Vendor Due Diligence
In the process of choosing a Vendor/Third-party to handle sensitive client data, as part of due care and due diligence, organizations need to perform Vendor Security Questionnaires.
Organizations are responsible for performing due diligence before choosing an organization, and liability cannot be outsourced only because you are outsourcing a service or using a vendor. If the vendor suffers a data breach, it is critical that the organization can demonstrate it performed vendor due diligence.
- What type of data will the Vendor handle?
- How will they protect that data?
- Do they have any documentation regarding their Information Security Program?
These are some sample questions that you should be asking. We can help your organization review the vendors by:
- Asking a comprehensive set of questions as part of a "Basic Vendor Security Questionnaire"
- Reviewing any available security reports, including but not limited to:
- SOC 2 (Type 1, 2, or 3)
- ISO 27001
- HITRUST
- Requesting more information in the form of:
- Reviewing Vendor supplied documentation, including but not limited to:
- Full Security reports
- Incident Response Policy
- Acceptable Use Policies
- HIPAA Business Associate Agreements
- Etc.
- Providing your organization with a summary of our findings and recommendations.
DISCLAIMER: we can perform vendor due diligence to the degree the organization feels comfortable performing its due diligence for existing vendors and potential vendors. It is critical to always perform due diligence on a vendor/third party prior to storing sensitive data or giving them access to your network/systems. Vendor risk assessments are performed using the information and documentation provided by the vendor, however, we cannot represent nor can predict if the Vendor will have a cybersecurity incident or a data breach.
Please let us know how we can help, take advantage of our initial FREE 30-minute Consultation. Contact us to get started.