
Introduction

A vendor management policy is a way for companies to identify and prioritize vendors that pose a risk to their business.

The policy identifies potentially risky vendors and prescribes controls to minimize risk and ensure compliance with regulatory rules. Vendor management policies are a critical component of an organization’s overall compliance risk management strategy.

The more vendors you share sensitive information with, the more exposed your organization is to bad actors. This guide will help you create a Vendor Management Policy. We suggest that you work with the relevant internal team(s) when developing the policy. See below for the sections you should include when creating your firm’s policy.

Please note that policies set some parameters for decision-making but leave room for flexibility. They show the “why” behind an action. Procedures, on the other hand, explain the “how”: they provide step-by-step instructions for specific routine tasks. They may even include a checklist or process steps to follow.

Key Elements

Vendor Management Policies typically include:

  • A description of the purpose and scope of the policy
  • Key audiences
  • Types of risks and their definitions
  • Vendor assessment process
  • Contractual agreement requirements
  • Process for oversight and ongoing monitoring
  • Policy Review and Approval

Developing the Policy

Purpose and Scope

Use this section to explain why a Vendor Management Policy is needed and which systems, departments, and data it applies to. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Sample Intro: The purpose of this formalized vendor management policy is to provide the company (“CLIENT”) with a policy that will be followed throughout the organization. A vendor is classified as a third-party company offering something for sale (please see the list of related terms below). Use of third-party vendors creates a true need to monitor such entities for baseline compliance with CLIENT security standards. Specifically, all outsourced processes, procedures, and practices relevant to CLIENT are to be monitored on a regular basis, which includes applying appropriate measures to all third parties providing critical services. Revenue, regulatory, compliance, operational, information technology, and reputational risks are some of the threats that could arise when using these services. This policy, as well as any relevant procedures, will assist in ensuring the safety and security of the organization, its employees, and its network.
  • *The terms “vendors”, “third-party”, “third-parties”, “external parties”, “outsourcers”, “organizations”, and variants thereof are defined as entities providing outsourcing services to CLIENT.
  • Sample Scope: Include a list of applicable system categories, such as Internal Systems, External Systems, and Users, and any other relevant terms. Include a definition of each (as it applies to your firm), for example: External Systems – resources owned, operated, maintained, and controlled by any entity other than CLIENT, but which may impact the confidentiality, integrity, availability, and overall security of internal system resources.

Key Audiences

Use this section to explain who the policy applies to. It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:

  • This policy may apply to some or all of the following: employees, contractors, external parties, etc.

Risk Types and Definitions

Use this section to explain certain elements of risk that your organization identifies as critical to this policy and a definition of each. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Areas of potential risk to consider: Compliance, Reputational, Strategic, Operational, Transaction, Credit, Geographic, Information Technology
  • Sample Definition: Operational Risk – risks arising from a failed system of operational internal controls relating to personnel and the relevant policies, procedures, processes, and practices.

Vendor Assessment

Use this section to explain how your firm will conduct an assessment of your vendors. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Items to consider for a vendor assessment: internal controls to ensure ongoing compliance with regulatory rules; the vendor’s business continuity plan; effectiveness of the vendor’s cybersecurity program; financial condition of the vendor; controls for monitoring compliance with Office of Foreign Assets Control (OFAC) regulations; the vendor’s risk and privacy policies; audit reports; reconciliation of invoices with contracts; the vendor’s existing physical, technical, and administrative safeguards to protect the security, confidentiality, and integrity of customer information; the vendor’s insurance policies for effective coverage; the vendor’s security standards, including Payment Card Industry (PCI) policy and certification; the vendor’s written ID theft prevention program.
  • We suggest creating and maintaining a list of current vendors to accompany this policy.

Contractual Agreements

Use this section to explain how the results of the vendor assessment determine any required contractual agreements prior to commencing services with each vendor. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Legal must conduct a thorough review of the contract.
  • Determine the roles, services, responsibilities, obligations, and expectations of all relevant parties.
  • Identify who will approve/sign the contract. For example: legal, senior management, audit committee(s), officers, or the board of directors for both parties.
  • Define financial terms.
  • Confirm the vendor’s delivery of regulatory compliance audits, security assessments, etc. as needed/requested.
  • Specify required security measures (if beyond what may be standard from the vendor).
  • Other items, including, but not limited to, the following: dispute resolution measures, indemnification, continuation of services, default, intellectual property, etc.

Oversight & Monitoring

Use this section to explain how your organization will have oversight and monitoring for the services provided by each vendor. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Sample intro: Where allowed by law, CLIENT should reserve the right to monitor the security controls implemented in order to safeguard CLIENT information assets. The controls may include, but are not limited to, policies, procedures, training, hardware, software, and internal and external assessments.
  • Provide an outline or checklist of what your monitoring might entail. Sample columns for the outline/checklist: procedure, responsible party, and notes/comments.

Policy Review & Approval

Use this section to explain how your organization will structure a regular review of the Vendor Management Policy so it stays current. Get as detailed as needed in order to cover specifics that pertain to your organization. See example below to get you started:

  • Determine a cadence for reviewing the policy for updates (at least annually is a suggested minimum).
  • Keep an audit trail of policy changes and approvals.
  • Establish a testing program to test the effectiveness of your policy (in the event you don’t have any incidents but want to ensure the policy is “working”).