Vendor Cybersecurity Management
Managing the cybersecurity and privacy risk that is associated with third-party service providers is the "new normal" and is found in most modern statutory and regulatory requirements, as well as private-party contracts. The news is littered with stories of incidents and data breaches associated with third-party providers, and that always reflects badly on the company that hired the vendor. People remember the name of the company they entrusted their data to, not the name of the outsourced service provider that actually made the mistakes that led to the incident.
Can You Honestly Answer How Vendor Cybersecurity Requirements Are Managed At Your Organization?
When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as vendor management. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW the policies and standards are actually implemented. We did the heavy lifting and created several program-level documents to address this need and the Vendor Compliance Program (VCP) is one of those products.
Proactively Managing Third-Party Cybersecurity Risk
ComplianceForge currently offers one (1) product that is specifically designed to assist companies with proactively managing risk associated with third parties / vendors / suppliers:
The Vendor Compliance Program (VCP) is an externally-focused document that is a tool for organizations to manage cybersecurity risk with their third-party providers. There are two versions of the VCP - ISO 27002 and NIST 800-53 - since these are two of the most common security frameworks that companies align to.
It is never recommended to share your complete policies and standards, since those documents can possibly leak sensitive technical and/or business information that could negatively impact your organization. The Vendor Compliance Program (VCP) solves that problem by creating a shareable document that focuses on the industry-recognized leading practices that you expect your vendors to follow (e.g., NIST 800-53, ISO 27002, PCI DSS, HIPAA, etc.).