processes. Before adding an IT vendor's product or service to your organization's operational profile, you must first set your own standards for IT security, governance and business continuity. You may choose from a few primary routes for such a policy:

1) Adopt the international series of standards, presently the ISO 27000 series
2) Adopt the free written policies used by your country's government, such as the US NIST standards
3) Adopt a uniquely created standard.

ISO/IEC 27001 formally specifies a management system to bring information security under explicit management control. A formal specification means that it mandates specific requirements so organizations can be formally audited and certified compliant. While ISO has expenses for purchasing the standards, it's globally recognized and provides a well-developed base outline for an organization to build unique standards around.

The ISO 27000 series is primarily designed around securing an enterprise, but with a little creativity it can be used for auditing and evaluating your vendors. The ISO standard contains 12 main sections that can be mapped specifically to the evaluation of any vendor. They include:
1. Risk assessment
—What is the general risk of doing business with the vendor (i.e. financial viability, technical solution, deployment options and requirements, etc.)
2. Security policy
—What is the vendor's written security policy
3. Organization of information security
—Governance of information security
4. Asset management
—Inventory, classification and prioritization of information assets and services
5. Human resources security
—Security aspects for employees joining, moving within and leaving an organization
6. Physical and environmental security
—Protection of the physical users' computers and devices and the datacenter facilities
7. Communications and operations management
—Management of technical security controls in systems and networks
8. Access control
—Restriction of access rights to networks, systems, applications, functions and data
9. Information systems acquisition, development and maintenance
—Building security into applications
10. Information security incident management
—Anticipating and responding appropriately to information security breaches
11. Business continuity management
—Protecting, maintaining and recovering business-critical processes and systems
12. Compliance
—Ensuring conformance with information security policies, standards, laws and regulations

Now the real complication is making sure that all your standards meet the following criteria:

1) actually make you more secure
2) can be supported by your organization and properly managed to the standards you document
3) fulfill your governance requirements so you can provide proper reporting on all the regulatory and compliance standards your organization is subject to
4) continue to be applicable even when the inevitable adversity strikes and your infrastructure, people, and processes continue to operate at a minimal level to sustain the business needs.

In order to properly evaluate a vendor, we recommend a simple three-staged process for auditing and managing the vendor relationship on an ongoing basis. Ultimately, you can use this snapshot to demonstrate regulatory compliance, contractual compliance and adherence to information security best practices:
1. Issue a detailed questionnaire to your vendors. This should be a contractual commitment in your Master Service Agreement, and the replies should be contractually binding.
2. Conduct telephone and on-site visits to verify the responses to the questionnaire and to identify other gap areas not mentioned by the vendors.
3. Draft and deliver a final report that identifies areas of strength and weakness as measured against your organization's defined standards. We suggest allowing your vendor to review and provide comments on the report.
4. You must now judge whether the introduction of the vendor into your operations lets you maintain your acceptable risk level for the business.
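As an added illustration (not from the original article) of how the questionnaire, verification, report and decision stages fit together, the following Python models one vendor's results per ISO evaluation area against your organization's own defined standard. The 0..5 scoring scale, the one-point discount for answers not yet verified and the gap thresholds are assumptions of this example, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional
# The 12 evaluation areas listed in the article (ISO/IEC 27002:2005 clause names).
DOMAINS = [
    "Risk assessment", "Security policy", "Organization of information security",
    "Asset management", "Human resources security", "Physical and environmental security",
    "Communications and operations management", "Access control",
    "Information systems acquisition, development and maintenance",
    "Information security incident management", "Business continuity management", "Compliance",
]
@dataclass
class DomainResult:
    domain: str
    claimed: int             # vendor's questionnaire self-score, 0..5 (assumed scale)
    verified: Optional[int]  # score confirmed by call/on-site visit; None if not yet verified
    required: int            # your organization's own minimum for this area

    @property
    def effective(self) -> int:
        # Verification overrides the questionnaire; an unverified claim is
        # discounted by one point until checked (assumption of this example).
        return self.verified if self.verified is not None else max(self.claimed - 1, 0)

    @property
    def gap(self) -> int:
        return max(self.required - self.effective, 0)

def gap_report(results):
    # Strengths and weaknesses measured against the organization's own standard;
    # unsupported_claims are answers the verification stage could not confirm.
    return {
        "strengths": [r.domain for r in results if r.gap == 0],
        "weaknesses": {r.domain: r.gap for r in results if r.gap > 0},
        "unsupported_claims": [r.domain for r in results
                               if r.verified is not None and r.verified < r.claimed],
        "not_assessed": [d for d in DOMAINS if d not in {r.domain for r in results}],
    }

def accept_vendor(results, max_total_gap: int, max_single_gap: int) -> bool:
    # Decision stage: does the vendor keep you inside your acceptable risk level?
    gaps = list(gap_report(results)["weaknesses"].values())
    return sum(gaps) <= max_total_gap and max(gaps, default=0) <= max_single_gap

# Constructed sample (not real vendor data): four of the twelve areas scored.
SAMPLE = [
    DomainResult("Security policy", 5, 5, 4),
    DomainResult("Access control", 5, 3, 4),                                # on-site visit found a gap
    DomainResult("Information security incident management", 4, None, 4),  # not yet verified
    DomainResult("Business continuity management", 2, 2, 4),
]
```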
Assuming you're comfortable with the vendor, your report provides a point-in-time analysis of the vendor and a risk profile. It should also fulfill the following: