Data & Vendor Management Strategy

Todd Larson

Data is as much an asset to a company as the dollars and cents on the balance sheet. We live in a digital world where you can buy groceries, order a couch and trade stocks and bonds online. Data flows along with currency: it gets collected, processed, analyzed, traded and even resold. In the digital world, therefore, data is not just an asset; it can be currency itself, a medium of exchange. Trillions of 1's and 0's are moving right now at the speed of light, facilitating transactions and information sharing and fueling the next evolution of the global service economy.

Whew. If you found that last paragraph stressful, then you realize that protecting your firm's assets, its data, is a very important job. Your firm's data is customer data, proprietary data and data related to intellectual capital. Choosing how you share it, when you share it and with whom you share it is a central focus of any firm's data management strategy. Here are a few best practices for a secure data management strategy, particularly for sharing data and treating it like the critical asset that it is.

Know where your data comes from, where it lives, where it is going and how it gets there.

Making sure data arrives securely, is stored securely and leaves securely is a foundation for good data management. Your customers and vendors should support secure transfer methods using the latest encryption standards to protect data in transit and at rest. Whether it's email or another data transfer mechanism, there are ways to ensure secure transport. Internal drive and hardware-layer encryption are best practice as well. If your business partners cannot ensure secure transport, consider finding ones that can.

Doing Onboarding and Regular Vendor Due Diligence

We all have trusted vendors. IT vendors, hosted software solutions with sensitive data and even the cleaning company need regular evaluation. Your vendors are an extension of your firm and you should treat them as such. They have access, sometimes physically and sometimes digitally, to the castle itself: your data. It is best to evaluate vendors with a risk-based approach, where risk is measured in terms of the vendor's market position, its relationship with the firm and, of course, its potential and actual access to sensitive data. Know your vendors like you know yourself. Do they have a sound cyber security program? They better, and you better be able to prove it. Do they have disaster recovery capabilities, and are their operations in general secure? Collecting their SOC 1 and SOC 2 audit reports and evaluating their operational risk needs to be done as you onboard new vendors and, at a minimum, annually thereafter.

Profile sensitive data inside your firm and ensure proper access

Access management, making sure people have enough but not too much permission within systems, is key. This applies to employees and vendors alike. The benchmark is being able to do the job without the risks that come with having too much access. Ensuring this access is consistent and practical is important to any access management strategy.

Mapping out the places where sensitive data lives is critical too. That means knowing, for example, which systems contain PII (Personally Identifiable Information) and ensuring proper access controls on those systems. Sensitive data lives in systems, on paper, on desktops and in spreadsheets on shared drives. It all needs to be inventoried and managed from a risk perspective.

Protect Sensitive data using tools

Sometimes accidents happen. Human error is one of the biggest threats when it comes to data leakage. File scanning tools that review data before an email is sent are one safeguard. File scanning tools that proactively locate sensitive data on common file shares are another. Being secure means keeping security and awareness a top priority at the firm.

Lastly, getting every employee and vendor to sign off

As noted, sensitive data is everywhere, and employees and vendors need access to do their jobs. Make the responsibility formal and real: have all your employees and vendors sign off on the identification and proper handling of data assets and computer systems in general. Create and maintain an “Acceptable Use” policy that details the importance of data management and its implications for employees. Also, include language in contracts with vendors that details SLAs and the implications of sensitive data misuse.

Data is the lifeblood of your business and it's a digital jungle out there. Knowing the lifecycle of data, how it gets processed, accessed, stored and shared, is very important. The firms that understand that and treat customer data as the sacred asset it is truly understand the most important thing their customers value: trust. For more information, let's talk.

About the Author:

Todd joined Sentinel Benefits & Financial Group in 2015. As Chief Information Officer and Chief Information Security Officer, he leads the Information Technology team overseeing the firm’s software development, infrastructure, information security and systems support teams. 