Vendor Compliance Program

The ISG-VCP Managed Program offers a systematic and uniform method for establishing an Information Security Vendor Compliance Program (VCP). This program features a detailed Concept of Operations (CONOPS), which sets forth clear protocols to periodically validate that vendors comply with the Minimum-Security Requirements (MSR) formulated and instituted by the ISG-VCP Managed Program. These requirements are tailored to align with your organization’s specific security policies and standards, taking into account all pertinent legal and regulatory requirements.

Validate the Security Posture of your Vendors

Secure your business in today's interconnected world with our Vendor Compliance Managed Program. Our expert Information Security Analysts will assess your vendors' security measures, identify gaps, and develop remediation action plans to ensure they meet your organization's data protection and privacy standards. Contact us today to safeguard your business, elevate your security strategy, and reinforce uninterrupted business continuity.

Vendor Security Compliance Certification

Following internal due diligence, the ISG-VCP team conducts an in-depth security assessment against a scoped baseline of Minimum-Security Requirements. Additionally, the ISG-VCP team checks for any past security incidents, evaluates the vendor's reputation within the industry, and archives evidence of compliance with key controls, such as penetration tests, policies & standards, vulnerability & patching, and periodic access reviews.

Contract Review & Negotiation

The ISG-VCP team will sometimes require that service agreements and requests for proposals include clauses obligating vendors to maintain a high level of security, notify Transit of any breaches, and allow for regular security assessments.

Procurement Risk Review

Prior to evaluating vendors for adherence to established policies and standards, a comprehensive review of the solutions is conducted to confirm their suitability and effectiveness. This approach is akin to the “Secure-by-Design” principle, which mandates the integration of security measures right from the stage of specifying requirements.

Vendor Offboarding

The offboarding process is a critical step in maintaining a secure information environment. It involves securely and systematically removing a vendor’s access to organizational systems and data when their services are no longer required, or their contract has ended. This process includes revoking credentials, ensuring the return or secure disposal of any organizational assets, and conducting a thorough security review to ensure that no remaining security risks exist. It is important to ensure that former vendors cannot access sensitive information or systems. The offboarding process may also involve transferring services or functions to another vendor or bringing them back in-house. Planning and executing this process carefully is essential for a successful transition.

Modernize your Organization's Information Security Programs

Schedule an overview session with a Client Success Specialist to begin your journey toward a different kind of security service provider.

Composable Security. Consistent Work Quality. Better Outcomes

Integrate advanced Managed Detection & Response (MDR) with Governance, Risk Management, and Compliance (GRC) management for a comprehensive cybersecurity solution that strengthens risk management, ensures regulatory compliance, and enhances incident response efficiency. This unified approach delivers proactive threat mitigation, streamlined compliance processes, and swift, strategic incident handling, transforming cybersecurity challenges into strategic assets for secure, resilient business operations.