Working with vendors who perform specialized tasks has become a vital element of success for today’s businesses navigating an increasingly global economy. Several industries, such as information and medical technologies, rely heavily on vendor relationships to imagine, produce and sell products, or to deliver services.
Whether your business is just starting to build vendor relationships, or it is simply a matter of needing to streamline your vetting process, you may need some ideas about how and where to start.
One key tool to choosing the right vendor for each task or project is to perform a vendor assessment, which is a crucial step in the Service Design phase of the Information Technology Infrastructure Library (ITIL) set of practices for IT service management.
In today’s market, top vendor services include Managed Service Providers (MSPs), cloud hosting, ISP, Disaster Recovery-as-a-Service (DRaaS) and Unified Communication-as-a-Service (UCaaS), and are available to organizations everywhere. A vendor assessment, performed according to ITIL practices, is ideal for assessing vendors who offer these types of services and more.
What is a vendor assessment?
After researching and gathering a healthy list of potential vendors, all promising to offer just what your organization needs regarding a specified service, it is time to verify which vendors are actually up for the tasks. Vendor assessments are also useful for incumbent providers of services so you can compare them to the market.
A vendor assessment allows you to review a list of vendors for an apples-to-apples comparison to ensure consistency for each prospective vendor business. This important step will help you narrow down a longer list of service providers to a far more manageable number of vendors while moving toward making a final decision.
Some vendors may seem like a perfect fit before being placed under closer review, but they may ultimately lack one or more of the important requirements addressed in the vendor assessment. On the other hand, many businesses proceed to take on a smaller vendor that still has room to grow and improve. In this case, it is important that the client business writes this factor into the contract, with the service provider agreeing to work toward optimal alignment.
In either case—and in any other case—a vendor assessment provides you with a set of standard points to help you make the best selection.
What are the key considerations for performing an informative and effective vendor assessment?
The key points and considerations under the Service Design phase of the ITIL practices offer a simple set of guidelines to help you learn what you need to know to determine which vendor companies will rise to the occasion.
Controls – Start a vendor assessment by determining whether the vendor follows some type of framework, such as the System and Organization Control Readiness Examination (SOC) framework, to ensure that they are following IT security best practices for internal and external controls.
One common example of this aspect of the assessment involves making sure there are controls in place to prevent someone from plugging in a USB drive, downloading data from your system, and walking away with it. Explore controls regarding ingress, egress and overall security.
Policies and procedures – Does the vendor company have actual written policies and procedures? Request a copy of their acceptable use policy so you can review it. Some vendors tell clients that they have policies, then cannot produce proof of one, or they send something boilerplate, clearly pulled from a web search. Make sure that each vendor can readily share a set of comprehensive policies and procedures that are verifiably updated and enacted.
Backup and Disaster Recovery/Business Continuity Plan (DR/BCP) – It is particularly important to review each cloud service vendor’s backup plan. A natural or man-made disaster can happen at any time and could put your data at great risk without a series of fail-safes from your vendor.
A few key questions to ask cloud service providers include the following:
- Do they have a backup?
- What is their uptime?
- If they have a disaster, what plans do they have in place for business continuity?
- What is their recovery plan and how long will it take to implement?
For MSPs, approach backup matters by asking the following questions:
- If they have access to your network, what data are they pulling down and keeping?
- Is your data safe when it’s on their servers?
- If the vendor has an issue that causes their service to go down or their facility location to close, such as a power outage, how do they plan to continue to service your account?
- What is their Business Continuity Plan (BCP)?
- Is their BCP written down, and when was the last time it was tested in a tabletop exercise?
- When was the last time they performed a business impact assessment?
- Do they have a backup site to operate from in an emergency?
- What are they doing to ensure that they can continue providing the services to you that they are contractually obligated to do?
A solid DR/BCP strategy is the sign of a diligent vendor who wants to make sure that your data and their services are always protected from disasters and readily available to you.
Security stance and maturity
Digging into each vendor’s security philosophy and stance is essential. As hard as it may be to believe, many businesses still believe a firewall and antivirus are more than enough to stay safe in today’s business environment. That reality passed more than eight years ago. Today’s far more effective trend in security focuses on layering. Make sure vendors practice defense in depth, layering controls so that they understand what is being protected for each client and why.
Here are a few key questions to ask regarding security:
- How are they making sure that client data doesn’t walk out the door?
- How are they protecting data from a ransomware infection or anything else that can spread throughout your network?
- Do they carefully consider which employees should hold domain admin status?
Incident Response (IR) and past events
Data breaches have become increasingly, and unfortunately, common in today’s business landscape. Over the past 10 years, every business has likely experienced some type of intrusion, such as a data breach or a virus. Discuss this with each vendor to find out more about their Incident Response (IR) plan and how it works in their business. Talk to them about previous issues to learn how they handled them, what they learned from them, and how they can use those experiences to keep your system safe.
When you outsource your tasks to vendors, remember that they very likely outsource some aspects of their own business. It’s easy to think that a cloud vendor or MSP can do it all, but like you, they need reinforcements to streamline their operations too. Ask them what they outsource and who else has access to their network and ultimately your data. Your intended vendors may serve as middlemen between your business and their own actual service provider, so make sure to learn who is who.
The final takeaway for vendor assessments: Trust but Verify
In an ideal world, businesses could rely on a handshake and trust before entering into a contract with a vendor. Our real world requires the “trust but verify” approach. The complexities of the internet, as well as rampant cybercrime, dictate the need for vendor assessments, which also serve as an invaluable tool for getting to know your vendors better.
If you are planning an upcoming round of vendor assessments and need more assistance, our team is here and happy to offer additional ideas to put you on the right path to successful, secure and enduring relationships with your vendors.