Knock Your Next Vendor Audit Out of the Park

Here in the Pacific Northwest, many businesses act as third-party vendors for major tech companies. 

One of the challenges of being in that role is figuring out how to comply with their advanced cybersecurity requirements, or worse, dealing with a random audit from your client.

Take Microsoft, for example. With so many verticals — software, enterprise cloud, hardware, gaming, and so on — the Redmond giant relies upon an army of smaller companies to supply the products and services their employees need. They’re also under constant scrutiny from customers, regulators, and the media.

Because of this, Microsoft and similar organizations have strict rules and practices for third-party vendors. And when they conduct an audit, the requirements for which vendors must show evidence of compliance are extremely detailed.

How detailed? Here are some actual requirements for vendors from a large company in all their complex, legally approved glory:

All [company information] deleted by Vendor will be deleted, (a) in accordance with the NIST SP 800-88 Revision 1, Guidelines for Media Sanitization, December 18, 2014, (b) through degaussing of magnetic media in an electromagnetic flux field of 10,000+ Gauss, (c) by shredding or mechanical disintegration that results in particles smaller than 2x2 mm, or (d) through such other standards [company] may require based on the classification and sensitivity of information.

Vendor will not subcontract or delegate any of Vendor’s obligations under this Security Policy to any subcontractors, affiliates, or delegates (collectively, “Subcontractors”) without [company’s] prior written consent. Notwithstanding the existence or terms of any subcontract or delegation, Vendor will remain responsible for the full performance of Vendor’s obligations under this Security Policy. The terms and conditions of this Security Policy will be binding upon Vendor’s Subcontractors and personnel. Vendor will (a) ensure that Vendor’s Subcontractors and personnel comply with this Security Policy, and (b) be responsible for all acts, omissions, negligence, and misconduct of Vendor’s Subcontractors and personnel.

Before disposing (in any manner) of any hardware, software, or any other media that contains, or has at any time contained, [company information], Vendor will perform a complete forensic destruction of the hardware, software, or other media so that none of the [company information] can be recovered or retrieved in any form. Vendor will perform forensic destruction in accordance with the standards [company] may require based on the classification and sensitivity of the [company information].

  • 2.4.1 Vendor will not sell, resell, donate, refurbish, or otherwise transfer (including any sale or transfer of any such hardware, software, or other media, any disposition in connection with any liquidation of Vendor’s business, or any other disposition) any hardware, software, or other media that contains

These are just some of the more technical requirements an audit will dig into. There will also be specific requirements about labor practices, ethical conduct, and environmental and social standards that you will need to provide evidence you are following.

In other words, it’ll be a lot of work just to show you should still have work.

Surviving a vendor audit

If you’re a small or mid-sized business acting as a third-party vendor for one of the big boys — or are looking to become one — responding to vendor audits quickly and factually is one of your most important jobs.

It’s also one of the most tedious, time-consuming, and stressful things you routinely need to do.

That’s why using a managed IT services provider (MSP) to respond to vendor audits is something you should consider. Here are six reasons why:

1. Expertise in audit compliance
MSPs know how to manage IT environments that align with the specific compliance requirements of major vendors like Microsoft. They also stay current on evolving vendor standards, licensing models, and compliance frameworks.

2. Streamlined process
MSPs can perform pre-audit checks to ensure your systems and documentation are in order before the audit, and can centralize and organize the necessary data so you can provide accurate and timely information during the audit.

3. Risk mitigation
MSPs identify and address potential gaps in compliance that could trigger penalties or legal issues, and can reduce the likelihood of bad audit findings by continuously monitoring your IT systems.

4. Lower costs
MSPs help optimize software licensing so you only pay for what you need, and by managing the audit process for you, they’re able to reduce disruptions to your business.

5. Vendor relationship management
MSPs can act as a go-between for you and the company you’re a vendor for, as well as negotiate on your behalf.

6. Post-audit support
If an audit reveals non-compliance, MSPs can quickly implement corrective actions for you and help establish processes that maintain compliance and prepare you for future audits.

Cost of doing business

When you’re a third-party vendor, audits are a cost of doing business. You are an extension of another company, and need to stay within their good graces by following their technical and operational expectations.

Working with a managed IT services provider for vendor audits can keep your business consistently compliant, ready to answer the tough questions an auditor will ask, and prepared for the audits that will follow.

Kevin is the Founder and CEO of Dynamic Computing. He’s both a visionary leader and an expert hands-on practitioner with years of experience in all things IT. Dynamic Computing makes technology work for top-performing small to mid-sized organizations in the Seattle area. We offer managed IT services, IT consulting and transformations for companies from a few to a few hundred employees. Kevin founded Dynamic Computing in the year 2000 while attending the Foster School of Business at the University of Washington. As a fourth-generation small business owner and entrepreneur, Kevin knew that small to mid-sized companies needed a better solution to help guide and support their use of technology. So he set out to build a company that would look closer to truly understand our clients' businesses and partner with them to guide and support them on their path. Over the past few years, we've focused our energy on growth, change and improvement, scaling our operations and improving our processes with every step. We've managed to triple the size of our team and revenues while consistently ranking among the best in class for industry performance. Kevin was recognized as a 40 under 40 honoree by the Puget Sound Business Journal in 2018 and as Washington State's Mr. Future Business Leader by FBLA in 1998. So what’s next? Well, we're building the premier managed IT services company in the Pacific Northwest and we won’t stop until we get there. We hope you’ll join us on our journey.