A Proven Strategy for Implementing Vendor Management Programs

December 10, 2013, Andrew Hicks, Managing Principal, Coalfire

Every regulated industry includes a requirement for managing third-party risk.  Some industries are further along the path and have more mature processes than others.  However, there are tried and true methodologies and standards established by those early movers that we can utilize across other regulated industries.

Regardless of the industry (e.g. healthcare, retail, utilities) the core requirements for vendor management programs are listed below:

  • Identify and document all vendors (third parties) that collect, process, store or maintain access to sensitive data and / or critical systems;
  • Conduct a risk assessment for each vendor to establish thresholds for baseline controls (some industries introduce a concept of boundaries and control levels from high to low);
  • Require all vendors to acknowledge their responsibility to protect sensitive data and / or access to critical systems through a vendor agreement (if regulated, the compliance standard of the enterprise is extended to the third parties); and
  • Implement an oversight program to ensure the vendor complies with the terms of the vendor agreement and / or regulatory requirements (varying levels of risk or compliance reporting is required in some industries).

While the definition of applicable controls appears to be straightforward, implementation of those controls requires a higher level of coordination due to the fact that most vendors support multiple organizations and have a mix of compliance obligations, often in different industries with different regulatory requirements.  These vastly different industry requirements (e.g. PCI, HIPAA, GLBA) are where the confusion and difficulties arise in managing vendor compliance.  To put it succinctly, there is no silver bullet for managing vendors across the regulatory compliance ecosystem. 

While eGRC tools may seem to offer an all-encompassing solution to help organizations with their inward GRC posture, they are not agile enough to manage the complex web of vendor compliance that is commonplace in many organizations.  Additionally, they can easily carry a six-figure entry cost and require a full-time, dedicated staff to maintain.  Though eGRC tools can be used to successfully manage and monitor an organization’s internal control posture, managing external vendor regulatory compliance is better accomplished by more affordable, purpose-built applications that offer a consistent methodology for assessing vendor risk and are subject to an independent oversight program.

As we have seen, other industries provide lessons learned on how to effectively manage third-party risk through the implementation a of a well-defined, third-party control framework and assessment tools.  Take for example the experience of the banking sector.  The first group of bank service providers was initially requested to join the eGRC programs on behalf of the enterprise organizations (banks) to comply with their enterprise controls.  Those enterprises even tried to manage their vendors as if they were just divisions within their own operation.  These programs failed miserably because the enterprise organizations tried to implement a consistent set of controls for all service providers (vendors) regardless of the industry sector or regulatory requirements. Both the service providers and enterprise organizations learned that the vendor risk assessment process must drive to a consistent control framework for each industry and be subject to program oversight. By doing so, the enterprise provides the framework and control set to operate in a consistent manner across all compliance arenas in which it operates.  The only remaining question is, “How can each enterprise manage the risk to its specific environment?”

The solution identified by the banking sector, as well as the retail (PCI) environment and most commercial organizations (SSAE16 / SOC2), was to standardize on a specific (sub) set of vendor controls for all service providers.  Standardization enables service providers to focus on managing their applicable controls in a way that both mitigates risk and achieves regulatory compliance.  To ensure that the service provider has actually implemented the controls effectively, those same industry programs require the vendor to either complete a self-assessment questionnaire or obtain an independent validation for those controls.  In either scenario, evidence of control effectiveness is required rather than solely relying on the vendor’s verbal attestation.

Enter HIPAAcentral, a healthcare compliance exchange developed by Coalfire to fill the gap between the breakdowns of today’s eGRC tools and the difficulties in managing downstream vendors.  Specifically, HIPAAcentral is strategically placed between the covered entity (CE) and business associate (BA) as a way for CEs to effectively manage the risk and compliance posture of its downstream BAs and subcontractors that create, receive, maintain, or transmit protected health information (PHI) on its behalf.  Additionally, it allows BAs and subcontractors to complete one assessment, provide supporting control evidence, and share the results of that assessment with multiple upstream organizations (covered entities).  In other words, HIPAAcentral is a top-to-bottom, purpose-built compliance platform for the healthcare industry that is efficient, affordable, and comprehensive.

Yes.  Finally, there’s an app for that.

Andrew Hicks


Andrew Hicks — Managing Principal, Coalfire

Recent Posts

Post Topics