Rob: 0:00

Hello and welcome to the Van Rein Compliance Podcast. I'm Rob.

Dawn: 0:03

And I'm Dawn.

Rob: 0:04

And hello Dawn, we're back. No, we're back. We're back for another week of fun podcasting fantasticness.

Dawn: 0:11

Yes.

Rob: 0:11

This week we are diving into vendor oversight, and it's more than check the box, Because why, Dawn, are we diving into vendor oversight this week?

Dawn: 0:21

Because it is a huge gap that we're seeing right now in compliance.

Rob: 0:25

Yep, major gap. We're going to dive into what vendor oversight is this week. We're going to dive into why the third and fourth party vendors are the biggest risk to your business, to your data and financial loss when they have a data breach. So we're just going to dive right on in. Let's do it Well. First on, why don't you explain what vendor oversight really is? Since you're the intellectual one, take us through, teacher.

Dawn: 0:49

It's if you have basically third-party vendors, cloud providers, data processors or vendors who have their own vendors. That's really what this is. So you want to make sure that any vendor that you work with that handles your data or your customer's data has data security in mind and has a good data security posture and that has been vetted by you, and that you have the proof of their data security before working with them.

Rob: 1:20

Before is the key piece so when we do audits, like, for example, say you're a oh let's see, let's say you're a health provider, right, and you're working with an EMR which is a step away from you. So you've created the record, you've put it in EMR, and then if that EMR is using an AI scribe in the backend, there's a third step. And if that AI scribe is using AWS or GCP or something else, there's a four-step. Those are four steps of risk to your business. Those are four actual security audits you should do. And there's actual legislation recommendations this year by Kennedy himself to strengthen security postures and actual audits. So think of the hub-and-spoke thing. It just keeps growing and growing.

Rob: 2:03

Any of those third or fourth-party vendors or data processors are actually going to give risk to your business. Yes, yep, you sound very excited about. Yes.

Dawn: 2:14

Well, it seems it's common sense.

Dawn: 2:16

But in going through audits and it is definitely something that people tend to look over. They say, oh well, this cloud provider or this person they're either a friend or they probably they're a big cloud provider, so I'm sure they're fine, but they don't bother checking. Now let's be honest. Aws you can go to their website. They have a trust center. You can see all the certifications they have. They know what they're doing.

Dawn: 2:41

But if you are going to, you know ABC data center. I mean, do you if they don't have any certificates available? If they don't, you know if they're very shady that type of thing then you probably want to stay away from that. You want to make sure you know who you're putting your data with, because if there is a breach, anything happens, you have to make sure that you know what the recourse is and what they will do to help you know what the recourse is and what they will do to help you know get that, get the data back. You know restore it and and know what their process is. So it's, it's pretty um, it seems like common sense, but honestly, it is amazing that who people use and and that they don't bother to vet who they're using.

Rob: 3:19

the piece to, kind of the oversight piece, is the constant uh, the constant relationship you build and the actual reviewing of how the data is processed and moved through the organizations at all times. It's not just a one and done, it's not just that we're going to get this done and move forward. You may do a security questionnaire today, but are you going to follow that up in a quarter? Are you going to follow that up in six months?

Dawn: 3:42

or how about a year?

Rob: 3:43

and do an annual audit, so you really need to get a good system of every. I would like to see quarterly, depending on the amount of data getting processed and the type of data monthly to quarterly audits and just reviewing and having a constant oversight into everything.

Dawn: 4:02

Yep, and you should keep a third party register. You should have a third party, a supplier register of who your suppliers are, what certifications they have, how long your contract's for, who your contact there is. You should keep all this information and it's very surprising A lot of people don't do this. You should keep documents of what you've contracted with them so you understand their contract and their terms and you understand what their compliance posture is. So do they have an ISO? Do they have a SOC 2? What do they have? Do they have high trust? And keep a list. You should have a simple spreadsheet of who your suppliers are and what your contracts are and that type of thing, Because if you need someone to look something up and something's happened, then you know here's our contract, here's here's who, who we, who, who um, who the supplier was, and you have all the information right there in a spreadsheet. It's as simple as that.

Rob: 4:57

Yeah, and and your reference back to AWS or even GCP or Microsoft or any of the large you know data model, uh, data, even GCP or Microsoft or any of the large data centers, even though they have a SOC 2, or an ISO or a high trust. You've got to verify that it's valid. For example, there is a data center that a client uses that we requested their SOC 2. I received it actually Friday, because we recorded this on Mondays and it was two years old.

Rob: 5:22

It was expired, so they don't have a SOC 2 because it expired. So, you've got to hold people accountable and you've got to revet that then. So now I got to go back to our, our client, and our firm says now you have an expired certificate. What are they going?

Dawn: 5:35

to do.

Rob: 5:35

Or an examination. Sorry, soc 2 examination.

Dawn: 5:38

Oh gosh, examination Everybody's going to get upset and that's a whole nother. That's a whole nother podcast is when people think they can just go do it one year, get the seal, get the patch, get the logo whatever it is, and be done with it. You have to. You have to annually audit, annually audit, examine whether it's SOC, iso, hitrust, hipaa, and you can't just put it on your website that you're compliant because you did an audit once or you took a training module once. That's not how this goes. That is not that. It's not a one and done, and so you wouldn't want your vendors that have all your customer data do that. Right, you know I mean, it doesn't make sense.

Rob: 6:16

Is that kind of where you say like it's you know. That kind of next piece is like where do you see companies fail? Right, so we now perform SOC two and ISO and high trust and NIST audits and the whole boatload more coming up. Where you know, where do we see people fail? Is it that due diligence you know? They kind of like set it and forget it, which once it's forgotten, it always fails. Or contracts I'm seeing contracts fail. What about you?

Dawn: 6:41

Well, your compliance program is based on your compliance and how secure your data is, and it doesn't stop with you and on your PC or your Mac. It goes deeper than that. So, in digging in these audits, finding out that vendors that they use don't have much compliance, and that's pretty scary. It's pretty scary. You're trusting your data to be backed up and restored by someone or something that doesn't have the compliance backing. So you need to pay attention to this and if you want to do a SOC 2 or an ISO or a high trust, you need to make sure you're working with vendors that they uphold data security to a high standard. To the standard I mean the standard that everyone should honestly is having that certificate that they have the program in place.

Dawn: 7:28

They have policies and procedures in place and they actually have them implemented and they actually do them, and that's the other thing is that they're actually walking the walk. So keeping that list, doing a quarterly or annually audit of who you are working with, who your vendors are, making sure that they still have their certificates updated and they're still doing what they need to be doing, and giving them a questionnaire I've given our customers questionnaires to give to their vendors.

Dawn: 7:56

So happy to do that, happy to give our customers that are listening to this a vendor questionnaire. Give it to your vendors, have them answer it. We bill them all the time we see what you know and we get them from, from our customers. They they're auditing you.

Rob: 8:12

You should audit them, so yeah, and the other thing we see too is when people someone leaves, right, so someone leaves the company then the um, the relationship is gone. So you know, steve left and then now there's tiffany, and tiffany's got to build a relationship and she's new or she's trying to get her feet underneath her and drinking from the fire hose and get on board. That relationship usually fails for a bit and then it gets rebuilt if it's good.

Rob: 8:37

And that's where I see gaps as well, because then we'll come in and audit and we'll say how about this data center or this program or this third party that's processing data, what you know? What does that look like? And and what are the? What is the audit? Uh, what is the audit? Evidence, because now it's all about evidence and that's how we audit is all about evidence-based auditing.

Rob: 8:56

So you can't just say sure I have that says okay, show me your business social agreements. Show me your data encryption standards. Show me your disaster recovery plan. Oh, and how about you show me that you actually tested it?

Dawn: 9:07

That's the one thing people go, oh yeah, and that's a whole nother podcast, as well as disaster recovery and instant response. The other thing is is if you change vendors we have customers all the time change cloud providers or go from you know on-prem servers, so they're going from a regular data center to an AWS or Google Cloud or Azure or something like that. So when you change your vendors so, and you leave that vendor, are you off-boarding with that vendor? How are they off-boarding you? Did they delete your data? Did they extract all your data and give it and hand it over to you? Do they still have that data? That's an interesting one, too, because hand it over to you. Do they still have that data? That's an interesting one too, because you don't want to leave, obviously, your data over there and you want to make sure that they have deleted it or extracted it and then it's off their server system software, whatever it is. So that's another thing. Is offboarding making sure you've done your due diligence on that.

Rob: 10:02

Yep. Has the data been deleted? Has it been given back to? Your client, and then the client's got to answer to their customers. You know, it's the chain of custody with data, making sure that it's where it should be and not just where somebody thinks it is. Oh, yes. Well, now we've talked about. We've talked enough about the bad. Now let's talk about the good. What is a good vendor oversight program and third and fourth party vendor vetting look like I think the first thing I'd like to start out is just ownership.

Dawn: 10:29

Who owns it?

Rob: 10:30

Who owns the relationship Is? It procurement, is it IT? Everything's IT usually, is it legal I've seen it legal, I've seen it in HR, I've seen it somewhere. But someone has to own the vendor relationship and they have to own vetting and doing data security audits within those third and fourth party vendors. Now for our clients that have our VSO services. We will do that vetting on their behalf. So we'll go through all of that and keep them on track and expand that program so that their third and fourth party vendors are vetted as well.

Dawn: 11:06

Yep and also make sure who not only owns a relationship, but also we were talking about access who has access? That's an interesting one when you go through some audits.

Rob: 11:14

Everybody has access. Who can?

Dawn: 11:16

access.

Rob: 11:16

Is that bad?

Dawn: 11:18

Who can access. Who can access AWS, who can actually get onto it and who actually has access to looking into it, because not everyone, not the compliance officer, has access to. Everything Could be managed by their MSP who has the admin rights and has access to to that dashboard and can can look at those access logs and that type of thing. So that that's another piece of this too is who owns the relationship, but also, then, who has access to those vendors.

Rob: 11:45

Yep, and kind of a side deviation from this is not only access your vendors, but also think about the access from your employees, or that you onboard an off board. So don't forget that piece as well. Oh yeah, making sure that they have only the amount of data and the access amount of data that they need. That's the key pieces.

Dawn: 12:03

Definitely is.

Rob: 12:04

The other pieces is track, artifacts and expiration dates. So that's a fun one we like to do. So basically it's tracking. You know what was the date of their last SOC 2 report? What was their date of the last HIPAA audit, which is required by law? Is it analysis? When was that and was it documented? And those are the key dates. It has to be done annually at a minimum, or sooner.

Rob: 12:27

If you make a significant I can say that change to the environment and where the data sits, you've got to make sure of that. Same with insurance certificates and even penetration tests. Those are big pieces too, because I know the folks who work with that. We have our pen testers involved. It's the date and time. That's it. It's only good for usually a year or sometimes six months, depending on the organizations, then validating SLAs and contract compliance.

Rob: 12:54

So that's a big one where I'm starting to see contracts that get renegotiated, sometimes during the contract, or maybe one year, 18 months into the contract. Then they'll start cranking down on service level agreements or contract compliance. They'll just throw in you've got to meet PIPA and SOC and ISO, or they'll just throw in PIPEDA, or they'll throw in GDPR, or they'll throw in UK GDPR, whatever that looks like, they put that in there. So you've got to be very good on your contracts. Even all the big kids on the block, you know the Amazons and all that. They'll change those quickly, you know. Think about your Netflix terms and conditions. Those change all the time don't they.

Rob: 13:30

So you've got to keep an eye on your. What about documenting everything? You're always good at this. You're better.

Dawn: 13:36

Oh yeah, like I said, you've got to document your vendors. You've got to document all this, the contracts, who manages the vendors, who's got the relationship. You've got to show it's documented because for SOC 2 and for ISO 27001, you need to have a third-party supplier register. It needs to document this. It's very important. You should keep a list it's kind of like assets, your asset inventory of who's got what laptop and what workstation. Very important, so you should keep a list. It's kind of like assets, your asset inventory of who's got what laptop and what workstation.

Dawn: 14:06

Very important, so along the same lines. But this is important for all those that work in security, not just the compliance officer, but your IT security. We all need to know what suppliers are that we're being worked with, so for everyone to know what security looks like and what the contracts look like. Yep, yep.

Rob: 14:28

Definitely Read the contracts and if you don't like to read the contracts, have an attorney read the contracts. If you don't want an attorney to read the contracts, and you have other ways to just skim through it, like if you don't have time to read it, all I like to do is just search and find, like, what is a termination agreement? What are some of the third-party requirements, or just google. You know not google just search for hipaa or sock to or iso or nest or gdpr.

Rob: 14:53

Just do a quick find in the contract and see what's there and then, um, something pops. See if they're going to require it. The other area contracts is your uh insurance minimums. I'm starting to see two. They're going to require it. The other area of contracts is your insurance minimums. I'm starting to see $2 and $5 million cyber insurance requirements minimums required. It used to be $1 to $2 million, now it's up to $5 million because breaches have gotten bigger and they've gotten more significant.

Rob: 15:15

So those are big, definitely big, big areas there. So what are we? You know, we're just trying to give some framework, like what are what's some of the takeaways, dawn, that listeners can take back to their?

Dawn: 15:29

organizations and really fine tune their vendor oversight program. The, like I said, the vendor register. It's. It's keeping a spreadsheet of all the vendors, who owns it, all the contracts where they are. Keep a folder. You know, file folder, obviously on your not on your desktop or anything, but you know a encrypted file folder of all your agreements You're going to get out your old manila folders and print everything out. And this goes with BA agreements.

Dawn: 15:54

I mean if you're one of our HIPAA customers, you need to keep a list of who you have BAs with and you need to keep the agreements. So you have signed agreements and you know you can look up. Oh, yeah, we have that Insurance documents. Same thing is keep those all in one place. You know, put notes in, make sure if you're reviewing and auditing the vendors, keep copies of their vendor assessments and, you know, keep copies of, if you're reviewing other ones, your notes on that. So if you guys switch, switch vendors, you've got some notes. You. You understand why that type of thing. So it's really documenting where you're at with everyone and keeping track of those contracts and making sure that you're auditing, looking at that at least every year. Yeah, minimally.

Rob: 16:37

Uh, and then also um the escalation paths. Vendors will fail.

Rob: 16:41

That's just life right, it's like you'll run out of gas or you'll run out of charge or you'll AC will die when it's 110 out. Yeah, we've had that happen Things die. So what happens and what do we do? What is the escalation path? So making sure you know who do we contact, what's our incident response plan, who do we call when things break or when we have an incident. And let's start with an incident and then move into decide if it's a breach or not, because there's two different directions to go. Understand who's out on your team and build that team out. And then go ahead and make sure you have the frameworks in place so you know how to have your risk register, how to have your diligence package, you understand where everybody is and keeping those reports together, review the trackers. Escalation path and then offboarding process. Those are the five steps. So the offboarding is key too. So make sure if you remove a vendor, immediately remove all access, remove all the data, retrieve the data.

Rob: 17:35

I'd like to back it up with an offboard the data and revoke all credentials immediately, because that's a huge risk to every company. That we see out there today is just that they're just, they're not cleaning up the offboarding or you have an employee leave, you got to go ahead and clean that up and make sure all access is deleted immediately.

Dawn: 17:52

Good.

Rob: 17:53

So another nugget that I just thought of is this is kind of homework for the listeners. So if there's something you could take out of this is this is, I would say pick your top five vendors.

Dawn: 18:03

Five is a good number.

Rob: 18:04

So take the five vendors that you work with and review them. Ask who owns the relationship, ask when the last review of their relationship and contract was done, and can you prove it? Do you actually have the evidence in place in hand? You have to have the evidence now in hand to be able to state that, yes, they've been vetted and that they are a good fit for the organizations and have your best interest in mind.

Dawn: 18:28

So those are the good starts, you don't?

Rob: 18:30

need a multimillion dollar tool. Use a Google Sheet, Excel spreadsheet, whatever Just document and put it together. Yep.

Dawn: 18:36

Absolutely.

Rob: 18:37

Any closing words. Dawn as we wrap up this week.

Dawn: 18:39

That's it. It's very important Document Write on as we wrap up this week. That's it. It's very important Document. Write it down. That's it. No, that's a good, that's good. Homework is is see if you can do that. Pick your top five.

Dawn: 18:48

See if you have all the information. Do you have a contract? Do you know? Do you know if they're SOC 2, iso, hitrust? No, know if they've got any certifications. And you know who your contact is. Do you know how to get a hold of them? Yeah, and when did you review them last? Have you been with them since 1999? Okay, well, have you reviewed them Well? No, well, maybe you should. Are they upholding their standards, their SLAs, that you signed up for in 1999?

Dawn: 19:11

You know, things have probably changed. So that is a very, very good start, and from there you can know where you are and you'll learn to keep track of this. And so you can tell your customers yes, I know who my vendors are. Yes, my data is secure. Yes, I have looked at all this and I feel confident. And then your customers will say, oh good, because then I trust you, I trust that you're confident, so I trust that where you store my data, that we're good. So it's a good place to start.

Rob: 19:43

There you go, there you have it. We got it together.

Dawn: 19:46

There it is.

Rob: 19:46

Well, there you go. Well, thank you everyone. Thank you everybody. Well, thank you everyone for joining this week of the Bannerang Compliance Podcast and take these items back to organizations and go ahead and dive into those vendors Until next week.

Dawn: 19:59

Bye-bye.