vendor-management-10-30-15.pngWhat’s one of the scariest things that keeps a bank CEO up at night? Two words: data breach.

The Federal Financial Institutions Examinations Council document on board and senior management responsibilities says:

“The responsibility for properly overseeing outsourced relationships lies with the institution’s board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue.”

Target corporation had 40 million credit card numbers exposed and eventually settled with Visa for $67 million. In 2014, we saw bigger companies in the headlines such as Home Depot and Sony fall victim to the same fate.

Target’s breach came through an HVAC vendor that had access to the retailer’s internal network. That means the bad guys only had to figure out how to sneak by the HVAC company’s security, not Target’s. This was a perfect example of how more robust vendor management practices could have prevented unauthorized access.

Think about all the people who need access to your building, systems, network, hardware, telephone lines, lighting, security, and so forth. How diligent are those other businesses about security?

If it’s time to ask your vendors for their annual SOC reports, reports that deal with organizational controls related to security and process integrity, insurance documents and financials, and you’re just checking boxes to satisfy an audit requirement, then you are doing it wrong.

Follow these seven steps to reinvent and strengthen your vendor management process.

Step 1: Obtain Executive Sponsorship
Vendor management should start at the top. You will need someone leading the charge and who has access to your bank’s board leaders.

Step 2: Create a Vendor Management Committee
These people should be from different departments and have different backgrounds, such as IT, legal, compliance, finance and senior leadership. Diversity here is crucial; everyone sees threat differently.

Step 3: Create a Centralized Vendor Management program
No single person can possibly be responsible for the entire program. It’s imperative that it becomes a collaborative effort.

Step 4: Gain Buy-In
Involving the staff creates a sense of ownership. It’s no longer just IT’s problem; it’s everyone’s responsibility.

Step 5: Create a Vendor Inventory
Make sure you know who your vendors are. Do you have multiple vendors doing the same function? Work with accounts payable to determine active vendors. The normal time span is 12 to 24 months.

Step 6: Categorize All Vendors
Does this vendor have access to customer data? Do they have facilities access? What is our risk if this vendor is compromised? This is where you identify critical and high-risk vendors.

Step 7: Remove the Silo
Save the documents to a shared resource. Everyone involved should have access.

How Would These Steps Prevent the Target Scenario?
Step six says to categorize all vendors and identify the risk. The HVAC vendor seems like it would be a low risk vendor, but when you dive into the level of access it had, you would quickly discover the HVAC should be a high risk vendor. The HVAC vendor was allowed access to the internal network which gave the hackers a way in. Although the HVAC didn’t have access to the customer data, they did have the keys to open the door.

Chris Nelms