Vendor Risk Assessment and Onboarding Procedure (SEC-PROC-005)
1. Purpose
To detail the process for assessing a new vendor’s security posture before engagement, ensuring the vendor meets the company’s security requirements.
2. Scope
This procedure applies to all new vendors that will handle, store, process, or transmit company data, or will be connected to the company’s network or systems.
3. Overview
This procedure outlines the steps for conducting due diligence on prospective vendors. It includes initiating the request, classifying the vendor’s risk level, performing a security assessment tailored to that risk level, and obtaining formal approval before a contract is signed.
4. Procedure
Step | Who | What |
---|---|---|
1 | Business Owner | Initiates a new vendor request and provides details about the services and data involved. |
2 | Security Team | Classifies the vendor’s inherent risk level (e.g., High, Medium, Low) based on the nature of the service and data access. |
3 | Security Team | Performs due diligence activities based on the risk level. This may include sending security questionnaires, reviewing SOC 2 reports, or conducting technical calls. |
4 | Security Team | Documents the findings in a Vendor Risk Assessment Report and provides a recommendation. |
5 | Business Owner/Management | Reviews the assessment report and formally approves or denies the vendor engagement. |
6 | Legal/Procurement | Executes the contract only after receiving formal approval from the security review. |
5. Standards Compliance
Procedure Step(s) | Standard/Framework | Control Reference |
---|---|---|
1-6 | SOC 2 | CC9.2 |
1-6 | HIPAA/HITECH | 45 CFR § 164.308(a)(1)(ii)(A) |
6. Artifact(s)
A completed Vendor Risk Assessment Report.
7. Definitions
SOC 2 Report: A report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
8. Responsibilities
Role | Responsibility |
---|---|
Business Owner | Initiates the vendor request and acts as the primary point of contact for the vendor relationship. |
Security Team | Conducts the risk classification and due diligence assessment and produces the final report. |
Management | Provides final approval for vendor engagement based on the risk assessment findings. |