@ISACA Volume 15, 29 July 2015

Getting Started With a Vendor or Supplier Management Process

By Lisa Young, CISA, CISM

With the increase in outsourcing services and cloud computing use, third-party suppliers and vendors are taking on increasingly fundamental roles in the operation of organizations. As the scope, scale and complexity of vendor relationships and services increase, the risk related to them and the importance of effective vendor management increase proportionately. Managing external vendors and suppliers should be a key competency for every enterprise. Creating awareness within the enterprise about the risk and threats posed by third parties that provide IT products or services is the first step toward effective vendor management. Here are some considerations for getting started on your vendor or supplier management process:

  • Compile and document a list of the most important vendors and suppliers. To determine their importance, begin by reviewing the high-value services and products that your organization delivers. What are your organization’s most important value-producing undertakings? In other words, why do you exist and what are the productive activities that support the mission, vision and values of the organization?
  • Once you have identified the services and products that are most important to the organization, evaluate which IT assets underpin the delivery of those particular products or services. List the supporting IT assets that are most important to the delivery of each service or product. As you mature the process, you can expand the scope to other asset types (e.g., people, information, raw materials, facilities).
  • The previous steps will help you develop a list of the top 10-15 services or products that your organization values most and the IT assets that provide the supporting infrastructure for their delivery. The assets may be owned and managed by your staff, contract staff, a third-party vendor or supplier, or some combination of these. The outcome from this step produces a prioritized list of third-party vendors or suppliers on which your organization most relies.
  • For each critical third-party vendor or supplier identified in the previous step, conduct a review of the agreement and terms under which you operate. This agreement may be called a contract, memorandum of agreement, memorandum of understanding, operational level agreement or service level agreement. This is a good starting point for understanding the suppliers’ or vendors’ obligations to your organization. There are many items to review in the agreements, and additional guidance and a checklist of these items can be found in Vendor Management: Using COBIT 5. Common items that should be included in the agreement are:
    • A definition of the service being provided, the expectations of the supplier, and a timetable for delivery of the product or service
    • Respective responsibilities of the third-party supplier and your organization
    • Provisions for legal or regulatory compliance
    • How disputes will be resolved and/or penalties for not meeting expectations or service delivery
    • Confidentiality and nondisclosure provisions (including how the supplier vets its own staff)
    • Agreement termination conditions (including what happens to any information stored by the vendor or supplier)
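The first three steps above reduce to a dependency map: services ranked by importance, the IT assets each depends on, and the party that operates each asset. The following script is an added example (it is not part of the ISACA article) that carries that procedure through in code: it folds a constructed inventory of hypothetical services, assets and operator names into a prioritized vendor list, ranking vendors first by the most critical service that depends on them and then by how many services rely on them, so that concentration of reliance on a single supplier becomes visible. Assets marked "internal" are run by the organization's own staff and are excluded from the vendor list.

```python
"""Derive a prioritized third-party vendor list from a service -> asset -> operator map.

Added example, not from the ISACA article. Every name in the inventory
below (services, assets, operators, tiers) is constructed for illustration.
"""
from collections import defaultdict

# Constructed service inventory: criticality tier (1 = most important) and
# the IT assets each service depends on.
SERVICES = {
    "online-ordering":  {"tier": 1, "assets": ["web-frontend", "payment-gateway", "order-db"]},
    "customer-support": {"tier": 2, "assets": ["ticketing-saas", "knowledge-base"]},
    "payroll":          {"tier": 1, "assets": ["payroll-saas", "identity-provider"]},
    "marketing-site":   {"tier": 3, "assets": ["web-frontend"]},
}

# Constructed asset register: who operates each asset. "internal" marks
# assets run by the organization's own staff rather than a third party.
ASSETS = {
    "web-frontend":      {"operator": "CloudHostCo"},
    "payment-gateway":   {"operator": "PayProcessor Inc"},
    "order-db":          {"operator": "internal"},
    "ticketing-saas":    {"operator": "HelpdeskSaaS"},
    "knowledge-base":    {"operator": "internal"},
    "payroll-saas":      {"operator": "PayrollSaaS"},
    "identity-provider": {"operator": "IdPVendor"},
}


def vendor_dependencies(services=SERVICES, assets=ASSETS):
    """Return {vendor: {"services": set, "assets": set, "top_tier": int}}.

    top_tier is the most critical (lowest-numbered) tier of any service
    that depends on an asset this vendor operates.
    """
    deps = defaultdict(lambda: {"services": set(), "assets": set(), "top_tier": 99})
    for svc, info in services.items():
        for asset in info["assets"]:
            operator = assets[asset]["operator"]
            if operator == "internal":
                continue  # internally run assets do not create vendor reliance
            rec = deps[operator]
            rec["services"].add(svc)
            rec["assets"].add(asset)
            rec["top_tier"] = min(rec["top_tier"], info["tier"])
    return dict(deps)


def prioritized_vendors(services=SERVICES, assets=ASSETS):
    """Rank vendors: most critical supported tier first, then by the number
    of services relying on them (higher concentration ranks higher), then name."""
    deps = vendor_dependencies(services, assets)
    return sorted(deps, key=lambda v: (deps[v]["top_tier"], -len(deps[v]["services"]), v))


def impacted_services(vendor, services=SERVICES, assets=ASSETS):
    """Services that would be affected if this vendor failed to deliver."""
    return sorted(vendor_dependencies(services, assets).get(vendor, {"services": set()})["services"])


if __name__ == "__main__":
    deps = vendor_dependencies()
    for rank, vendor in enumerate(prioritized_vendors(), start=1):
        rec = deps[vendor]
        print(f"{rank}. {vendor}: tier {rec['top_tier']}, "
              f"services={sorted(rec['services'])}, assets={sorted(rec['assets'])}")
```

The ranking is the input to the fourth step: the vendors at the top of the list are the ones whose agreements should be reviewed first. Extending the asset register with other asset types (people, facilities, information) only requires adding entries with an operator field.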

Reliance on vendors and suppliers is often part of the normal conduct of business operations. Evaluating the risk to the organization from this reliance on vendors and suppliers is important to the continued success of the enterprise. Failure to manage the vendors and suppliers exposes the enterprise to risk in the form of the costs associated with replacing the vendor, potential revenue loss, exposure of customers’ personal information, and inability to deliver the services and products on which your customers rely.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


ISACA Membership Benefit: Discounts in ISACA’s Bookstore


As a member of ISACA, you receive significant discounts on all resources available within the ISACA bookstore including ISACA exam review materials, results from the latest industry research projects and more.

If you are taking a certification exam in September or December, there is still time to get ready. Your local chapter may host a review course for the upcoming exams. Chapter leaders who are certified and active in their field may be able to provide additional insight. Certified members earn continuing professional education (CPE) hours for mentoring. Please reach out to your local chapter leaders to acquire a mentor, gain knowledge and build your network.

As a member of ISACA, you receive significant discounts in the ISACA bookstore. Order study materials such as the Practice Question Database, Review Manual, and the Review Questions, Answers and Explanations Manual to prepare for the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) certification exam. You can also browse the archived study aids for the CISA, CISM, and CGEIT exams in the eLibrary.

If you currently hold an ISACA certification, your membership helps you retain your certification by providing more than 70 free CPE hours. You can participate in webinars, virtual conferences and take ISACA Journal quizzes to keep your certification active.

Your ISACA membership supports your career enhancements and achievements. Browse all of your membership benefits online in the myMembership tab in your ISACA profile.


Vendor Governance in the Age of Information Security


From businesses to government agencies, nearly every entity contracts some aspect of software development, system integration and hosting services, creating an emerging crisis in accountability. To help strengthen vendor governance policies, ISACA Journal volume 4 author Arian Eigen Heald, CISA, CGEIT, CEH, CISSP, GCFA, provides 5 strategies to ensure better oversight:

  1. Recalculate the risk and cost of secure software development—For many, especially cash-strapped government agencies, cost has been the limiting factor for providing sufficient vendor oversight. Today’s rising incident rates for data breaches, coupled with increased regulations, call for a fresh look at the cost-benefit analysis of putting more resources into vendor oversight. In addition to data breach record costs, there is significant compliance risk in not providing sufficient oversight of vendor activities.
  2. Mandate secure software development—Security controls should be built into every phase of software development, regardless of which software development model the vendor uses. In many third-party environments, security is a much-delayed add-on, and documentation is focused primarily on application development and meeting business requirements. How a software developer builds the development environment is critical to the delivery of a secure application and infrastructure.
  3. Maintain access controls—With adequate resources, a contracting entity can better ensure that vendors implement compliant controls and develop secure software that meets business requirements. Vendors ought not to be allowed to develop in a security vacuum where use of generic administrator identifications (IDs) is the norm and password controls are minimal.
  4. Start configuration management from the beginning—Patching and updating critical system components that work in layers can lead to expensive crashes and downtime when systems are not configured to a single standard across the architecture. A patch may work perfectly on one Linux server and fail on the next because someone made a change to the server that was not documented. When this is replicated across more than 200 servers, the cost to managing updates can become prohibitive and lead to insecure systems. Monitoring changes on systems is much easier when a common standard is implemented. Small changes can also be the first alert of a data breach in progress.
  5. Control logging and monitoring—The organization will want to retain control of audit logs that may contain confidential information, in order to determine whether the vendor is performing activities that are compliant with federal requirements. Logs can be stored at a vendor location without the vendor having access beyond read-only, or can be transferred to another location. Alternatively, another third-party vendor could be engaged to perform monitoring activities as long as that party reports to the contracting organization, not to the vendor performing the administrative activities.
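Strategy 4 rests on a concrete check: when every server is built to one documented standard, a host can be compared against that standard and any undocumented change surfaces immediately. The script below is an added example (not code from the Journal article) showing that comparison: it builds a manifest of SHA-256 digests for a "golden" configuration tree, does the same for a host's tree, and reports files that were modified, added or removed. The file paths and contents are constructed in a temporary directory for the demonstration and are not from any real system.

```python
"""Detect configuration drift from a single baseline by comparing file digests.

Added example, not from the Journal article. The golden tree and the
"host" tree below are constructed in a temporary directory; the paths and
contents are illustrative only.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def drift_report(baseline, observed):
    """Compare an observed manifest against the baseline manifest."""
    return {
        "modified": sorted(p for p in baseline if p in observed and baseline[p] != observed[p]),
        "added": sorted(p for p in observed if p not in baseline),
        "removed": sorted(p for p in baseline if p not in observed),
    }


def has_drift(report):
    """True if any category in the report is non-empty."""
    return any(report[k] for k in ("modified", "added", "removed"))


def write_tree(root, files):
    """Materialize {relative_path: content} under root (helper for the demo)."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo():
    """Constructed scenario: a golden config set and a host with three undocumented changes."""
    golden = {
        "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        "etc/sysctl.d/99-hardening.conf": "kernel.kptr_restrict = 2\n",
        "etc/sudoers.d/ops": "%ops ALL=(ALL) ALL\n",
    }
    host = dict(golden)
    host["etc/ssh/sshd_config"] = "PermitRootLogin yes\nPasswordAuthentication no\n"  # weakened
    host["etc/cron.d/backup"] = "0 2 * * * root /usr/local/bin/backup.sh\n"        # unexpected job
    del host["etc/sudoers.d/ops"]                                                   # policy file gone
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp) / "golden", golden)
        write_tree(Path(tmp) / "host", host)
        return drift_report(build_manifest(Path(tmp) / "golden"),
                            build_manifest(Path(tmp) / "host"))


if __name__ == "__main__":
    report = demo()
    for category, paths in report.items():
        for p in paths:
            print(f"{category}: {p}")
    print("drift detected" if has_drift(report) else "host matches baseline")
```

In practice the golden manifest is generated once from the approved build and stored outside the managed hosts, and the comparison runs on a schedule; a non-empty report is the "small change" that strategy 4 describes as a possible first indicator of an incident, and it also tells the patching team which hosts no longer match the standard before an update is rolled out.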

Read Arian Eigen Heald’s full article, “Vendor Governance in the Age of Information Security,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.


Book Review: Social Engineering in IT Security: Tools, Tactics, and Techniques

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

Social Engineering in IT Security: Tools, Tactics, and Techniques by Sharon Conheady covers the subject of social engineering adequately and succinctly. The book takes a no-nonsense approach to the topic and delves into aspects of social engineering that are missed in other books on this speedily evolving, but critical, aspect of the information age. This book, which contains practical references, covers the history of social engineering, social engineering-related penetration testing and methodologies of countering the threat posed by social engineering. These concepts are explored in simple terms and have minimal technicality so that they can be understood by anyone familiar with the corporate business world.

The book contains detailed guidance on the techniques to self-perform social engineering incursions with effective skills, methods and delivery. In outlining the social engineering attack scenarios with clinical precision, Conheady alerts readers to the type of dangers present in the modern world.

This book is set up to take a critical look at possible oversights. While it may be difficult to always be vigilant, the book reminds readers of the safeguards that, if enforced, could have prevented many losses that have occurred at private and public institutions.

This book has the ability to keep readers’ interest piqued, making it hard to put the book down. The book has a reader-friendly layout that enhances the content. Social Engineering in IT Security has a unique outlook on the subject of social engineering, and it discusses history, psychological perspectives and techniques for readers to use. There is a combination of illustrations, tables and pictures that makes the book visually appealing.

Some of the most valuable aspects of the book are the discussions of the facets of planning, researching and executing social engineering testing. The author goes a notch further by providing insights into writing a social engineering report and then gives a treatise on the trends of social engineering.

The book falls somewhat short in its description of technology as a tool for deploying social engineering and also in its use as a counter for such threats. However, despite technology’s key impact on this evolving threat area, social engineering is more about the people who are manipulated for access to restricted areas and information, and these are aspects thoroughly covered by the book, making it a must-have for all those who wish to stay informed on this hot topic.

Social Engineering in IT Security: Tools, Tactics, and Techniques is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. Etea also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).