1. By Marty Puzio

2. Overview  How/why this process was developed  Laying the groundwork  Using a checklist  Solidifying the deal  Living with it

3. Creating The Process  Frustrated with “on the fly” reviews  Questions are basically the same for all vendors  Questions differ for application type  Externally developed, externally hosted (i.e. ASP)  Externally developed, internally hosted  Confidential vs. public data  Standardization is necessary

4. Lay The Groundwork  Build the relationship with the business and IT  Earn their trust – this process will ensure their success  Start the process as early as possible  Require this process – not optional

5. Use a Detailed Checklist  Start with a general list, then tailor it  Task vendor with first round  Require security equal to your own policy  Make questions open ended  Test the answers  Access the site  Get an account  Change a password

6. Reviewing the outcome  Review with vendor techies  Implement compensating controls where needed  Make a decision/recommendation to the business

7. Potential Deal Breakers  No encryption  Poor authentication  Refusal to answer questions  Poor security for data transfers It’s all based on your information security standards

8. Solidify The Deal  Have Legal add it to the contract  Make it binding  Include non-compliance clause

9. Living With it – Auditing  Audit the vendor annually  Ask to see proof  Printed policies  Employee handouts  Physical controls  External audit results  Visit the vendor if necessary

10. Track Record  Used with IP management firms, payroll companies, healthcare benefits, expense reporting, etc.  Benefits  Meets most requirements for due diligence  Assurance to senior management  Auditors will be satisfied  Simply a good practice  Many, many others

11. Questions?