Vendor management is a crucial element of a bank's information security program. Proper due diligence includes, but is not limited to, an evaluation of the vendor's financial statements, business continuity planning and testing, legal and regulatory obligations, history and reputation, and independent audit reports. Typically, this evaluation is performed when selecting a new vendor and then periodically throughout the vendor relationship. A complete vendor management program should also include ongoing oversight of the vendor.
Vendor oversight is a commonly neglected element. In fact, it is not unusual to see a company place too much trust in a vendor's security practices, and the nature of the relationship itself is often a contributing factor. Typically, vendors are contracted to do work that bank personnel either lack the time or expertise to complete. As a result, ongoing oversight and follow-up verification are often ignored.
One common issue is the loosening of account and password controls for vendor accounts. For example, a shared account may be created and used by everyone in the vendor's organization. Account passwords may be set to never expire to eliminate the burden of creating and remembering new passwords. Elevated privileges may be automatically assigned to new vendor accounts. All of these efforts aim at increasing convenience, but result in lack of security.
Vendors often require remote access to the network and user accounts with elevated or administrative privileges. For these reasons, user account controls should, at a minimum, meet the same technical requirements applied to employee accounts. For starters, ensure the following technical account controls for vendor accounts conform to the bank's policies:
- Complexity requirements
- Change frequency
- History requirements
- Lockout reset timers
A vendor's employee turnover can present additional risks which are effectively mitigated by implementing some standard security practices. Consider the following technical controls:
- Separate user accounts should be created for each vendor employee that will be working on the network and should only be enabled when necessary.
- Each user account should only be granted the privileges necessary for their job function.
- Contracts should require vendors to notify the bank of any turnover.
Periodic reviews should be scheduled and performed to ensure bank policy is being met.
Much time and money is required to develop and implement a comprehensive security program, and everyone within the organization shares some of the burden. Users are required to create complex passwords and change them frequently. IT staff are in a constant balancing act working to implement effective security while not hurting usability. As the threat landscape changes, management reviews and updates security policies. To use a current buzz phrase, network vendors need to contribute their "fair share."
Vendors can bring a wide range of benefits to the table. They generally offer specialized knowledge and experience, quick deployments, and perhaps most importantly an outsider's perspective. Taking advantage of their specialized knowledge and experience often results in a more secure environment. As with all relationships, trust and communication are important to ensure good vendor relationships. However, it's a good idea to accompany that trust with a dash of verification.
