Vendor Risk Management – The New “Headache” For Data Outsourcers?

With the rise of cloud computing and outsourced services, data security has become the #1 issue for companies who put their data in the hands of others. Pivot Point Security addressed the issue by presenting Third Party Vendor Risk Management.
 
April 5, 2011 - PRLog -- John Verry of Pivot Point Security (an information security audit firm based in New Jersey) spoke before an audience of experienced senior Information Security professionals from a variety of markets at the CISO Executive Network's Philadelphia and New York City chapter events on Third Party Vendor Risk Management (VRM Security Guide: http://www.pivotpointsecurity.com/third-party-vendor-risk-management-presentation-pr). “It’s a complicated problem,” Verry said, “but we think that there are ways to simplify it like leveraging open, trusted standards... In this case, it’s critical that we find a simple way to prove the security posture of their outsourced vendors.”

Verry began his thought-provoking and challenging presentation with two very important questions regarding Third Party Vendor Risk Management.

- How do you tell what you need to tell?
- How do you know what you need to know?

As he pointed out in the presentation, outsourcing provides notable rewards, but it does not come without risk. While outsourcing may reduce costs and offer flexibility, the risk of failing to comply with laws and regulations becomes a factor. If a company outsources its development, hosting, and credit card processing, how does it know those third parties are secure? How does it know those third parties are compliant? And what attestation should be required from those vendors? These questions have to be addressed in the face of increased pressure from regulators and auditors to ensure that key vendors are secure and compliant.

If the third party has a data breach, which company will feel the impact? “Responsibility isn’t always obvious,” said Verry, “but ultimately the responsibility lies with the company who outsources the data, as well as the outsourced vendors.”

Companies that outsource services to a third party vendor must identify the potential risks. Once the risks are understood, they must verify that those business partners are compliant, stay on the lookout for new risks, manage any incidents, and remediate the risks.

Verry offered key questions to ask when managing third party vendor risk:

- What form of testing is suitable for the risks defined?
- What form of assurance/attestation is best?
- What direct access/testing is required for incident response/monitoring?
- What reporting and service level agreements do we need to monitor?

He continued by explaining the various forms of information security attestation, ranking them by level of assurance, time, and cost, from low-end, yet effective, vulnerability assessments to higher forms such as ISO 27001 certification. “There are lots of options,” Verry said, “but it can be extremely confusing. That’s why we created the VRM Security Guide – to simplify the process of sorting through the various forms of attestation that a company might require from a third party vendor.”

Pivot Point Security is pleased to share the Vendor Risk Management presentation, along with the VRM Security Guide. Please visit http://www.pivotpointsecurity.com/third-party-vendor-risk... to view the presentation and download the guide.

# # #

Continually evolving technology, business requirements, regulations, and threats make "being secure" and "proving you're compliant" increasingly complex. The only logical response: Simplify. Pivot Point Security makes it easier to prove that you are secure and compliant. Pivot Point Security knows how important compliance is – and understands third party vendor risk. For more information visit http://www.pivotpointsecurity.com