Managing IT Vendor Risk: Are your contracting practices keeping up?
By: Brian Garcia
The proliferation of both cloud computing and cyberattacks has changed the threat and risk landscape for information technology (IT) practitioners, organizations and information technology service providers. Organizations are advised to review and update their vendor management governance processes in light of these technological changes and their resulting impact upon the outsourcing of critical infrastructure in order to address these challenges contractually before they sign or renew a contract.
Cybersecurity Has Become a Business-Critical Issue
The number of organizations contracting with third-party service providers has continued to expand in recent years beyond core infrastructure and application outsourcing. Service providers have responded to changes in the marketplace resulting from ever tighter IT budgets and the evolution of virtualized computing environments by offering flexible and rapidly scalable options such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), which leverage the benefits of virtualization and cloud computing without the traditional costs of building and staffing more data centers.
This growth in the IT services industry is expected to continue, as 71% of the respondents to a 2016 study conducted by Bomgar expect their companies to become more reliant on third parties in the next two years. Unfortunately, at the same time, 69% of the respondents to the same study say they definitely or possibly suffered a security breach resulting from vendor access within the last year. With the amount of vendor access to client information systems continuing to increase, it is important to understand whether vendors are applying adequate security controls to protect the sensitive data they are processing and/or storing.
This requires organizations to apply the proper amount of due diligence to ensure that this data remains protected in compliance with the applicable legal or regulatory requirements regardless of where it is processed or stored. Cost and functionality can no longer be the sole criteria for evaluating a vendor’s suitability. Information security risk must now also be a key consideration in the evaluation and contracting processes.
Don't Wait – Take a Proactive Approach to Managing Security Risk
In the event the worst happens and there is a data breach, is the service provider solely to blame for poor security and the compromise? No, the client is also responsible and ultimately accountable for protecting that information from loss or alteration. In addition to understanding what security controls have been put in place by the service provider, organizations should review their contracts to ensure that adequate safeguards are in place to define the roles and responsibilities for security incident response, remediation, loss of revenue, litigation costs and fines, access to data limitations, confidentiality and security requirements, and data destruction.
Contracts that do not adequately address these issues leave the client organization exposed to legal liability, fines and in select cases, potential criminal prosecution.
Contracts that do not require the service provider to meet defined security and data breach requirements implicitly assume that the vendor's precautions are adequate, when in fact they may not be. Organizations do not consciously want to wait until a cyberattack occurs to review and test the terms of the contract, but that is effectively what they are doing if they are not actively managing cyber risks in their vendor contracts. Too often, organizations have relied solely on the service provider to supply the necessary security protections and have not conducted risk assessments to determine what security gaps may exist within the vendor's security program and how those capabilities and gaps affect their own security and compliance obligations.
Taking a proactive approach to contracting should be encouraged. All IT service provider contracts should be reviewed to ensure that the proper protections and processes are in place, that the terms are enforceable, and that the organization has the ability to verify the adequacy of, and the vendor's compliance with, the contract requirements. Traditional outsourcing contracts for facilities and personnel are typically multi-year agreements with terms that remain static over the life of the contract. Contract terms for public cloud-based services, by contrast, have tended to be subject to changing terms and conditions initiated by the provider.
Do You Have the Right People?
Having a contracting staff that is knowledgeable and skilled in the area of IT is essential to managing effectively through these transformational shifts in technology and business models. The IT security team should be involved at the beginning of the vendor selection process to identify the specific security risks and capabilities of each prospective vendor. The IT team can determine whether the vendor has implemented a secure environment, has retained knowledgeable, well-trained security personnel, and has in place the internal information security governance required to reduce the risk of data breaches and other security incidents.
Reference: 2016 Bomgar Vendor Vulnerability Study, https://www.bomgar.com/assets/documents/Bomgar-Vendor-Vulnerability-Index-2016.pdf