
As a business or business owner, one thing to consider when creating a cybersecurity plan is a vendor management program. A vendor management program helps a business address the risks that arise when it works with vendors and other third parties that receive sensitive or business information.

A successful vendor management program should have three parts:

  1. Inventory
  2. Assess
  3. Address


Inventory means reviewing every party involved in handling your business's data. This can include third parties such as outsourced IT, cloud storage providers, suppliers, distributors and employee benefits providers. Some questions to consider are:

  • What information is your business sending to these parties?
  • How risky is that information?
  • How frequently is that information being transmitted?
  • What controls has your business put in place internally to address these risks, and what do you actually know about what the third party is doing to protect your data?

Doing an initial assessment of these parties is the first step in seeing how they handle your business's data, your employees' data and even your customers' data.


The second step is to develop a questionnaire with targeted, tailored questions designed to gauge the risks that may arise from the transfer of information. We find that many businesses are reluctant to send out this type of questionnaire because they are concerned it may hurt their relationship with the vendor.

It should not, however, be viewed as an audit or an intense back and forth, but rather as a good opportunity to learn more about the vendor and create a positive experience. Once the vendor has had a chance to answer your questions, compare the answers against industry standards, regulatory requirements and the risk level of the information involved, so that the exercise adds real value to your business's understanding of how it is working with these parties.