Asking Vendors the Right Questions About Data Protection

At a recent ATLIS webinar, industry experts were invited stock share a "Cybersecurity Update" for our community. As the webinar came to a close, a vital question remained unanswered in the chat, so we followed up with our panelists for an answer. In this post, you will find responses from Buddy Pitt, Director of Technical Development for the Network Support Company, and Alex Inman, Founder and Senior Collaborator for Educational Collaborators, on asking vendors the right questions about data protection.  [10-minute read; video archive included in resources]

What are the best questions to be asking our vendors to ensure that we are getting the information about security or prevention measures they have in place, their data retention policies, etc.?


Buddy Pitt
Director of Technical Development
Network Support Company

Here's a process I recommend for this:

First, identify vendors that have access to “Private Data” or have physical/digital access to your network.

Next, see if there are any mitigation steps needed to reduce the risk level (inherent risk is what you start with, residual risk is what is left after your mitigation steps have been implemented). If the residual risk is still considered “high,” then you want to engage the vendor to see how they are keeping that private data secure.

Vendors will not give you a detailed descriptions of how they secure your data because that would, as a practice, only introduce more risk.So what you are looking for is a statement from a third party auditor certifying that their processes and procedures are effective at mitigating risk. This is normally in the form of a SSAE16 SOC2 Type II certification. A Type I certification is only a point in time audit. The Type II certification has a “look back” period where the auditors can look at logs or activities and ask the vendor to produce evidence that they followed an effective process during an event. This can be anything from a cyber incident response to an employee termination process or anything in-between. The auditors at the end will write up a report for the company they audited and provide a statement about the outcome. Most vendors will not provide the full SOC report, only the statement of compliance.

headshotAlex Inman
Founder and Senior Collaborator
Educational Collaborators

I totally agree with Buddy's response above. For clarity's sake, I would add to be sure you receive and read the Privacy Statement from your vendors. That will likely help you identify specific questions or scenarios to investigate using Buddy's methodology.


ATLIS, Cybersecurity Update, webinar video archive, 2 December, 2020.

Share this post:

Comments on "Asking Vendors the Right Questions About Data Protection"

Comments 0-5 of 0

Please login to comment