“Recent research from the IT Policy Compliance Group reveals that approximately one out of five enterprises does not invest sufficient effort to manage vendors and vendor-provided services effectively,” said Nikolaos Zacharopoulos, CISA, CISSP, senior IT auditor at DeutschePost-DHL and member of ISACA’s Guidance and Practices Committee, in a statement. “This means that enterprise requirements and standards are not properly incorporated into vendor contracts, ownership of information being handled by vendors remains unclear, and access to information is not guaranteed if the vendors go out of business.”
The guidance is timely as adoption of cloud services continues apace. A recent Cloud Industry Forum (CIF) survey of IT directors found that cloud and cybersecurity are at the top of the list of CIO concerns (84% of respondents say they are concerned about IT security breaches). However, fewer than half (45%) of the companies surveyed said that they actually test their cloud vendors' security systems and procedures, as opposed to relying on contractual assurances or the vendor's own attestations.
The ISACA publication emphasizes that IT vendor management is not solely IT’s responsibility, and clarifies the responsibilities of stakeholders within the enterprise.
“As companies worldwide are turning toward fewer – but much more integrated – vendors, they are benefiting from a single point of contact. However, they are simultaneously increasing risk to the enterprise, and that risk needs to be managed rigorously by all stakeholders,” said Zacharopoulos. “The COBIT 5 framework provides tested guidance to help them effectively govern these relationships so they deliver maximum value with minimum risk.”
The COBIT 5 framework has typically been applied to in-house IT, but businesses are increasingly borderless, with partners, vendors, customers and contractors all sharing, or having access to, the same set of mobile and/or cloud-based tools for communication and collaboration. Shared access of that kind has the potential to open up significant security holes, since a weakness in any one party's controls exposes the data of all of them. By applying COBIT 5, enterprises can maintain a balance between realising benefits and optimising risk levels and resource use, because the framework covers the full end-to-end set of business and functional areas of responsibility and considers the IT-related interests of both internal and external stakeholders, ISACA noted.