Vendor Risk Assessment: Essential ComponentsComAir's Ramon Lipparoni on Steps to Mitigate Vendor Risks
Vendor risk management is becoming far more critical as companies in all sectors rely more on partners who have access to payment card data and other sensitive information, says Ramon Lipparoni, IT integration manager at ComAir, a South African airline. One critical step, he says, is conducting impromptu vendor audits.
"We're starting to have to manage our vendors a little bit more effectively with a little bit more vigilance around how vulnerable their systems are outside of our environment," Lipparoni says in an interview with Information Security Media Group. That includes scrutinizing the risk components of every vendor, including their PCI compliance, he says.
Impromptu audits are particularly valuable in assessing the security of vendors, he stresses. "You can learn a lot by visiting the vendor's location," he says. "From time to time we like to go out and do an impromptu audit and interact with them." He suggests creating a vendor-specific questionnaire for these audits.
Lipparoni was a speaker at PCI's Cape Town summit.
In this interview (see audio link below photo), Lipparoni also discusses:
- The importance of network segmentation;
- How to grant third-party vendors appropriate access to corporate systems;
- The technologies that can be used to manage vendor risks.
Lipparoni is the IT integration manager with ComAir. He has been in the IT business for the past 20 years. He has specialized in core business management and integration's management arena, focusing on a multifaceted business portfolio including ERP, business logistics, design and implementation management and international applications development.