Your Vendor, Your Responsibility: 10 Key Elements for Vendor Selection Criteria

Supplier and vendor vetting is a critical security activity that is sometimes treated lightly, even by otherwise secure organizations. If you share client data with your vendors, it is imperative that they maintain at least the same level of security as your own organization.

Vetting can be performed in house or outsourced to an independent third party; the latter approach makes the interviews and the vetting process easier to run. Vendor screening should apply to every potential supplier with whom an organization does business. Your clients rely on you to protect their sensitive information, so it is important that your vendors have safeguards in place to keep that information safe and secure. In addition, all security compliance standards, and the law, require due diligence of business owners who have access to, maintain, or store a consumer’s sensitive information. If it’s your vendor and there is a security issue, it is YOUR fault. The following are the key elements to review when considering vendors.

Years in Business, Sustainability and Financial Stability

You need to know that the company is established and ready to service your requirements. How many years have they been in business? Examine their website and judge its professionalism. Google their address to ensure it is not someone’s home address. Use Dun and Bradstreet as a source to determine the financial stability of the vendor. The last thing you want is to be forced to change vendors because one of them has gone out of business, especially at an inopportune time. If you have access, check the Department of Labor’s federal debarred list. If the government will not work with the vendor, then you shouldn’t either.

Staffing

Do they run background checks on employees, and are they bonded? If someone regularly comes to your facility to perform maintenance, it is good to know that a background check was performed. If not, it calls their due diligence into question. Also verify that rescreening is performed; a ten-year-old background check may not be worth much. Finally, check whether the vendor is subcontracting your work to someone else.

Ability to Consistently Supply Products or Services

You need your products and services on a regular basis. A vendor with supply issues will affect your ability to service your own customers, so this is an important factor when selecting a vendor. You don’t want to be forced to switch to a new vendor with limited time to verify them because you need the product right away. A reference check can help determine this.

Substantial Catalogue of Products or Range of Services

This not only indicates an established vendor of some size, but also gives you flexibility in your ordering. As your needs grow, you can stay with the same vendor and minimize the number of vendors you deal with, which reduces risk.

Availability of Internal Experts that can Answer Questions You May Have

This is especially pertinent if you are purchasing a high-value service, but we all need expert help at some time or other.

Testimonials and References

These are valuable for determining whether the vendor is as reliable as they purport to be. Check at least two references.

Adherence to Federal Regulations

Do they adhere to government regulations? Do they hold any certifications, e.g. ISO? If they interface with your systems, how do they address security? Are they FISMA compliant, or, if they are a cloud provider, are they FedRAMP compliant? If they have not heard of these regulations, that is a big warning sign. Ask for copies of their HIPAA, PCI, SOC or FISMA audits; they should oblige as long as you sign an NDA.

Customer Service

Customer service is always an important part of any relationship. What is the availability of ordering and help staff? Are they cordial, professional and easy to contact? No one likes hanging on the end of the phone being told by a machine that “your call is important to us”!

Product Fit for Use

Define your requirements and ensure the vendor states in writing that they can provide the product you need. Also examine their warranties to determine whether the risk sits with them or with you.

Attestation

Make them sign off in writing that they meet your security requirements. We use a formal checklist that includes all of the controls they agree to, and we make them sign it.

Don’t risk being at fault for your vendor’s lack of security.  Have BSC Systems perform an independent review of your vendors – getting started is as easy as requesting a free consultation.