisted vendor according to specific metrics, including lifecycle cost, availability, quality of goods or services, and support.
  • Vendor onboarding: gathering all the data and documents necessary to add a vendor to your approved list of vendors. This can include due diligence checks on prior litigation, poor customer reviews, audits of security controls, and the like. 
  • Vendor performance management: measuring and analyzing how a vendor performs throughout the contract to identify weaknesses and reduce vendor risks.
  • Vendor information management: collecting data from every step in a vendor lifecycle right from onboarding through offboarding.
  • Vendor risk management and assessment: identifying, analyzing, and mitigating supplier risks.
  • Vendor relationship management: identifying your most important vendors and cultivating long-term relationships with them.
  • Vendor offboarding: removing a vendor from your finance and administrative records when you end a vendor contract or relationship.

To remain competitive and get more out of your vendor relationships, you must adopt new technologies to streamline your vendor lifecycle management processes — including offboarding. Automated vendor lifecycle management helps companies operate more efficiently. It can build better vendor relationships by improving engagement and transparency, and by reducing risks.
Again, offboarding is one of the most neglected parts of vendor lifecycle management. Don’t approach the end of a supplier relationship in such a haphazard way; rather define the offboarding process during the onboarding process, so that the end of the relationship can happen smoothly and precisely.

What is a Third Party Under CCPA?

· ·

The California Consumer Privacy Act (CCPA), which went into effect January 1, 2020, took a different approach to how it defines a third party. The privacy law doesn’t indicate what a third party is but rather explains what it is not. 

What Third Parties Are Not

Under the privacy law, third parties are people or organizations that are not the following:

  1. The business that collects consumers’ personal information from consumers under the CCPA.
  2. A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract that lays out certain, very specific stipulations.

Under the second option, the contract that governs the third party’s use of a consumer’s personal information must prohibit that third party from:

  • Selling the consumer’s personal information.
  • Retaining, using, or disclosing the consumer’s personal information for anything other than performing the services specified in the contract. These vendors are typically called “service providers.”
  • Retaining, using, or disclosing the consumer’s personal information outside of the direct business relationship between the individual and the business.

In addition, the third party that receives the consumer’s personal information under the CCPA is required to certify that it understands the requirements of the privacy law and will comply with the requirements of the privacy law.

The Goal of the CCPA

The privacy law aims to improve the data privacy and protection rights for California residents by imposing rules on how businesses handle and use consumers’ personal information.

The CCPA, the most extensive consumer privacy law to pass in the United States, has been compared to the European Union’s General Data Protection Regulation (GDPR), other data privacy laws, and data privacy regulations.

However, when it comes to CCPA vs. GDPR, the GDPR focuses on creating a “privacy by default” legal framework for the entire European Union, while the CCPA is about creating transparency by giving California residents certain rights pertaining to their personal data.

The privacy law requires companies to tell California residents what personal data they are collecting. Under the CCPA, California residents have the right to tell businesses not to sell their personal information and request that those companies delete their personal information.

How the CCPA Defines a ‘Business’

Under the California privacy law, a “business” is defined as a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Under the CCPA, the business must also collect the personal data of California residents, operate in California, and meet at least one of the following criteria:

  • Has annual gross revenues of at least $25 million
  • Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of at least 50,000 California residents or households
  • Earns more than 50 percent of its annual revenue from selling consumers’ personal information

The privacy law requires that businesses that collect consumers’ personal information tell consumers, at the time they collect the personal data of California residents or before they collect that personal data, about the categories of personal information that they will be collecting. Under the privacy law, the organization must also tell California residents how it will use the categories of personal information it collects. 

How the CCPA Defines a Sale

The California Consumer Privacy Act defines “sale” very broadly. Sale basically includes any method of transferring consumers’ personal information. However, under the privacy law, such transfers have to be made in exchange for money or other “valuable consideration.” 

Although the CCPA doesn’t define valuable consideration, the privacy law does allow the California attorney general to provide guidelines to further the CCPA’s purpose. And that could mean offering a more specific definition of valuable consideration. However, until that happens, there is nothing definite as to what would constitute valuable consideration under the privacy law.

The California Consumer Privacy Act also limits the ability of third parties to resell consumers’ personal information that they obtain from businesses as defined under the privacy law. 

The California Consumer Privacy Act requires that third parties give consumers explicit notice of the sale of their personal information and provide them with the ability to opt-out of the sale of their personal data.

When third parties receive verified consumer requests for access to their personal data, they must give those California residents the following information: 

  • The categories and specific pieces of personal information the business has collected about the California residents.
  • The categories of personal information the business sold about the California residents.
  • The categories of third parties to whom they sold consumers’ personal information (identified by the category of personal information for each third party)
  • The categories of personal information that the businesses disclosed about the consumers for business purposes.

Under the CCPA, Service Providers Treated Differently than Third Parties

It’s also important to note that third parties are defined and treated differently than service providers, which the California Consumer Privacy Act defines as entities that only “process” information on behalf of businesses and to which those businesses disclose consumers’ personal information for a business purpose specified in their written contracts (as noted above).

This means that businesses and their service providers that use data as specified in their contracts aren’t necessarily considered third parties under the California Consumer Privacy Act. 

However, how a business defines its vendors matters because under the privacy law, the business has to disclose to California residents the information about their personal data as noted above as it pertains to third parties. But a business is not required to disclose this information to California residents as it pertains to service providers. 

On the other hand, a business must require that its service providers delete consumers; personal information when those California residents request it. But those businesses don’t have that same requirement when it comes to third parties.

Under the California Consumer Privacy Act, if organizations don’t have the proper contracts in place with their service providers, those service providers may be treated as third parties under the privacy law. 

If businesses don’t want their service providers to become third parties under the privacy law, those contracts must contain a certification that the party receiving the personal data of California residents understands the requirements of the CCPA and will comply with them. 

Not including that certification means that the personal data of California residents that businesses share with service providers would be treated as sales, requiring those businesses to allow California residents to opt-out of having their personal data shared with those third parties.

How Effective Vendor Risk Management Can Drive Your Business Forward

· ·

Whether you’re adding a point-of-sales system or incorporating cloud service providers into your business operations, you’re continually adding new vendors to your data ecosystem. Cisco’s Global Cloud Index Forecast suggests that by 2021, 95% of all data center traffic will come from the cloud, 85.1 million cloud Infrastructure-as-a-Service workloads will exist, 402.2 million cloud SaaS workloads will exist, and 46.4 million cloud Platform-as-a-Service (PaaS) workloads will exist. In other words, vendor risk management (VRM) will drive cybersecurity and business success.

Effective Vendor Risk Management

How do I analyze potential third-party risks?

The first word everyone thinks of when third-party vendor due diligence pops up in conversation is “risk assessment.” However, an assessment of risk no longer qualifies as appropriate due diligence.

A risk assessment means you look at your critical infrastructures and list risks. However, assessing the existence of a risk is fundamentally different than analyzing the risk’s potential negative impact.

Analyzing risk requires you to look at the types of information the third-party vendor handles and then review the potential financial, reputational, and legal impact of a data breach.

For example, if your vendor is going to access personally identifiable information or protected health information, then a data breach would impact you substantially. If the vendor only accesses publicly available information, a data breach would have far less of an impact.

Are there regulatory compliance risk management requirements?

Regulations increasingly focus on vendor risk management, imposing fines or penalties arising out of vendor data breaches. For example, the 2017 New York Department of Financial Services regulation 23 NYCRR 500, devotes an entire section to third-party service providers’ security. The General Data Protection Regulation (GDPR) refers to data processors, which means vendors.

Both of these, as well as many other regulations, levy fines and penalties over companies who do not maintain adequate vendor management processes.

Can I effectively manage third-party risk?

As you increase the number of vendors who enable business performance, it’s normal to wonder whether you can create an effective risk management program.

While companies don’t add vendors without thinking about the risks, not all vendor risks are apparent. For example, your vendors use third-party IT suppliers as well. You may be able to assess the risk of your own contracted business partners, but tracking their vendors may be impossible. When looking holistically at your supply chain, the information security risks increase exponentially, almost to the point of impossibility.

Thus, the tracking and oversight taxes physical and personnel resources. While you may be able to manage some risks effectively, you may find that your risk management needs outpace your current system.

5 Steps in the Vendor Management Lifecycle

Assess Risk

Assessing risk is the first step to almost any compliance objective. While it sounds simple, it is often complicated. You may have all your systems, networks, and devices cataloged, but you may not know all the vendors who connect to them.

If you’re using a cloud service provider, you’re likely connecting your systems and networks to it. Any applications that connect your systems and networks to the cloud so they can share data need to have the appropriate controls.

The difficulty in assessing risk lies in peeling back the onion skin of vendors and associated applications.

Incorporate Security into Contracts

If you determine that a vendor’s security stance aligns to your own, you need to include cybersecurity within the Service Level Agreement (SLA).

Contracts act as a binding agreement between businesses and can also help you define liability. Under most regulatory requirements, you are legally required to cover the costs of any data breach that impacts your customers. Therefore, you need to make sure that your vendor understands their liability if they cause the data breach.

Moreover, SLAs should also document when a vendor’s cybersecurity stance is a cause for contract termination. Malicious actors continually evolve their attack methods. Therefore, if a vendor regularly ignores security alerts, you may be at risk. Defining cybersecurity activities that lead to contract termination can help you secure your data.

Monitor Continuously

Cybersecurity professionals believe that you should always “trust but verify.” You can incorporate vendor responsibilities into your contract and approve vendor policies and controls. However, companies don’t always adhere to their internal control decisions.

You retain the burden of monitoring not only your data environment but that of your vendors. Their risk is your risk. Therefore, if you see something wrong with your vendors, you need to say something. If they don’t remediate the problem, you need your backup plan.

Plan an Incident Response

Vendors often enable critical business processes. Whether it’s a payment system vendor or a database SaaS platform, a vendor cybersecurity incident can lead to business disruption.

Part of effectively managing third-party risk lies in ensuring that you have an incident response program that can help you rapidly return to regular business operations.

Another part of your incident response plan should be customer notification. Even though the breach isn’t your fault, you still need to tell your customers it occurred.

Communicate Internally

Whether you’re aligning to regulations or industry standards, you need to effectively communicate risk with senior management and your Board of Directors.

The “governance” in “risk, compliance, and governance” focuses on oversight. Your senior management team and Board can’t effectively oversee your vendor risk management program if you don’t tell them the risks and ways you chose to mitigate them.

ZenGRC Enables Vendor Risk Management

Vendor risk management drives business success. Your customers need to know they can trust you, but they also need to know that you can document and verify their trust.

With ZenGRC, you can create workflows that help manage vendor risk tracking and reporting. ZenGRC’s workflow tagging and task prioritization capabilities make tracking requests and managing responses more efficient.

Vendor risk management requires paperwork. With ZenGRC provides a centralized dashboard, you can view KPIs that offer you a single source of information over your vendor risk management program’s effectiveness.

For more information on how vendor risk management can increase business success, download “Driving Your Business Forward Through Effective Vendor Risk Management.”

How to Manage Technological Risks?

· ·

In all sectors, technology has become a vital aspect of operations and has transformed the workplace, but that dependence on technologies also poses a threat to organizational wellbeing. Data breaches, system failures, malicious attacks–as well as natural disasters that impact technologies–can wreak havoc on company reputations, regulatory compliance and fiscal health.

In some cases, the damage from these events is irreversible or long-term. A proactive strategy to mitigate tech risks are foundational aspects of operations. Your company needs such a plan that prevents, responds and continuously monitors for these risks.

Monitoring and Managing Risks in Technology

The adage, “An ounce of prevention is worth a pound of cure,” is entirely applicable to monitoring and managing tech risks.

A whole-organization system is necessary that ensures assessing and monitoring data from end to end user.

The first step in creating such a system is to identify risks and harmful situations that can occur. For IT risk assessments, that begins with evaluating valuable systems, sensitive data and company operations. Consider the organizational information that might be valuable to hackers.

Systems and operations that store, maintain, use and process this data should be scrutinized for vulnerabilities. Beyond your own systems, who holds this data?

Consider vendors and other third-party entities, as well as employee cell phones and computers. Explore shared information and possible outcomes of data exposure. What safeguards are in place to protect the organization? Do you have a program for Vendor Risk Management (VRM)?

Pertaining to monitoring, it’s not enough to set procedures in place and walk away, trusting this is forever adequate. In effect, you need to continuously monitor your monitoring system.

Risks change over time– some increasing and others decreasing. Does your monitoring system follow and adapt to these trends in risk? Evolving and new risks can be discovered by examining industry trends, software vulnerabilities, and corporate and vendor operations.

What triggers mitigation and response to tech risk at your organization? One definition of trigger is, “a single predefined event or change in status, which indicates that an actual or potential risk has occurred or is about to occur.” In management of technological risk, those triggers need to be determined when conducting risk assessments.

Leaked passwords, suspicious emails, stolen or lost devices and potentially exposed data are examples of triggers.

In management of tech threats and risks, it would be wise to thoroughly scrutinize vulnerability due to internal threats, according to security expert, Marc van Zadelhoff.

In his Harvard Business Review article, Zadelhoff, cites IBM findings from the 2016 Cyber Security Intelligence Index, which determined that more than half of all attacks were the result of insiders, with roughly seventy-five percent of those malicious intent and the others due to human error and/or unintentional.

What monitoring systems are in place for insider threats? What are the triggers that your organization has developed for suspicious or potentially malevolent internal activities? How do you monitor the viability of your back-up data and systems?

And as with other aspects of your program, triggers must be continuously monitored. If the risk changes, or a new risk evolves, it is likely the triggers that determine response and mitigation need to change as well. And of course, thresholds should be established for varying procedures when a risk escalates.

Plan for Worst Case Scenarios

In addition, it’s vital to have a business continuity plan (BCP) that includes protocol for handling IT disruptions and reestablishing services so primary organizational objectives can be met. Even unplanned downtime due to a simple power outage can hurt your revenue streams in a big way.

Some statistics cite the average cost per minute of downtime at a staggering $5,600, or well over $300,000 per hour. For unplanned outages impacting call centers, a recent study estimates the cost per minute is $7,900, or forty-one percent higher than previous findings.

Ouch. Those are painful numbers to contemplate.

And further, in the event of a tech disaster– such as if a cyberattack and a breach of Personally Identifiable Information (PII) occurs— the speed, transparency and efficiency of your company response are critical to the business reputation.

Worst case scenarios should be planned for in table-top exercises, up to and including press releases, and regulatory and customer notifications. What would happen if PII was held for ransom or corporate data was destroyed?

In an era that (rightly) demands transparency of corporations, hiding organizational transgressions is not favorable in the eyes of the public and can have long term impacts that haunt your company’s name long after a breach. Probing this area and planning for crisis response are critical in today’s ever-evolving world of data security.

What is the Vendor Security Alliance Questionnaire?

· ·

The Vendor Security Alliance (VSA), a coalition of companies committed to improving Internet security, created the Vendor Security Alliance questionnaire to measure potential cybersecurity risks and evaluate potential vendors with a streamlined list of questions. Today, the VSA is a coalition of technology-enabled companies that are focused on decreasing vendor cybersecurity risk.

The VSA offers two free questionnaires that it updates annually to reflect changes in the cybersecurity threat landscape as well as changes in technology:

  • VSA-Full: The classic VSA questionnaire focuses intensely on vendor cybersecurity. The VSA-Full cybersecurity questionnaire assesses a vendor’s data protection, access controls, cybersecurity policies, and cybersecurity standards. In addition to focusing on vendor cybersecurity, this VSA cybersecurity questionnaire provides an in-depth cybersecurity vendor assessment.
  • VSA-Core: This cybersecurity questionnaire consists of the most critical questions regarding vendor cybersecurity and privacy. The privacy section covers the requirements of the U.S. privacy data breach notification regulation as well as the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR). Organizations that have to deal with vendor cybersecurity and also have to comply with the U.S. privacy data breach notification, the CCPA, GDPR , and other data protection laws should consider using this cybersecurity questionnaire.

The VSA released the VSA-Core cybersecurity questionnaire in October 2019, in part to better align the balance between cybersecurity and privacy. The VSA created this streamlined cybersecurity questionnaire to reduce the number of cybersecurity questions organizations needed to assess vendors’ operational cybersecurity controls. The VSA-Core cybersecurity questionnaire also provides key questions to assess whether the vendors can protect data.

The new privacy and cybersecurity laws along with increasingly sophisticated hacking tools mean it’s critical that companies assess the cybersecurity and privacy protections of all their partners and third-party vendors.

The average cost of just one data breach is approximately $3.92 million, according to the 2019 Cost of a Data Breach Report. That’s why organizations have to focus on cybersecurity and preventing data breaches.

Organizations can use the VSA’s cybersecurity questionnaires for vetting vendors and ensuring the appropriate cybersecurity controls are in place to improve cybersecurity.

The VSA lets members use its network of third-party auditors to conduct risk-based cybersecurity assessments of their vendors. This allows companies to assess more vendors faster and less expensively than in the past. Although the VSA questionnaires were created for VSA members, non-members are also able to use the VSA questionnaires.

The VSA coalition of companies was formed to enable companies to streamline vendor cybersecurity processes and create a standardized cybersecurity compliance benchmark across industries. One of VSA’s main focuses is to create a proprietary process for screening potential vendors’ cybersecurity risks so they can reduce cybersecurity threats and mitigate those cybersecurity risks.

As such, the VSA questionnaires are easy to complete, straightforward, and clear about the input that’s required from both the vendor and the brand. Many organizations also use the VSA questionnaires as baselines when they initially establish their cybersecurity teams and/or data protection policies.

Vendor cybersecurity assessment questionnaires, including the VSA cybersecurity questionnaires, are one piece of vendor risk management. The VSA cybersecurity questionnaires and other such cybersecurity questionnaires help organizations verify that their service providers are following the appropriate information security practices and are also able to assist with incident response planning and disaster recovery.

Vendor risk assessment questionnaires, such as the VSA risk assessment questionnaires, help companies understand that no matter their industry, data protection is critical and cybersecurity questionnaires are the foundation of any third-party vendor risk management program. Many companies are also investing in third-party risk management automation so they’re better able to mitigate vendor cybersecurity risk.

Even if a company employs tight cybersecurity controls and a top-notch information security policy, vendor risk management must be the focus of its information security program. And this means the organization has to manage cybersecurity risk from onboarding through offboarding its vendors.

It’s difficult for a company to get a clear understanding of a vendor’s internal network cybersecurity, data security, and information security without asking the vendor for additional information.

A company can use the VSA cybersecurity questionnaires or other industry-standard cybersecurity questionnaires as starting points for building a robust vendor risk management program, and then adapt its vendor risk management program based on the needs of the organization.

The VSA makes its vendor cybersecurity questionnaires available to the public at no cost, allowing organizations to discover early on the vendors with weak cybersecurity practices. The VSA cybersecurity questionnaires streamline vendor cybersecurity compliance and enable cybersecurity teams to thoroughly assess their third-party vendors’ cybersecurity postures.