Metrics for Success: Assessing Vendor Compliance with PII

The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records and scores of brand reputations over the past decade. The outsourcing of business processes that, to varying degrees, involve the physical and logical storage of PII significantly magnifies this area of enterprise risk. A host of data-rich services are now delivered by vendors and sub-contractors with virtual and physical access to everything related to employees' and customers' personal information. This company recognizes these risks and, in concert with a take-no-prisoners review of its own internal controls and safeguards, has adopted an equally aggressive vendor risk management strategy reflective of its reliance upon multiple vendors and partners. These third parties currently provide customer support, IT and benefits administration, and other support activities that involve access to PII.

The chart provided is an example of a recent status report on the firm's top five vendors, those that house high PII volumes with high confidentiality impact levels. These two factors combine to require special oversight.

Twenty control points are measured for compliance; nine of them appear in this report. Brief descriptions follow.

Physical and logical access to PII is effectively controlled and tested – Audits and inspections actively test the scope and effectiveness of logical and physical access controls over stored data. This includes both notice and no-notice techniques.

Access personnel have confirmed and audited background investigations (BI) – BIs are the fundamental personnel integrity safeguard required of all third-party vendors and partners, and the requirement flows down to any subcontractors to whom access is pre-authorized. The key here is sample auditing of the processes BI vendors use in vetting.

PII security policy, procedures and training are in place and tested as effective – This is the basic control infrastructure for documenting and communicating protection responsibilities.

Remote access is effectively controlled and monitored – These vendors have globally distributed organizations with remote connectivity required for service delivery. A variety of internal controls are associated with remote access administration.

Audit scope and frequency support timely detection of vulnerabilities – Vendors are required to have ongoing process audits by independent sources.

Breach detection tools are monitored 24/7 and address likely scenarios – An assumption of breach is the starting point, and it requires a risk-responsive suite of reliable, real-time detection tools with 24/7 monitoring. These third parties house the company's most critical PII data, so imposing full-time breach detection to a contractual standard is deemed essential to the outsource security strategy.

Data breach notification and response procedures are in place and tested – This requirement closes the loop from breach detection to timely notification and response.

PII security program and contractual requirements are effectively managed – Assurance of competent management and corporate commitment to protection is a key element of the assurance program.

Findings from prior third-party PII inspections and reviews have been addressed as required – A scope this detailed is meaningless without assurance that all prior findings and noted defects have been addressed.

These audits are a continual process involving both the Corporate and IT security teams. Findings are reported to the Audit Committee, and sanctions are immediate for non-responsive vendors.


George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased at The SEC draws on the knowledge of security practitioners, experts and strategic partners.