Vendor Management Policy

Sometimes, a third-party contractor only needs access to certain company databases or permissions. Or, a third party’s services may only be required on certain days of the week. In order to sort out these technicalities, it is necessary for outsourcers to create a vendor management policy statement.

What is a vendor management policy?

A vendor management policy is a risk management technique that manages third-party contractors, vendors, and associates. To put it simply, it is a set of rules or controls that a company has over its third-party vendors.

What does a vendor management security policy include?

A vendor management policy outlines a service level agreement. It should also include controls the company has over the third party, cases when management should intervene, and standards the third party has to meet (which can include compliance standards like SOC 2 and ISO 27001). Equally important, it includes terms that protect the company from third-party risks, such as third-party liability, disaster recovery in case of an incident, and termination of the agreement, if standards aren’t met. It’s similar to an employment contract.

How does a vendor management policy statement help?

A good vendor management policy will help the third party avoid security incidents. If a prospective third-party vendor is not as well versed in the ways of operational security, a policy that dictates the vendor’s work can be helpful in preventing errors in the future.

The vendor risk management policy is the first step a company should take to manage its third-party vendors. One major risk factor involving third-party vendors is the lack of control the company has over them. A third-party risk policy is the simplest way to retain some control over those vendors.

For example, if a third party is able to perform its work without needing certain company information, access to that data should be restricted, mitigating the damage should that third party suffer a breach. A vendor management policy can restrict a third party’s access to parts or all of the company database. If a third party handles the payment process for a software company, that third party will handle the customers’ information. But a third party that provides some data storage space has no need for customer data. The software company can use a vendor management policy to restrict access to the data.

Why is it important to have a vendor risk management policy?

If a company outsources work, having a third-party risk policy is mandatory in the present day. With the cost of a data breach higher than ever, a comprehensive vendor management policy could save millions of dollars down the road. A third-party breach that leaks company data would also hurt the company’s reputation and cost it future customers.

When developing and implementing your own vendor management policy, some important considerations to note are the following:

  • Defining who or what constitutes a vendor or third party, so that the organization is fully covered.
  • Including clauses on non-disclosure agreements (NDAs) to ensure that all data and information (especially PII) is protected.
  • Defining clauses on acceptable use, as well as termination clauses. Termination clauses in particular are very important, as they ensure the data (and therefore the organization) remains protected in the event the two parties cancel an agreement.

A couple of historical examples of the impact of not having appropriate vendor management policies in place include:

  • Target’s 2013 data breach leaked the personal and financial information of 110 million customers, and began with a phishing email sent to a third-party contractor.
  • In March 2021, a third-party vendor working for Volkswagen left the Personally Identifiable Information (PII) of 3.3 million customers on the public web.