The CompTIA MSP Guidebook: Cultivating a Culture of Process E昀케ciency Policy: 1. The establishment and sustainment of vendor management is a process for identifying and assessing risks and threats with third-party providers that support the organization. 2. Company Name shall designate roles and responsibilities for those involved in vendor management. 3. Company Name shall establish management and technical support for vendor management. 4. Company Name shall develop, document, and disseminate this policy to all employees, contactors and users authorized to access organizational information systems, or systems operated or maintained on behalf of the organization. 5. The policy shall be reviewed and updated at least annually or when a major change impacts the validity of the policy and procedures. It shall be disseminated among personnel with appropriate job functions governed by this policy. 6. The policy shall be consistent with any changes to procurement rules or new or signi昀椀cantly changed contracting laws, regulations or policies. 7. The policy shall direct the development of a plan for vendor management risks associated with the organization’s business practices. 8. Policies, procedures, and vendor management documents shall be protected from unauthorized disclosure and modi昀椀cation. 9. Due diligence and periodic testing. Procedures: • Contract processes shall include vetting third parties and developing contractual language for inclusion into contracts. • Procedures will include review of third-party privacy policies and non-disclosure agreements. Vendor Management Controls and Processes: • Establish a process to determine where IT related processes are conducted on behalf of the organization. • Establish a process or processes to assess vendors that provide third-party IT services. • Assessments should be conducted at least annually and should include a process to mitigate vulnerabilities through a plan of action and milestone (POA&M) process. • The POA&M process should be reviewed by the appropriate organization team member(s) to ensure mitigations are e昀昀ective. • Document selected and implemented vendor management processes and controls in associated system documentation. Risk Management: • Identify risks based on risk tolerance levels and the organization’s mission and data sensitivity. • Assess risks based on applicable laws, regulations, and guidance. • Address and manage risks via corrective action process/POA&M process. • Monitoring of risks, risk tolerance levels and re-assessment and testing follows organizational processes. 30
CompTIA MSP Guidebook Page 29 Page 31