
HITRUST Vendor Management Process: Detailed Checklist for Large Enterprises

Published
Oct 13, 2022

This checklist lays out the steps used to build a mature vendor management process. It is the process used by large healthcare and financial institutions; smaller institutions with limited resources can consolidate it to fit their budget. In addition to the information below, more can be found on our HITRUST CSF Certification page.

Several key tasks are specifically called out:

Identifying which risks are involved in your vendor relationships. Risks can fall into the following categories:

Financial risk
Loss of credit card numbers, bank account details or other sensitive financial information.

Regulatory risk
Loss of data that puts you out of compliance with laws or regulations, including GDPR, HIPAA or other state or federal laws.

Data breach risk
If a vendor has access to your internal systems (a VPN account, an API integration, remote support access), a breach at the vendor can give an attacker a path into your environment. The vendor's access should be treated as part of your own attack surface.

Creating an inventory of your vendors can be a large task. The vendor list is usually pulled from accounts payable, but you also need to look for vendors that never flow through that process. These are often SaaS applications such as Facebook, Dropbox or file-sharing sites that are free, or that a business unit purchased on a corporate card outside the AP process; single sign-on application lists and expense reports are good places to find them. Vendor assessments take a lot of time and effort, so the highest-risk vendors should receive the most review time.

Types of assessments:

Onsite assessments
Rarely conducted, but they provide the most assurance. They are very expensive and require a lot of time to plan, prepare and conduct.

Virtual assessments
Also rarely conducted, but they provide the best ratio of assurance to cost.

Questionnaire
This is the most common form of vendor assessment. The main problem is that vendors tend to give generic responses, so answers need to be validated with follow-up questions or evidence rather than taken at face value.

Review external compliance attestations
This is also very common for smaller organizations. You need to ensure the scope of the attestation (the services, systems and locations it covers, and the period it covers) matches the scope of the service the vendor provides to you; an attestation for a different product line or data center gives you no assurance about your service.

Vendor Management Checklist

Process – Start of the process

  1. Establish which risks relate to your vendor relationships, using the enterprise risk assessment process/document.
  2. Create an inventory of your vendors.
  3. For each vendor, establish a business relationship owner and document a description of the vendor relationship and the appropriate vendor contact information. Review contracts for right-to-audit and security language.
  4. Based on the risks identified in item #1, establish a risk ranking system for vendors.
  5. Create an assessment strategy for each risk tier of vendors.
  6. Map your vendor population to each risk tier.
  7. Once all your vendors are inventoried and ranked, finalize the assessment strategy (which assessment type applies to each tier).
  8. Create or purchase a vendor assessment tool to store your assessment information.
  9. Start the vendor assessment process for each vendor.
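The inventory, risk-ranking and tier-mapping steps above (and the attestation scope check described under "Review external compliance attestations") are the parts of this process that can be made mechanical. The following Python is an added example written for this page, not the article's own tooling: it merges vendor names from accounts payable, the SSO application list and expense reports, flags vendors that never passed through AP, applies a scoring model that maps each vendor to a tier and to one of the four assessment types, and checks an attestation's scope against the contracted service. The source names, vendor names, risk attributes, weights and thresholds are all constructed assumptions; replace them with the output of your own enterprise risk assessment (item 1).

```python
"""Vendor inventory consolidation, risk tiering and attestation scope check.

Added example, not from the original article. All sample data, attribute
names, weights and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample extracts. Names are deliberately inconsistent across
# sources to show why normalisation is needed before merging.
AP_VENDORS = ["Acme Billing Services, Inc.", "Dropbox Inc", "CloudHost LLC"]
SSO_APPS = ["Dropbox", "Slack", "Acme Billing Services"]
EXPENSE_MERCHANTS = ["DROPBOX*DBX", "Canva", "Zoom.us"]

_LEGAL_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|co|gmbh)\b\.?")


def normalize(name: str) -> str:
    """Crude canonical key: lower-case, drop card-statement suffixes
    ("DROPBOX*DBX"), legal-entity suffixes and punctuation."""
    key = name.lower().split("*")[0]
    key = _LEGAL_SUFFIXES.sub("", key)
    return re.sub(r"[^a-z0-9]+", " ", key).strip()


def build_inventory(sources: dict[str, list[str]]) -> dict[str, set[str]]:
    """Merge vendor lists into {canonical_name: {sources it was seen in}}."""
    inventory: dict[str, set[str]] = defaultdict(set)
    for source, names in sources.items():
        for name in names:
            inventory[normalize(name)].add(source)
    return dict(inventory)


def outside_ap(inventory: dict[str, set[str]]) -> list[str]:
    """Vendors seen in SSO or expense data but never in accounts payable:
    the SaaS bought outside the AP process that the checklist warns about."""
    return sorted(v for v, srcs in inventory.items() if "ap" not in srcs)


# Assumed weights for the three risk categories the article names.
WEIGHTS = {
    "pci": 4,                       # financial: card numbers, bank accounts
    "phi": 4,                       # regulatory: HIPAA
    "gdpr_pd": 3,                   # regulatory: GDPR personal data
    "pii": 2,
    "internal_network_access": 4,   # data-breach risk: path into your network
    "privileged_access": 3,         # data-breach risk: admin rights on your systems
}

# Assumed score floors; each tier maps to one of the article's assessment types.
TIERS = [
    (10, "critical", "onsite"),
    (7, "high", "virtual"),
    (4, "medium", "questionnaire"),
    (0, "low", "attestation review"),
]


def score_vendor(attrs: set[str]) -> int:
    """Additive risk score over the vendor's recorded attributes."""
    return sum(WEIGHTS.get(a, 0) for a in attrs)


def tier_vendor(attrs: set[str]) -> tuple[str, str]:
    """Return (risk tier, assessment type) for a vendor's attributes."""
    score = score_vendor(attrs)
    for floor, tier, assessment in TIERS:
        if score >= floor:
            return tier, assessment
    return "low", "attestation review"


def attestation_gaps(attested: dict, contracted: dict) -> list[str]:
    """Parts of the contracted service not covered by the vendor's attestation.
    An empty list means the attestation scope matches the service scope."""
    gaps = []
    for key in ("services", "locations"):
        missing = set(contracted.get(key, ())) - set(attested.get(key, ()))
        if missing:
            gaps.append(f"{key} not in attestation scope: {sorted(missing)}")
    return gaps


if __name__ == "__main__":
    inv = build_inventory({"ap": AP_VENDORS, "sso": SSO_APPS, "expense": EXPENSE_MERCHANTS})
    print("Vendors that never went through AP:", outside_ap(inv))

    # Constructed attributes, as they would be recorded from the discovery call.
    vendor_attrs = {
        "acme billing services": {"pci", "pii"},
        "cloudhost": {"phi", "internal_network_access", "privileged_access"},
        "slack": {"pii"},
    }
    for vendor, attrs in vendor_attrs.items():
        tier, assessment = tier_vendor(attrs)
        print(f"{vendor}: score={score_vendor(attrs)} tier={tier} assessment={assessment}")

    print(attestation_gaps(
        attested={"services": ["hosting", "backup"], "locations": ["us-east"]},
        contracted={"services": ["hosting", "support desk"], "locations": ["us-east"]},
    ))
```

The scoring is deliberately additive and transparent so that a business owner can see why a vendor landed in a tier; the point of item 4 is a ranking system that can be defended, not a precise number. The normalisation is crude by design: any vendor that fails to merge should be resolved by a person rather than by a cleverer regex, because a duplicate record means one vendor gets two assessments while a wrongly merged pair means one vendor gets none.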

Questionnaire-based assessments

  1. Review the description of the vendor and schedule a discovery call with the vendor.
  2. Perform discovery call with the vendor.
  3. Send out the appropriate questionnaire to the vendor.
  4. Perform follow-up communications to have the vendor complete the questionnaire.
  5. Receive the questionnaire back from the vendor and evaluate the responses.
  6. Follow up with the vendor to validate any missing controls and to request evidence for answers that look generic.
  7. Create a findings report based on established templates.

Onsite-based assessments

  1. Review the description of the vendor and schedule a discovery call with the vendor.
  2. Perform discovery call with the vendor and determine an onsite assessment time.
  3. Send out the appropriate questionnaire to the vendor.
  4. Perform follow-up communications to have the vendor complete the questionnaire.
  5. Receive the questionnaire back from the vendor and evaluate the responses.
  6. Perform an on-site assessment to validate gaps and probe deeper into certain topics.
  7. Create a findings report based on established templates.

Remediation

  1. Follow up on remediation of the high-risk findings identified with each vendor.
  2. Once all assessments are completed, create a report showing vendors ranked by risk.

New vendor onboarding

  1. The scope of systems the new vendor will access is established.
  2. Contracts are reviewed to ensure the right security attachments are added. A right to audit and an obligation on the vendor to notify you of a security breach are important clauses. A clause requiring the vendor to pass the onboarding security assessment is also an option.
  3. Review any security attestations the vendor already holds. Verify that the scope of the attestation covers the services being contracted, and check whether those services were covered by any previous assessment. If the attestations meet your requirements, the assessment outreach in step 4 can be skipped.
  4. Once the contract is signed, start the vendor outreach process under "Questionnaire-based assessments" or "Onsite-based assessments" above, depending on the vendor's risk tier.
  5. Before go-live, all high and critical risks are remediated.
  6. Allow the vendor to go live.

Non-responsive or uncooperative vendor

  1. The scope of the vendor's systems access and the impact of a breach are evaluated.
  2. Review the vendor relationship with the business owner and determine the best course of action: either start the termination process or have the business owner leverage their relationship with the vendor to obtain cooperation.
  3. If the business owner does not agree to terminate the vendor, or the vendor is still not cooperative, the business VP will need to sign off on accepting the risk.


Kate M. Siegrist

Kate Siegrist is a Partner with over 20 years of combined experience advising CEOs, CISOs and CIOs. She helps her clients navigate highly regulated industries to ensure business opportunities are not missed due to compliance burden.
