Creating a vendor management policy is an essential part of an effective IT risk management plan. A vendor management policy is also a requirement under several regulatory compliance models which affect colleges and universities in addition to corporations.
While writing in recent weeks about the new service provider audit standard SSAE 16 and, in my last post, about help desk outsourcing companies, it began to occur to me that a large number of institutions may be operating without any formal IT controls in place to manage IT vendor related risks. If so, that would be very problematic for institutions that depend on vendors for mission critical functions or high risk operations. And for me it would be particularly troubling given how often I recommend vendor management programs in various posts.
Vendor Management Policy Sample
So I decided to pull together a vendor management policy sample and make it available here. The Vendor Management Program sample is free to subscribers; a secure link for immediate download will be emailed to you.
The Vendor Management Program sample is modeled after a comprehensive vendor management policy for regulated industries such as banking, healthcare, and higher education.
The sample includes:
- Standard Policy framework
- Roles and responsibilities
- Classification of vendor criticality rating model
- Vendor risk management approach
- Vendor selection criteria
- Contract recommendations
- Ongoing vendor monitoring
The Vendor Management Program is intentionally very detailed and includes several vendor management policy templates and samples, so you can quickly set up a vendor management program of your own with confidence that it should satisfy your compliance objectives.
The Vendor Management Program is an MS Word document, so you can easily make changes as you adjust the template to fit your policy model and specific needs.
This approach was chosen to support the diversity of compliance landscapes found in higher education, which includes several consumer protection and healthcare regulations, and to be useful to the corporate CIO readers of this blog.
Implementing Vendor Management
Depending on the existence or thoroughness of your institution's other policies or procedures related to procurement, purchasing, enterprise governance and compliance, simply delete the unnecessary sections or simplify the language to fit your organization's policy framework. You may even want to discuss with your CFO the option of broadening the program to all vendors, not just IT vendors. This is advisable, since it would change only a few elements while the basic model should still work.
I realize this can seem overwhelming at first because there is a lot to take in, especially if you don't have anything in place today. So consider starting by reading through the sample a few times, noting the policy areas that sound useful to you right off the bat. Then have a discussion with your CFO and compliance officer to develop a shared strategy, which may be to get something simple started based on your immediate concerns or the vendors that are most critical to your operations, and build upon it once you gain some comfort.
Start by taking an inventory of all IT vendors and assigning a criticality rating to each of them. If you don't already have business impact analysis (BIA) or business continuity plan (BCP) data, work with your peers to gather an initial recovery time objective (RTO) for the service each vendor provides, which helps validate the classification: a vendor whose service must be back within hours cannot be rated low. Next, focus on the most critical vendors or those representing the greatest risk to the institution. This gives you immediate benefits while allowing you to solidify your vendor management program before applying it to all vendors.
If your institution has additional compliance exposures or special circumstances, be sure to incorporate those into your vendor management program. That is most likely to be the case for vendors handling payment processing or other forms of financial transactions, and for functions that carry 'covered entity' or 'business associate' status under HIPAA and HITECH.
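To make the inventory-and-rate step concrete, here is an added example (my own illustration, not part of the Vendor Management Program sample or its criticality rating model) of a small vendor triage script. It assigns each vendor a tier from its RTO and the data classes it handles, flags regulated data (PHI, cardholder data, student records) as a compliance exposure, orders the inventory so you can start with the most critical vendors, and reports where a declared rating disagrees with the RTO-derived one. The thresholds, scoring weights, regulation mapping and the five sample vendors are all assumptions constructed for the example; adjust them to your own BIA data and compliance landscape.

```python
"""Vendor inventory triage: tier IT vendors by RTO and data handled.

Added example. The scoring thresholds, the regulation mapping and the
sample vendors below are assumptions, not the page's rating model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Regulated data classes and the compliance exposure they create.
# Assumption: a minimal mapping; extend it to your institution's landscape.
REGULATED_DATA: Dict[str, str] = {
    "PHI": "HIPAA/HITECH business associate",
    "PAN": "PCI DSS",
    "FERPA": "FERPA",
    "NPI": "GLBA",
}


@dataclass
class Vendor:
    name: str
    service: str
    rto_hours: float                 # recovery time objective from BIA/BCP
    data_classes: Set[str] = field(default_factory=set)
    declared_tier: str = ""          # rating the business owner gave, if any


def score_vendor(v: Vendor) -> int:
    """Additive score: short RTO and regulated data push a vendor up."""
    score = 0
    # RTO component: how long can the institution tolerate an outage?
    if v.rto_hours <= 4:
        score += 3
    elif v.rto_hours <= 24:
        score += 2
    elif v.rto_hours <= 72:
        score += 1
    # Data component: regulated data dominates; any institutional data counts.
    if v.data_classes & set(REGULATED_DATA):
        score += 3
    elif v.data_classes:
        score += 1
    return score


def tier_for(score: int) -> str:
    """Map a score to a criticality tier (assumed cut-offs)."""
    if score >= 5:
        return "critical"
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def exposures(v: Vendor) -> List[str]:
    """Compliance regimes the vendor relationship pulls in."""
    return sorted({REGULATED_DATA[d] for d in v.data_classes if d in REGULATED_DATA})


def triage(vendors: List[Vendor]) -> List[Tuple[str, str, int, List[str]]]:
    """Inventory ordered from most to least critical: (name, tier, score, exposures)."""
    rows = [(v.name, tier_for(score_vendor(v)), score_vendor(v), exposures(v))
            for v in vendors]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def validate_declared(vendors: List[Vendor]) -> List[Tuple[str, str, str]]:
    """Vendors whose declared rating disagrees with the RTO/data-derived tier."""
    mismatches = []
    for v in vendors:
        computed = tier_for(score_vendor(v))
        if v.declared_tier and v.declared_tier != computed:
            mismatches.append((v.name, v.declared_tier, computed))
    return mismatches


# Constructed sample inventory for a campus; names and figures are made up.
SAMPLE_VENDORS: List[Vendor] = [
    Vendor("Hosted SIS", "student information system", 4, {"PII", "FERPA"}, "critical"),
    Vendor("Card payments", "campus card payment processor", 24, {"PAN"}, "medium"),
    Vendor("Help desk outsourcer", "tier-1 help desk", 24, {"PII"}, "high"),
    Vendor("Digital signage", "lobby signage CMS", 168, set(), "low"),
    Vendor("Student health EHR", "clinic records", 8, {"PHI"}, "critical"),
]

if __name__ == "__main__":
    for name, tier, score, exp in triage(SAMPLE_VENDORS):
        print(f"{name:22} {tier:9} score={score} exposures={exp}")
    for name, declared, computed in validate_declared(SAMPLE_VENDORS):
        print(f"REVIEW: {name} declared {declared!r} but RTO/data suggest {computed!r}")
```

In the constructed sample the payment processor was rated "medium" by its owner, but a 24-hour RTO plus cardholder data puts it in the critical tier with a PCI DSS exposure, which is exactly the kind of gap the RTO validation step in the text is meant to surface before you decide which vendors to bring under the program first.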
I will certainly be referring back to vendor management policies and vendor management programs in the future as part of revisiting cloud computing service providers and IT outsourcing vendors and ways to improve performance and reduce risk. Meanwhile, don’t hesitate to drop me a note if something isn’t clear or if I have missed something.