Vendor Management Guide: SIG/BCP Assessment Findings
Purpose: This guide is designed to help vendor managers understand, discuss, and remediate common findings from a security, governance, and business continuity assessment. For each issue, it explains the business risk, suggests corrective actions, identifies responsible parties, and outlines what evidence to request from the vendor to confirm the issue is resolved.
How to Use: When a vendor flags an item, use this table to understand the underlying risk and guide the conversation toward practical remediation. The "Suggested Owner" column indicates which vendor roles are typically best suited to address the issue.
Governance
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| Crisis Team has not been identified | Without a defined team, response is delayed and uncoordinated during disruptions. | Identify key staff (e.g., leadership, IT, communications) responsible for managing incidents. | CEO or Operations Lead |
| Crisis Team roles have not been defined | Team members may have conflicting responsibilities or miss critical tasks because expectations are unclear. | Define and document specific responsibilities for each role (e.g., who declares a crisis, who talks to the media). | CEO or Crisis Team Lead |
| Employees are not aware of Crisis Team members | Staff confusion can lead to slow response or misinformation. | Communicate team details internally via policy or training. | HR / Comms Lead |
| Crisis Team members do not know their roles | The team is ineffective during a real event, as members are unsure of their immediate actions. | Conduct role-specific briefings and scenario walkthroughs. | Crisis Team Lead |
| Crisis Team operating plans do not exist | No structured guidance on what to do during crises. | Develop a basic crisis operating plan (checklists, contact lists). | Crisis Team Lead |
| Operating plans not shared with whole Crisis Team | Creates inconsistent responses across functions. | Circulate the plan and store it in a shared, secure location. | CEO or Operations Lead |
| Control room/meeting location does not exist for Crisis Team | The Crisis Team lacks a dedicated space to coordinate responses and manage information flow, causing delays and confusion during an incident. | Identify or designate a physical or virtual “war room” for crisis coordination; include details in the continuity plan. | Senior Management |
Document Management
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| Document backup processes do not exist | Loss of critical data halts operations. | Implement regular (daily/weekly) backups for essential data. | IT or Operations |
| Critical documents not backed up | Risk of permanent loss of key records. | Identify and maintain a prioritized list of "critical" documents to ensure they are included in backups. | IT or Document Owner |
Financial
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| Insufficient insurance coverage for disruptions | A major incident leads to financial losses (e.g., business interruption, ransom payments) that are not covered, threatening solvency. | Review business insurance policies with a broker to ensure adequate coverage for cyber, errors & omissions, and business interruption. | CFO / Finance Lead |
| Additional capital options not discussed | The company has no financial runway to survive a prolonged disruption, leading to insolvency. | Explore and document potential sources of emergency capital (e.g., line of credit, investor options). | CFO / Finance Lead |
| No short-term (<3 months) financing plan exists | The company cannot meet immediate financial obligations (payroll, rent) during a disruption. | Develop a 13-week cash flow forecast and identify funds to cover essential short-term costs. | CFO / Finance Lead |
| No long-term (>3 months) financing plan exists | The company cannot fund its recovery and return to normal operations after a major event. | Create a longer-term financial recovery strategy as part of the overall Business Continuity Plan. | CFO / Finance Lead |
Operational
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| Key risks not identified | The company is unprepared for likely threats (e.g., power outage, key person loss, supply chain failure). Unknown vulnerabilities hinder preparation. | Conduct a basic risk assessment (brainstorming session) to identify top 5-10 threats to the business. | BCP Lead / Ops Lead |
| Business impact not assessed | The company doesn't know which functions are most critical, so it can't prioritize recovery efforts effectively. | Perform a simplified business impact analysis (BIA). | Operations Lead |
| Workarounds do not exist for critical functions | Operations halt completely during a disruption because there is no manual or alternative way to function. | For each critical function, brainstorm and document temporary manual workarounds (e.g., paper forms, alternate processes). | Department Heads |
| IT team not involved in creation of workaround and recovery plans | Technical feasibility is not considered, making the planned workarounds or recovery steps impossible to implement. | Include IT in planning meetings and have IT sign off on recovery steps. | IT Lead |
| No actions taken to prevent cyber attacks | High exposure to attacks or downtime. | Implement foundational security measures: antivirus, software patching, employee training, and secure configurations. | IT or Security Lead |
| Third-party disruptions could impact the company’s ability to operate | No fallback if vendors fail. | Identify critical vendors and discuss their BCP, or identify and qualify alternative suppliers. | Procurement Lead |
| Workarounds not in place for all critical services | Some parts of the business remain down even if others recover, preventing full operation. | Ensure all essential functions have defined backups. | Operations Lead |
| Vendors have not taken cyber prevention action | A breach at a vendor's site can directly impact your company's data and operations (supply chain attack). | Include basic cybersecurity requirements in vendor contracts and periodically request evidence of compliance. | Procurement Lead |
| No IT Continuity plans have been created | IT systems cannot be recovered in a timely manner, preventing the business from resuming operations. | Create a simple IT recovery plan (contacts, recovery time and recovery point objectives (RTO/RPO)). | IT Lead |
| Alternate business location not identified | Work halts during site loss. | Identify backup workspace or remote work option. | Ops Lead / Facilities |
| No relocation plan exists for employees and/or operations | Employees lack direction if site unusable. | Create a simple relocation plan covering logistics, communication, and setup at the alternate site. | Ops Lead / Facilities |
| Alternate suppliers not identified | A disruption with a primary supplier halts production or a key service. | Identify and pre-qualify at least one alternative for all critical suppliers. | Procurement / Ops Lead |
| Peers or backup partners not identified | For specific functions, there is no one who can provide temporary support or capacity. | Establish a mutual aid agreement or identify a partner company that can provide temporary support. | Senior Management |
| No plan exists for internal communications | Employees are left in the dark, rumors spread, and productivity plummets during a disruption. | Develop a communication plan outlining how to reach employees (mass notification, phone tree, status page). | Comms Lead / HR |
| No plan exists for external communications | Customers, partners, and the media receive inconsistent or damaging information, harming reputation. | Develop pre-drafted templates for key scenarios and contact lists, and designate a single spokesperson. | Comms Lead |
| No plan to train employees on Business Continuity | Staff unprepared to act during crises. | Schedule and mandate annual BCP awareness training for all employees. | HR / BCP Lead |
| Business Continuity training not for all employees | Gaps in organizational knowledge create confusion and non-compliance during an incident. Critical staff may be unprepared. | Ensure training is included in onboarding and required for all staff, including senior leadership. | HR |
| Simulations not included in Business Continuity training | The plan is theoretical and untested; real response uncertain; gaps and issues are only discovered during a real crisis. | Conduct an annual tabletop exercise for the Crisis Team to walk through a realistic scenario. | Crisis Team Lead |
Information Security
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| Does not follow any Security Framework | Security efforts are ad-hoc and inconsistent, leaving gaps that can be easily exploited. | Adopt a recognized framework (e.g., CIS Controls, NIST CSF) as a guide for building a security program. | CISO / IT Lead |
| Sensitive data and systems not classified and labeled based on criticality | Mismanagement of sensitive information. All data is treated the same, so security resources are wasted on non-critical data while critical assets are under-protected. | Create a data classification policy (e.g., Public, Internal, Confidential) and inventory critical systems. | CISO / IT Lead |
| Sensitive Data not Encrypted | If data is stolen or lost, it can be easily read and misused, leading to compliance breaches and reputation damage. | Implement encryption for sensitive data at rest (databases) and in transit (websites, VPNs). | IT Lead |
| No MFA required for critical systems | Stolen or weak passwords easily lead to unauthorized access to the most important systems (e.g., email, financial). | Enable Multi-Factor Authentication (MFA) on all remote access and privileged/admin accounts. | IT Lead |
| Systems not monitored for Security Threats | Intrusions and malicious activity go undetected, allowing attackers to dwell in the network and cause more damage. | Implement basic logging and monitoring, or use a Managed Detection and Response (MDR) service. | IT Lead |
| No Incident Response Plan in Place | When a security incident occurs, the response is chaotic and slow, increasing the scope and cost of the breach. | Develop a simple Incident Response Plan outlining steps to detect, contain, eradicate, and recover. | CISO / IT Lead |
Privacy
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| Collects, stores or processes personal or sensitive data | The company is subject to data privacy regulations and faces legal and financial risk if this data is mishandled. | Maintain an inventory of what personal data is collected, why, and where it is stored. | Legal / Data Privacy Lead |
| No Privacy Policy exists | Customers and regulators have no visibility into how their data is handled, leading to distrust and non-compliance. | Draft and publish a Privacy Policy that explains data collection, use, and sharing practices. | Legal |
| Not compliant with Data privacy regulations | The company faces significant fines, lawsuits, and loss of business license for violating laws like GDPR, CCPA, etc. | Conduct a gap analysis against applicable regulations and create a project plan to address gaps. | Legal / Data Privacy Lead |
Human Resources (Security)
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| Does not conduct Background Checks | The company is at higher risk of insider threat, fraud, or employing individuals not suitable for a position of trust. | Implement background checks as a standard part of the pre-employment process for all new hires. | HR Lead |
| No security and confidentiality training during new hire Onboarding | New employees are not made aware of their security responsibilities from day one, making them a vulnerability. | Incorporate mandatory security and privacy awareness training into the onboarding checklist. | HR / IT |
| No Offboarding procedure | Former employees retain access to systems and data, creating a significant security risk. | Create a standardized checklist to disable system access, recover company assets, and conduct exit interviews. | HR / IT |
| No Employee Cyber Training | Employees are the first line of defense but are not trained to recognize phishing or other common attacks. | Provide annual security awareness training that includes phishing simulation. | HR / IT |
Physical Security
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| No Physical Access Controls | Unauthorized individuals can easily enter facilities, leading to theft, vandalism, or harm to employees. | Implement basic access controls (e.g., key cards, badges) for all entrances, with access logged. | Facilities Manager |
| No Visitor Management | There is no record of who is in the building and when, posing a security and safety risk. | Implement a visitor log system (digital or paper) where all guests must sign in and be escorted. | Facilities Manager / Reception |
| No physical surveillance | There is no deterrent for crime and no evidence collected if an incident occurs on-site. | Install security cameras at key entry/exit points and other sensitive areas. | Facilities Manager |
| No backup power for critical facilities | A power outage causes an immediate halt to all IT and operational functions. | Assess the need for a UPS (for short outages) or generator (for prolonged outages) for critical systems. | Facilities Manager / IT |
Third Party Management
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| No Third Party Vendor Assessments | Blind to supplier risk exposure. The company has no visibility into the security practices of its vendors, creating supply chain risk. | Implement a process to assess critical vendors (e.g., using a questionnaire) before contract signing and periodically. | Vendor Manager / IT |
| No Third Party Cyber Requirements | Supply chain vulnerable to breaches. Vendors are not contractually obligated to maintain basic security, leaving your data with them unprotected. | Include security and data protection clauses in all vendor contracts. | Legal / Vendor Manager |
| No Subcontractor Oversight Standards | Nth-party risks unmonitored. A vendor can outsource your work to a less secure "fourth party" without your knowledge or consent. | Require vendors to notify you of subcontractor use and flow down the same security requirements. | Legal / Vendor Manager |
| Third-party incident notification not required | Delayed awareness of vendor breaches. A vendor has a breach impacting your data, but they are not required to tell you, delaying your response. | Include a clause in contracts requiring vendors to notify you of security incidents within a specified timeframe. | Legal |
Compliance and Audit
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| No security or compliance requirements | Gaps against standards or laws. There is no internal standard to measure against, leading to inconsistent and non-compliant practices. | Define and document internal security policies that are required for all employees and systems. | CISO / Legal |
| No Audits | Risks remain unidentified. There is no independent verification that security controls are in place and working effectively. | Conduct internal or external audits of key controls (e.g., access reviews, policy compliance) annually. | Internal Audit / BCP Lead |
| Not Regulatory Compliant | Legal exposure. The company operates outside the law, facing fines, legal action, and loss of operating licenses. | Identify all applicable regulations and create a compliance roadmap with assigned owners. | Legal / Compliance Lead |
Legal
| Attention Point | Why It Matters | Suggestions for Remediation | Suggested Owner(s) |
|---|---|---|---|
| Material Legal Disputes Exist | Ongoing litigation diverts resources, creates financial liability, and can damage the company's reputation. | Ensure the Crisis Team is aware of material disputes as they may be exacerbated by or impact response to a crisis. | Legal / Senior Management |
| Contractual Obligations affect business continuity or risk exposure | The company may be in breach of contract if it cannot deliver services during a disruption, leading to penalties. | Review key contracts for continuity clauses and ensure the BCP can meet those obligations. | Legal |
| Cyber Liability or Errors & Omissions insurance not in place | The company is fully liable for the financial costs of a cyber incident or professional error. | Purchase insurance policies tailored to cover cyber incidents and professional liability. | CFO / Legal |
| Involved in regulatory investigations in the last 3 years | This indicates potential underlying compliance issues that could resurface and require significant resources. | Document lessons learned from past investigations and ensure corrective actions are complete. | Legal |