Vendor Compliance Program (VCP)
ISO 27002 or NIST 800-53 versions available for the Vendor Compliance Program (VCP)
Using vendors or service providers is a common practice - this may range from bookkeeping, to IT support, to janitorial services, to website hosting and even temporary staffing. What all of these outsourced services have in common is that they expose your company to certain levels of risk that could therefore affect your customers' sensitive data. This "soft underbelly" for companies is well known to hackers and identity thieves as a way to get into companies and steal valuable data. The first step to address that risk is to let your vendors know what is required from them - this addresses due care. The next step is to hold your vendors accountable to meet your requirements - that is due diligence. You owe it to your clients to ensure your risks are addressed across your organization and that is where our Vendor Compliance Program (VCP) helps.
With requirements like the Payment Card Industry Data Security Standard (PCI DSS) requiring all companies that accept debit or credit cards to manage the information security risks associated with their own vendors, there is a need for a simple way for a company to inform its service providers of its expectations for managing information security risks. It is a common-sense requirement that businesses should already have in place, which is why there is a push to reduce risk with service providers.
What Problem Does The VCP Solve?
- Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. It is a reasonable expectation for companies to manage the security aspects of their 3rd party relationships.
- Audit Failures - Many organizations run into trouble in audits when asked HOW third-party or supply chain risk is managed, since they cannot provide documentation beyond policies and standards. The VCP addresses the HOW for you!
How Does the VCP Solve It?
- Clear Documentation - The VCP provides the documentation to prove that your vendor compliance program exists.
- Alignment With Leading Practices - The VCP comes in two versions, ISO 27002 or NIST 800-53, so it is written to support the most common security frameworks!
How do you manage information security requirements with your vendors to ensure that you stay compliant?
We listened to our customers and created the Vendor Compliance Program (VCP) that addresses information security requirements for vendors and service providers. This is a Microsoft Word document that allows you to make whatever edits you need to suit your specific requirements - we built it around best practices, and you make the finishing edits to complete it. Once it is done, you can publish these requirements to your vendors to let them know what is expected of them and how you may ask for evidence of their compliance with your requirements.
Our latest version of the Vendor Compliance Program (VCP) includes the following due care requirements that vendors need to ensure they follow, based on ISO 27002 or NIST 800-53:
- Information Security Governance
- Information Security Policies
- Human Resources Security
- Security Education & Awareness
- Information Risk Analysis
- Asset Management
- Identity & Access Management
- Physical & Environmental Security
- System Configuration
- System Monitoring
- Network Security
- Information Privacy
- Malware Protection
- Vulnerability Management
- System Acquisition, Development & Maintenance
- Change Management
- Information Security Incident Management
- Business Continuity & Disaster Recovery (BCDR)
- Processing Facilities
- Vendor Management
See For Yourself - Example Vendor Compliance Program
Don't take our word for it - take a look at the example Vendor Compliance Program (VCP) to see for yourself the level of professionalism and detail that went into it.
Example downloads: ISO 27002 Version | NIST 800-53 Version
PCI DSS version 3 requires companies to take an active role in managing risk with service providers.
Our comprehensive Vendor Compliance Program (VCP) removes the time constraints and errors associated with trying to generate the documentation by yourself and our product is a fraction of the cost associated with hiring a consultant to write similar documentation for you.
Reducing Risk Is Central To The Vendor Compliance Program
Having a Vendor Compliance Program (VCP) is focused on minimizing risk to your company, your partners and your customers. There is traditionally low-level (tactical) risk that is focused on weaknesses pertaining to routine systems and data. There is mid-level (operational) risk that is focused on weaknesses pertaining to business processes. There is also high-level (strategic) risk that has impact at an organizational level. Having a secure vendor relationship can address risk at all three of these levels.
Why Buy Our Vendor Compliance Program (VCP) For Your Compliance Needs?
It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft. It is well known that vendors and service providers are weak spots when it comes to network security. Managing risk associated with vendors and service providers is simple due care and due diligence.
In light of the recent credit card breaches at major retailers, it is likely that a crackdown will follow, requiring businesses to adopt better IT security practices. One of the most important points to remember when it comes to compliance is that if you cannot prove you are compliant (e.g., with documented policies & standards), your business is unlikely to be able to count on business insurance to cover the expense of a breach.