Vendor Security Alliance tweaks auditing system to be GDPR compliant

The non-profit alliance has added GDPR compliance to its yearly vendor auditing system and announced it will be taking on new members for the first time.
Written by Asha Barbaschow, Contributor

Vendor Security Alliance (VSA), a coalition of companies aiming to improve internet security, has announced it will be conducting outsourced audits for member companies, audits intended to satisfy the third-party due diligence requirement of the General Data Protection Regulation (GDPR).

The GDPR comes into effect in May 2018, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where each piece of data is stored.

Organisations that fail to comply with the regulation requirements could face administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

One of the requirements under the GDPR is that companies must carry out effective due diligence for vendor management.

According to VSA, this means that companies are responsible for making sure their vendors are risk-evaluated appropriately. If there is a security breach for a company's vendor and the company had not carried out effective vendor due diligence, the company will be found liable.

The VSA questionnaire is an accepted industry standard that the alliance said can be relied on to satisfy the vendor management due diligence component of the GDPR.

The yearly questionnaire is expected to be used to benchmark vendor cybersecurity risk, and aims to establish clear expectations for vendors.

"The main focus of the questionnaire is to protect data no matter where it is," VSA explained in a statement. "It's centred around the basis of a flexible standard."

The questionnaire first asks the vendor what type of data it handles, and then works through the steps to ensure it has appropriate controls for that type of data. For example, an email newsletter service that collects email addresses would have a lower bar than a service that processes financial transactions and collects credit card numbers.

VSA launched at the end of September 2016 as a side project of Ken Baylor, Uber's head of compliance.

It caught on more quickly than Baylor and his co-founders expected -- around 8,000 companies had downloaded its survey by February 2017.

VSA kicked things off initially with nine member companies -- Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb.

However, on Monday VSA also announced that it is officially accepting new members for the first time since launch, with Adobe, Coinbase, Rapportboost.ai, Whistic, Taskus, and Replicated also joining the coalition.

Any company can download the questionnaire for free; however, member companies are included in the working group that creates the questionnaire and they also have access to VSA's proprietary scoring mechanism for applying the questionnaire to vendors.

Member companies also have access to the list of every vendor audit that the VSA has completed. If a member company has, say, 30 vendors it needs to audit, it can send the list to the VSA and find out which ones have already been audited.

Membership, however, is priced at $10,000 per year.

VSA is also partnering with the Whistic SaaS platform to conduct vendor audits on behalf of members.
