Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3.3. Vendor Monitoring

💡 First Principle: Vendor assessment isn't a one-time event — vendors' security postures change over time. Staff turnover, technology changes, and financial pressures can all degrade a vendor's security. Ongoing monitoring ensures that the security standards that existed when you signed the contract are still being maintained.

Continuous monitoring — automated tools that track vendor risk scores, breach disclosures, compliance status, and security ratings in real time. Security rating services (BitSight, SecurityScorecard) provide continuous external assessment by scanning vendors' public-facing infrastructure for vulnerabilities, misconfigurations, and compromised credentials. These scores give early warning of deteriorating vendor security before it results in an incident.

Periodic review — scheduled reassessment of vendor security posture: annual audits, updated questionnaires, refreshed SOC reports, and evidence of remediation for previously identified issues. Periodic reviews should be more thorough than continuous monitoring — they assess internal controls that external scanning can't see.

Incident notification requirements — contractual obligation for vendors to notify you within a defined timeframe (typically 24-72 hours) when they experience a security incident that may affect your data. Without this requirement, you might not learn about a vendor breach until it's public news — weeks or months later. The notification should include scope of impact, data affected, remediation actions taken, and contact information for their incident response team.

Exit strategy — a documented plan for transitioning away from a vendor. Includes data return/destruction requirements, access revocation procedures, timeline for migration, knowledge transfer, and contractual obligations during the transition period. If a vendor's security degrades beyond acceptable levels, or if the vendor faces financial instability, you need to be able to leave without losing data or operational capability. Test the exit strategy periodically — don't wait for a crisis.
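The three monitoring signals above (a deteriorating external rating, an overdue periodic review, and a late incident notification) can be reduced to simple checks over a vendor record. The following is an added illustration, not code from MindMesh Academy or from any rating service; the rating scale, thresholds and the vendor data are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Thresholds are assumptions for this example; align them with the contract and risk appetite.
RATING_FLOOR, RATING_DROP, LOOKBACK_DAYS = 650, 50, 30   # hypothetical 250-900 rating scale
REVIEW_INTERVAL_DAYS, NOTIFY_SLA_HOURS = 365, 72         # annual review, 72h notification clause

@dataclass
class Incident:
    occurred_at: datetime             # when the vendor became aware of the incident
    notified_at: datetime | None      # when they notified us; None means not yet

@dataclass
class Vendor:
    name: str
    ratings: list[tuple[date, int]]   # external security rating history, oldest first
    last_review: date                 # date of the last periodic (internal-controls) review
    incidents: list[Incident] = field(default_factory=list)

def evaluate_vendor(v: Vendor, today: date, now: datetime) -> list[str]:
    """Return the findings an analyst should act on for this vendor."""
    findings = []
    if v.ratings:
        latest_date, latest = v.ratings[-1]
        if latest < RATING_FLOOR:
            findings.append(f"rating {latest} below floor {RATING_FLOOR}")
        cutoff = latest_date - timedelta(days=LOOKBACK_DAYS)
        older = [s for d, s in v.ratings if d <= cutoff]      # baseline at or before the window
        if older and older[-1] - latest >= RATING_DROP:
            findings.append(f"rating dropped {older[-1] - latest} points in {LOOKBACK_DAYS} days")
    if (today - v.last_review).days > REVIEW_INTERVAL_DAYS:
        findings.append("periodic review overdue")
    for inc in v.incidents:
        hours = ((inc.notified_at or now) - inc.occurred_at).total_seconds() / 3600
        if hours > NOTIFY_SLA_HOURS:                              # late or still missing notification
            state = "received" if inc.notified_at else "still missing"
            findings.append(f"incident notification {state} after {hours:.0f}h (SLA {NOTIFY_SLA_HOURS}h)")
    return findings

# Constructed sample: rating slid 720 -> 640 in six weeks, last review 14 months ago, one incident notified after 4 days.
SAMPLE = Vendor("ExampleCloud (constructed)",
                [(date(2026, 1, 1), 720), (date(2026, 1, 20), 700), (date(2026, 2, 15), 640)],
                date(2024, 12, 1), [Incident(datetime(2026, 2, 1, 9, 0), datetime(2026, 2, 5, 9, 0))])

def sample_findings() -> list[str]:
    return evaluate_vendor(SAMPLE, date(2026, 2, 16), datetime(2026, 2, 16, 12, 0))
```

Each finding maps to a follow-up the contract should already define: a rating alert triggers an out-of-cycle review, an overdue review is a governance gap, and a notification past the SLA is a contractual breach to escalate.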

āš ļø Exam Trap: Vendor monitoring includes both automated (security rating services) and periodic (annual audit) approaches. If a question asks how to continuously monitor vendor risk, security rating services or continuous monitoring tools are the answer, not annual questionnaires alone.

Written by Alvin Varughese, Founder, 15 professional certifications