[Narrator] Vendors play an important role in the information technology operations of every organization. Whether it's the simple purchasing of hardware or software from an external company or the provisioning of cloud computing services from a strategic partner, vendors are integral in providing the IT services that we offer our customers. Security professionals must pay careful attention to managing vendor relationships throughout the supply chain, and doing this in a way that protects the confidentiality, integrity, and availability of the organization's information and IT systems.

Perhaps the most important rule of thumb is that you should always ensure that vendors follow security policies and procedures that are at least as effective as those you would apply in your own environment. Vendors extend your organization's technology environment, and if they handle data on your behalf, you should expect that they execute the same degree of care that you would in your own operations. Otherwise, vendors may become the weak link in the chain and jeopardize your security objectives.

Security professionals charged with managing vendor relationships may think of their jobs as following a standard lifecycle. It's not unusual for a large organization to add on dozens or even hundreds of new vendors in a single year. And organizations often change vendors due to pricing, functionality, or other concerns.

The first step of the vendor management lifecycle is selecting a new vendor. Depending upon your organization's procurement environment, this may include anything from a formal request for proposals, known as an RFP, to an informal evaluation and selection process. In either case, security should play an important role, contributing to the requirements sent to vendors and playing a role in the evaluation process.

Once the organization selects a new vendor, the onboarding process begins. This should include conversations between the vendor and the customer that verify the details of the contract and ensure that everything gets off on the right foot. Onboarding often involves setting up the technical arrangements for data transfer, and organizations should ensure that they are satisfied with the encryption technology and other controls that are in place to protect information while in transit, and maintain its security while at rest in vendor systems. The onboarding process should also include establishing procedures for security incident notification.

After the vendor is set up and running, the security team's job is not over. The vendor should then enter a maintenance phase where the customer continues to monitor security practices. This may include site visits and recurring conversations, and the review of independent audit and assessment reports. The maintenance phase will likely also involve the handling of security incidents that occur at the vendor site. If the vendor never reports a security incident, this may be a red flag, as almost every organization occasionally experiences a security breach of some kind.

All good things must come to an end, and the reality is that even the most productive business relationships will terminate at some point. The offboarding process is the final step in the vendor lifecycle and includes ensuring that the vendor destroys all confidential information in its possession and that the relationship is unwound in an orderly fashion. Depending upon business requirements, the lifecycle may then begin anew with the selection of a new vendor.