A challenging risk management project that many clients are undertaking is vendor management. Ever since the Target breach, when an HVAC vendor’s employee clicked on a phishing email that allowed an intruder to compromise Target’s system, vendor management has been an issue to be addressed by company data privacy and security teams.
Vendor management is challenging because not all vendors present the same risk to the organization. For instance, the office furniture vendor would not be on the top of the list of risky vendors when determining management of data privacy and security risks.
Just as data mapping and classification identify the organization's highest risk data first, vendor management starts by finding and classifying the highest risk vendors. That is called vendor mapping. The vendors that pose the highest risk to an organization are those with access to its highest risk data, such as human resources and benefits data, customer data, intellectual property data, financial data, and health data. Vendors with that access, whether through direct access to the organization's systems or because the organization discloses the data to them electronically or through paper records, are mapped first.
Once the vendors with access to the highest risk data are mapped, many companies use questionnaires to review the data privacy and security measures those vendors have in place and to determine whether those measures are sufficient for access to the company's highest risk data. If the company wishes to keep using the vendor for services going forward, many state laws and regulations require that, where personal information is accessed by or disclosed to the vendor, a specific contractual measure be in place obligating the vendor to maintain adequate security measures to protect it. Therefore, privacy and security language in contracts with vendors is important for both risk management and compliance.
A helpful tip for mapping vendors is to work with the finance team to capture which vendors appear in the company's accounts payable records. This can quickly identify the ones that are highest risk, such as (this is not an exhaustive list) information technology vendors, records management and shredding companies, and payroll, benefits, accounting, legal, audit, and other professional services providers.