HITRUST Vendor Management Process: Detailed Checklist for Large Enterprises

This checklist lays out the steps used to build a mature vendor management process. It reflects the process used by large healthcare and financial institutions; smaller institutions with limited resources can consolidate these steps to fit their budget constraints.

Several key tasks are specifically called out. The first is identifying the risks involved in your vendor relationships. These risks generally fall into the following categories:

Loss of credit card numbers, bank account numbers or other sensitive information.

Loss of data causing non-compliance with laws or regulations, including GDPR, HIPAA or other state or federal laws.

If a vendor has access to your internal systems, a breach at the vendor could give an attacker a path into your own environment.

Creating an inventory of your vendors can be a large task. The vendor list is often pulled from accounts payable, but you also need to look for vendors that do not flow through that process. These are often SaaS applications, such as Facebook, Dropbox or other file-sharing services, that are free or were purchased by a business unit outside the AP process. Vendor assessments take a lot of time and effort, so only the highest-risk vendors should be allocated the most review time.

Types of assessments:

On-site assessments: rarely conducted, but they provide the most assurance. They are very expensive and require a lot of time to plan, prepare and conduct.

A second type, also rarely conducted, provides the best assurance relative to cost.

Questionnaires: the most common form of vendor assessment. The main problem is that vendors tend to provide generic responses to the questions.

Third-party attestations (for example, SOC reports or HITRUST certification): also very common, particularly for smaller organizations. You need to ensure the scope of the attestation matches the scope of the service the vendor provides to you.

Vendor Management Checklist

  1. Establish which risks relate to your vendor relationships, drawing on the enterprise risk assessment process/document.
  2. Create an inventory of your vendors.
  3. For each vendor, assign a business relationship owner and document a description of the vendor relationship as well as the appropriate vendor contact information. Review the contract for right-to-audit and security language.
  4. Based on the risks identified in item 1, establish a risk ranking (tiering) system for vendors.
  5. Create an assessment strategy for each vendor risk tier.
  6. Map your vendor population to the risk tiers.
  7. Once all vendors are inventoried and ranked, confirm the assessment approach to be applied to each one.
  8. Create or purchase a vendor assessment tool to store your assessment information.
  9. Start the vendor assessment process for each vendor, following track 9a or 9b according to the vendor's risk tier.

Track 9a: questionnaire-based assessment
  1. Review the description of the vendor and schedule a discovery call with the vendor.
  2. Perform the discovery call with the vendor.
  3. Send the appropriate questionnaire to the vendor.
  4. Follow up with the vendor until the questionnaire is completed.
  5. Receive the completed questionnaire and evaluate the responses.
  6. Follow up with the vendor to validate the missing controls.
  7. Create a findings report based on established templates.

Track 9b: questionnaire plus on-site assessment
  1. Review the description of the vendor and schedule a discovery call with the vendor.
  2. Perform the discovery call with the vendor and agree on a time for the on-site assessment.
  3. Send the appropriate questionnaire to the vendor.
  4. Follow up with the vendor until the questionnaire is completed.
  5. Receive the completed questionnaire and evaluate the responses.
  6. Perform the on-site assessment to validate gaps and probe deeper into selected topics.
  7. Create a findings report based on established templates.

  10. Follow up with each vendor on remediation of the high-risk findings identified.
  11. Once all assessments are complete, produce a report ranking vendors by risk.

New vendor onboarding
  12. Establish the scope of systems the new vendor will access or provide.
  13. Review the contract to ensure the right security attachments are added. A right to audit and a requirement that the vendor notify you of a security breach are important clauses; a clause requiring the vendor to pass an onboarding security assessment is also an option.
  14. Review any security attestations the vendor holds. Verify that the scope of the attestation covers the services being provided to you, and check whether those services were covered in previous assessments. If the attestations meet your requirements, skip items 15 and 16 below.
  15. Once the contract is signed, start the vendor outreach process in track 9a or 9b based on vendor risk.
  16. Before go-live, ensure all high and critical risks are remediated.
  17. Allow the vendor to go live.

Non-cooperative vendors
  18. Evaluate the scope of systems the vendor touches and the potential impact.
  19. Review the vendor relationship with the business owner and determine the best course of action: either start the termination process or have the business owner leverage their relationship with the vendor.
  20. If the business owner does not agree to terminate the vendor and the vendor is still not cooperative, the business VP will need to sign off on the risk.

Meet Our Team

James R. Redman, CPA, CISA, CISSP, HITRUST, CCSFP

Partner, Technology Consulting

James is a Cybersecurity and IT compliance professional with over 12 years of security consulting experience in addition to other professional experience. He leads readiness consulting and assessments related to a variety of IT compliance standards including but not limited to NIST, SOC 1/2/3, HITRUST, PCI, HIPAA and Sarbanes-Oxley.

Kate M. Siegrist, CPA, CISA, CRISC, HITRUST CCSFP

Partner, Technology Consulting

Kate Siegrist leads Lurie’s growing technology practice and consults with business owners to help improve their security, compliance, and technology controls posture. As a partner, she oversees the firm’s SOC 1, 2, and 3 practices, security assessments, IT strategic planning services, IT risk assessments, IT governance assessments, business and systems transformations, and controls audits. Kate has been a featured speaker on technology and controls topics relevant in this rapidly evolving arena.


Disclaimer:

This article is for your general education, and does not create a client relationship or any service engagement between you and Lurie LLP. The content of this article is based on the best information available, but official guidance, rules, laws and/or updates may change and become out of date. Please contact your Lurie advisor before acting on any of the information contained in this article.

We may provide links to third-party sources for your convenience, but we do not review, control, or monitor the materials on any other websites. Lurie LLP is not responsible for the performance of those websites or for your business dealings with them.
