Adding An IT Security Assessment Gate That Respects the Limited Time of the Chief Compliance Officer


Dear Chief Compliance Officer,

Who in your organization is managing the IT Security Assessment process? What role do you play? Are you a decision-maker? Consulted? Informed? Are you comfortable with the information that you’re receiving RIGHT NOW?

Remember, the goal of any Vendor Management Program is to help your organization make an informed decision about partnering with a vendor. The goal of the IT Security Assessment gate is to ensure that vendors have adequate IT security controls.

We at CyberSecurityBase are rockstars in this area. When we perform an IT Security Risk Assessment on behalf of our clients, our deliverables are:

  • a 1-page executive summary (for YOU and your peers)
  • a 2-3 page write-up (available for YOU, should you ever need to see the details; this write-up is primarily for the relationship owner, so they can understand the findings and make decisions on the recommendations, and lastly for Legal, so they stay aware of any security terms that need to be considered for the agreement)
  • a folder with supporting documentation (this also goes into the vendor file as workpapers and keeps the auditors happy)

The Coveted 1-Page Executive Summary

We deliver this to our clients during our monthly Vendor Management Update. It includes a list of identified security risks, options for mitigating that risk, our recommendation, and the relationship owner’s decision on handling the risk. This approach empowers the relationship owner to make a decision, keeps you in the loop without creating a bottleneck, and provides an opportunity for you to share input before the due diligence period closes out.

Let’s unpack a few things. There is a framework that allows us to take a vendor, pass them through the IT Security Assessment gate, and produce a 1-page executive summary just for you. Our framework requires the following:

  • An understanding that your time is limited. You don’t have the bandwidth to read IT Security Assessment write-ups for all the vendors, but you want to be involved when a team member is bringing on a vendor that will create a high risk for the organization. As the Chief Compliance Officer, you are responsible for overseeing compliance within your organization and ensuring compliance with laws, regulatory requirements, contractual obligations, policies and procedures. IT Security risks certainly create compliance risks, and you need to be involved when a 3rd party vendor relationship is likely to turn into a high risk for the organization.
  • A relentless obsession to serve the relationship owner and “keep up” with their pace. Remember that the relationship owner is working on solving a problem, and they are fairly certain that the 3rd party vendor can help. The IT Security Assessment Gate should provide the relationship owner with a list of any IT security gaps and actionable steps that the vendor (or the implementation team) can take on and address. In most cases, the relationship owner will agree to take that on. And if they don’t, there’s a safety net at the end of the due diligence process, for you (the Chief Compliance Officer) to ask why they think their decisions are appropriate.
  • A standardized IT security benchmark that aligns to YOUR organization’s Information Security Policy. Your Information Security Policy captures the baseline requirements, and any 3rd party vendor needs to be assessed against the relevant IT security controls. That’s right, not all IT security controls, only the ones that matter.
  • A workflow that involves gathering input from multiple groups in your organization. This must include the vendor, the relationship owner, Legal, Security, and in some cases, IT and Compliance. This allows the team to understand the vendor’s IT security controls and make an informed decision about the findings: a decision that is contextual and not based on a 100-item questionnaire filled with generic security questions that probably don’t apply.

CyberSecurityBase is here to help companies eliminate their backlog of 3rd party vendor IT security assessments. Should you need outside help in this area, leave a comment below so we can reach out to you.

Rocio Baeza

An information security compliance professional specializing in the FinTech space. She has over 12 years of experience in the online payday lending industry and tech startup culture. Rocio enjoys listening to podcasts and bicycling with her family.