IDG Contributor Network: Think of ‘insiders’ when drafting and implementing security policies

To build upon my previous articles about security threats posed by vendors, today we focus on a very specific and frequently overlooked element of vendor risk mitigation: vendor personnel working within customer facilities and using customer systems. 

Most businesses today have security policies and procedures in place for their own personnel.  Some even expressly extend those policies and procedures to their agents, contractors and vendors.  Few, however, take the time to ensure that vendor personnel are actually presented with and bound by those policies and procedures while performing services for the customer.  Fewer still include specific language in their vendor agreements that makes this obligation clear.

Below, I discuss some key issues surrounding this risk and real-world examples of it playing out, and I provide example contract language for mitigating it in vendor agreements.  In addition, while this post focuses on vendor personnel, don’t forget temporary workers and contingent workforce personnel.  They should also be considered when mitigating this risk.

Almost every business has a range of vendors and vendor personnel on site at their facilities, rendering services on an ongoing basis.  In some instances, those personnel may be on site for weeks or even months using the customer’s systems, sitting in customer-furnished offices and walking around customer facilities.  As such, those personnel should be appropriately trained by customer staff and bound by the same security policies and procedures as the customer’s own personnel.