The answer to these questions does not lie in technical safeguards that IT can implement on its own. It lies in IT security taking on greater responsibility and aligning itself with the business so that it understands processes, such as sourcing and vendor management, that have traditionally sat outside its domain.
To address the security concerns that arise when working with vendors, IT security should reach out to the business sourcing teams and ensure that security controls and checkpoints are built into the sourcing process before a vendor is approved. This will not guarantee that a vendor complies with your requirements, but it will give you a baseline understanding of the information security capabilities of each vendor that houses, processes or has access to your data, before the contract is signed rather than after an incident.
We've heard the talk about shifting the paradigm of how information security is viewed. Auditors and regulators have become more adept in their assessment approaches, and traditional IT infrastructures have morphed into semi-open networks in which vendors hold and process corporate data. It is only logical, then, that vendors will eventually be scrutinized as closely as internal IT. Information security therefore has to be engaged with the business now more than ever, so that its advocates are involved in each phase of sourcing: vendor selection, contracting, onboarding and ongoing review. Without this involvement, information security professionals cannot meaningfully reduce the risks that vendor organizations introduce.
Compliance is certainly a motivator and can be used as a tool for building the alliances you need to reach your security goals. However, even if vendor security is not yet on the radar of your regulators or auditors, it is worth considering how a vendor information security program could help you reach your broader aim of ensuring the confidentiality, integrity and availability of your organization's information assets. Any amount of interaction with the business units will start to change the corporate view of information security and, ultimately, reaffirm your value to the organization.