Know Your Vendors: The Importance of Comprehensive Risk Assessment Programs

McGuireWoods LLP

As companies continue to explore new outsourcing and cloud services models in search of improved cost and productivity efficiencies, service providers are being asked to handle increasingly sensitive types of data. However, some customers are not seeking heightened security measures from their vendors to safeguard this sensitive data.

A recent study by Gemalto, The State of Payment Data Security, provided some telling examples. More than half (55%) of the IT security practitioners surveyed did not know where all of their company’s payment data was stored or located. Fifty-nine percent of the responding IT security practitioners said that their companies allow third-party access to payment data, but, of those, only 34% require the use of multi-factor authentication to protect such data. The study also found that less than half (44%) of those surveyed use end-to-end encryption to secure their payment data.

This was emphasized recently in the Online Trust Alliance’s (OTA) 2016 Data Protection Breach and Readiness Guide, where the OTA included among its key lessons the important reminders that “security is beyond your walls” and that the level of protection required for data should be determined by taking into account the nature and sensitivity of such data.

In keeping with this concept, companies should be looking to develop comprehensive vendor risk assessment programs to make sure their sensitive data is protected, even when outside of their immediate control. An effective risk assessment program is an ongoing operation and should include:

  • understanding the nature of any data which a particular vendor may be able to access or store;
  • conducting risk assessments as part of the vendor selection process prior to awarding a contract;
  • making vendor security capabilities part of the key decision criteria for any RFP or other selection process;
  • requiring robust and specific data security protections within the contract itself; and
  • continuing to review vendor security practices and to assess compliance with contractually-mandated measures on a periodic basis over the term of the entire vendor relationship.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© McGuireWoods LLP
