The Proper Way of Assessing BCP/DR Readiness When Your Company is Performing an IT Security Risk Assessment on a New 3rd Party Vendor



The coronavirus is teaching us an important lesson on the value of business continuity planning and disaster recovery. Say your company is assessing this area for a new 3rd party vendor. This is usually covered in the IT security risk assessment step of due diligence. There are 2 very different ways of addressing this: 

Option 1 (The Wrong Way): Ask the 3rd party vendor the following question: Does your company have a business continuity and disaster recovery plan? (Y/N)

Option 2 (The Right Way): Break this out into a 5-step process:

  • Review your company’s list of critical business functions: This is a list of functions that need continuity in the event of a disruption. Your job is to determine if the 3rd party vendor will be playing a role in any of your company’s critical business functions.
  • Ask the business owner to confirm if you have correctly understood the 3rd party’s role in supporting a critical business function.
  • Ask the vendor the following questions:
      • What standard SLAs do you provide around [insert list of critical business functions]?
      • Does your company have a business continuity and disaster recovery plan to ensure your ability to meet these SLAs?
      • When did your company last perform BCP/DR tests for these specific SLAs? What did the test reveal about your company’s ability to meet these specific SLAs?
      • When will your company next perform BCP/DR tests for these specific SLAs?
  • Share findings and recommendations with the business owner. A business owner has identified this 3rd party vendor because they believe that they can help solve a problem. They would certainly want to know if your assessment has revealed information about the vendor’s inability to support the company in the event of a disruption.
  • Share a summary of findings and next steps with the executive team, highlighting the 3rd party vendor’s cooperation with the assessment. Most 3rd party vendors will want to do the right thing, be truthful in their responses, and be willing to work with you to strengthen any weaknesses. Those 3rd party vendors that respond differently should raise a red flag, so that the executive team is aware and has the opportunity to override the business owner’s decision.
  • Document all this information and file it in the vendor’s due diligence file. This is good supporting evidence that demonstrates the due diligence performed on the 3rd party vendor. Should there ever be any issue down the road with the 3rd party vendor, this documentation may prove to be tremendously helpful for handling that issue.

Our prediction is that 3rd party vendor BCP/DR assessments will be under increased scrutiny once we have recovered from the coronavirus pandemic. When that happens, be sure to update your 3rd party vendor management program to do this the right way.

Companies hire CyberSecurityBase to eliminate their backlog of 3rd party vendor IT security assessments. Should you need outside help in this area, leave a comment below with a request to get in touch or send us a direct message. We look forward to hearing from you.

Rocio Baeza

An information security compliance professional specializing in the FinTech space. She has over 12 years of experience in the online payday lending industry and tech startup culture. Rocio enjoys listening to podcasts and bicycling with her family.