Each month through 2021, The Morning Breach is going to tackle topics to help businesses better protect themselves against cyber criminals. The first thing that needs to be done with any change to a cybersecurity plan is proper, up-to-date documentation, so it makes sense that throughout January we focus on the policies and procedures every business should be documenting. Not only will we talk about them, but you will be able to find samples of them at themorningbreach.com to download, edit for your organization, and implement. If you don't take the time to build this documentation properly, you have no way to gauge how secure your data actually is.
The Data Security Vendor Checklist isn't a policy, but it is a critical document that you should have on file for every vendor that has access to or stores your data. You need to understand how these third parties treat your data and the access you are trusting them with. The Blackbaud breach in 2020, where the compromise of a single vendor exposed data it held on behalf of hundreds of its customers, is a strong enough example.
So who should you have complete this form? Managed service providers or your IT vendor, printing companies, line-of-business applications, and any vendors used to monitor, manage, and protect your networks.
Start by building a technology org chart: list the vendors and applications you use and what you use each of them for. Any vendor that connects to your network, accesses your data, or stores your data in the cloud belongs on that list, and that is your starting point.
As you receive the completed checklists, you want to understand whether each vendor is collecting any PII, because a breach involving PII can trigger a completely different set of breach-notification obligations. For each vendor, review how the data is collected, how it is stored, what encryption is used in transit and at rest, which compliance frameworks and certifications the vendor holds, and the vendor's written security policies. A SOC 2 audit covers many of these policies, so a vendor that provides its final SOC 2 audit report has done much of the work for you; still check the report's scope, the period it covers, and any exceptions the auditor noted, because a SOC 2 report is an auditor's attestation about specific controls, not a blanket guarantee.
Before you ask: yes, over the next four weeks we will be working on creating those same policies you are requesting from your vendors, because you should have them on file as well.
If you are contracting with a managed services provider or IT vendor, get them involved in the process, as they can likely speed things up with the other vendors. You also want them to list the applications and services they have deployed to protect your network and data. They should have vetted their own vendors already, and if you trust them to deploy a tool on your network, you should trust their judgement on why the tool is needed, but the list should still be on file. If you are in healthcare, finance, or government, ask to review the security documentation for those vendors, and be prepared to sign NDAs, as most vendors will require one to protect their own security stack.
If you have any questions, let us know by email.