Compliance Insight with David Schneier

Vendor Management: One Size No Longer Fits All

I'm out in the field this week conducting a series of services for one our clients. At the moment I'm heavily focused on completing a draft of a new vendor management program for them to implement. Although we have a standard methodology that's been used by the practice for several years, I've taken it upon myself to revise and update where applicable.

Based on what we've been seeing and hearing out in the field, the examiners aren't letting anyone phone this one in any more. Our existing approach satisfied the core requirements to be certain, but there were certain elements that no longer appeared as relevant, and there were others that needed to be added. All in all this is business as usual, as we're always working on keeping our services current.

But what's presented itself as more of a challenge this time around is how our solution fits into the client environment. While we've never sold a one-size-fits-all solution, we also never needed to go to any great lengths to customize our approach to match the institution's profile. However with the increased scrutiny being placed upon Vendor Management programs, there's greater pressure to make sure the policy and procedure both address their needs and present themselves as manageable solutions. If there's a field that requires a value on a form template, then the institution needs to fill that in. Leaving it blank or providing a static answer could raise concerns during the exam. We need to make sure that our solution allows the client to decide what needs to be included, understand how to determine the appropriate value/answer and then update the program to accommodate.

Gone are the days where you can buy a solution as-is, run a series of change-alls to make it appear as if though it's unique, distribute it internally and consider yourself compliant. These programs, policies and procedures need to work, they need to address the risks they were intended to, and they need to be solutions that the institution can adequately support.

Try and answer the following questions:

  1. How frequently do we review vendor contracts?
  2. Do we distinguish vendors based on criticality?
  3. What's included in the contract?
  4. Do we have a list of what's supposed to be included in the contract?
  5. How many contracts are currently in-force and active?

If you can't answer all of these questions easily, you need to figure out why that is. You'll also need to figure out how to change the way vendors are managed by your institution, so that the answers are readily available. Because whether you take my advice or you wait for the examiners to weigh in, you're going to need to answer these questions.

About the Author

David Schneier

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.