Mitigating Vendor-Based Risk: Are you really compliant?

Compliance is becoming a more common headache for organizations.  Regulators keep issuing new demands and revisions to their compliance frameworks, yet they tend to forget one thing: most companies outsource multiple IT roles to an outside vendor.

“Louisiana Act 117 – Senate Bill 273 was recently signed into law, and requires MSPs that manage infrastructure or end-user systems for “public bodies” to register with the state. This bill further builds on extant breach notification laws as well, requiring MSPs to disclose cyber incidents (including ransomware payments) to the state, putting the onus on them instead of the victim business.” – Kraft Technology Group

https://www.kraftgrp.com/louisiana-legislation-msp-registration/

As states begin to pass the first registration requirements in response to cybercrime, we will see more regulations that define what an MSP must provide to its clients and what standards it must abide by.  At the moment it is your responsibility to vet whether the bidding “IT vendor/MSP” is a sole practitioner or an organized team, whether it runs an orchestrated RMM with automation, and whether it uses a secured management method to assist clients (just to name a few).

Here is a question for you: as outsourcing becomes more prevalent and IT becomes more sophisticated, who is regulating the IT vendors to ensure they are following your compliance requirements, let alone enforcing today’s basic security frameworks to protect themselves from data breaches that expose YOUR credentials?

In the state of California, electrical contractors, HVAC contractors and others are regulated and must show they have completed a full education and training program and a specific number of hours as a journeyman or apprentice to legally operate in the state.  With this comes the question of data security in regard to compliance: we may have the cart before the horse!  As an organization searching for an IT vendor, the full liability for vetting your next IT services provider rests on you.  Neither the state nor the federal government oversees anyone who claims to be an IT services provider, cloud practitioner or even Microsoft partner.  Microsoft, Amazon and almost all service/product providers will allow any user with a computer and the ability to fill out a partner agreement to provide services without a specialized certification for the task.  This has led to the perception in business that IT vendors are as honest and ethical as a used car salesperson in the 1990s.  (Cue Bernie Mac, aka Bobby B., from Transformers, whose Mammy didn’t even like the poor used car salesman.)

https://gfycat.com/dentalunequaledcoot

Worst of all, when you do not have an internal technical resource to validate a vendor’s past performance and required accreditations and to manage their actions, you will be responsible for the reputation damage and regulatory fines associated with a data breach.

The IT industry has become a highly diverse field, from general help desk and service desk work to application development, cybersecurity, compliance and more.  Let me ask you this: how many of you have completed an assessment of your vendors in the last year?  Most likely none, unless you recently replaced a vendor.  Yet there is still a catch-22 with evaluations: who in your organization understands the IT infrastructure and compliance requirements well enough to make a proper assessment of your vendors’ vulnerabilities and risks, and to make adjustments or plans of action and milestones to remediate those risks?

Third-party IT services: how to keep misinformation and vendor negligence from impacting your operations or leading to regulatory fines.

Oversight IT Consulting provides vendor-agnostic evaluations and IT vendor management services to identify the most important pieces of data and to create plans to resolve vendor issues. Do you and your vendor follow, at minimum, this simplified audit at least quarterly?

  • The things you feel – how is your service provider responding to and remediating your issues?
  • The now – is your vendor ensuring your business continuity and disaster recovery strategies are configured, tested and running?
  • The security – is your vendor reviewing logs and ensuring incident response plans are being followed on a recurring basis with you?
  • The compliance – is all of the above being enforced, and do the technical controls abide by the regulatory mandate (e.g. NIST, CMMC, FINRA, HIPAA, PCI)?
  • The tomorrow – the IT budget and infrastructure mapping.  Is your vendor setting expectations around the organization’s goals and ensuring all engineering keeps in step with them?
  • The resolution – does your vendor set plans of action and milestones (POA&M), and does your organization send performance improvement plans to your vendors regarding identified vendor-related risk or lack of performance?
  • The tracking – are you documenting all progress in remediation, performance assessments and vendor engineering to lower your organization’s RISK due to vendor negligence or miscommunication of technical goals?

With this information, we as a community can work to create a standard for third-party IT service providers to abide by, report against and work within, in a partnership mentality.

We all need to reimagine the IT services world as an IT partnership.  It starts with having an IT advocate whose specific job is to protect your assets and to qualify and continually assess your vendors.  Vendor siloing (each vendor strictly adhering to its hired role rather than owning the whole network) is going to become common practice with the upcoming regulation changes and the services your organization will require to survive the catalyzed IT transformation.

-Kenji Martinez

Founder and CEO of Oversight IT Consulting, LLC.
Kenji@OversightIT.com
805.991.7772