• CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Resources
    • Blog
    • Strategy Guides
    • Case Studies
    • Data Sheets
    • Webinars
    • API
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Resources
    • Blog
    • Strategy Guides
    • Case Studies
    • Data Sheets
    • Webinars
    • API
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Resources
    • Blog
    • Strategy Guides
    • Case Studies
    • Data Sheets
    • Webinars
    • API
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Resources
    • Blog
    • Strategy Guides
    • Case Studies
    • Data Sheets
    • Webinars
    • API
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • Products
  • TPRM by ThirdPartyTrust
  • Beacon by ThirdPartyTrust
  • Solutions
  • Risk Assessment Automation
  • Security Questionnaire Automation
  • Shadow IT Management
  • Zero Day Remediation
  • Integrations
  • Industries
    • Financial
    • Energy
    • Healthcare and Hospitals
    • Legal
    • Life Sciences
    • Manufacturing Industry
    • Retail
    • Technology
    • Other Industries
  • Pricing
  • Resources
  • Blog
  • Strategy Guides
  • Case Studies
  • Data Sheets
  • Webinars
  • Dictionary
  • API
  • Company
  • About us
  • Careers
  • Partners
  • Partners Login
  • Product Security
  • Privacy Policy

7 Questions for a Vendor Risk Assessment

Published by Sabrina Pagnotta on January 16, 2020
Categories
  • Blog
Tags
  • TPRM Best Practices
assessing-a-third-party

Third party risks continue to be a serious cybersecurity threat, so properly assessing a vendor is paramount to any risk management strategy. According to Gartner, 71% of organizations reported their network contains more vendors than it did three years before. This number is expected to grow even larger in the next few years.

With cloud-based services and the Internet of Things increasing cybersecurity risks nearly as much as they open new doors for business operation, it has become imperative to create and maintain formal programs for third party risk management (TPRM) in order to avoid being compromised. In this blog, we offer a practical approach to start the due diligence process.

Understanding the risk

Implementing new technologies and relying on more third party solutions and services is a must for any company that aims to keep up with the ever-evolving world. Partnerships offer the opportunity for greater agility, exceptional customer experiences and profitable growth.

According to Gartner, 60% of organizations are now working with more than 1,000 vendors.

That said, these technologies need to be secured and properly evaluated before fully entering the process and data ecosystem of an organization. They will likely have access to sensitive data about technology, finances, inventory, shipping, licensing, media & advertising, recruiting, payroll, sales partners & distributors, among many other things.

What’s more, in an ideal scenario, there should be a third-party risk assessment both before and after the adoption of new technologies. It’s only natural that business relationships evolve as time goes by. There can be changes in scope, goals, strategy, and staff over the course of a relationship with a vendor.

This means the assessment is not over after the initial due diligence process; in fact, organizations need to implement continuous monitoring strategies. 

Let’s take a look at 7 useful questions to ask during the third party risk assessment.


A Practical Approach to VRM: 7 Questions to ask when Assessing a Vendor

assessing-a-third-party
  1. Does the vendor regularly check user privileges, and are these based on the principle of least privilege?
  2. Does the vendor have an updated information security program in place, with documented policies and procedures?
  3. Are their employees trained on basic security best practices to deflect social engineering attacks, avoid phishing and scams?
  4. What is their notification process when your data is shared with other parties?
  5. Do they employ mechanisms to control access to areas containing sensitive information assets?
  6. Do they have an incident response plan?
  7. Are they willing to enact cybersecurity requirements through a formal agreement?

Now, these won’t cover the entire spectrum of third party risk management, but this is a great starting point that will allow a company to make an informed decision when assessing a vendor.

Read More: Guide to Making TPRM Easier

Performing a deeper third party risk assessment is not as hard as it sounds, as there are tools and new approaches to simplify the process. For example, our ThirdPartyTrust platform leverages the work of industry peers who have already reviewed common vendors, automating data gathering and, as stated above, implementing ongoing monitoring strategies for periodic reassessment.

Another thing to consider is accountability, as it can be hard to determine when there’s no people or department in charge of managing third-party risk. Sometimes it’s not even a matter of not having a designated resource, but a matter of compliance officers having too much on their plates – with responsibilities extending beyond their own companies and into the increasing map of service providers and supply chain partners.


Putting cybersecurity first

Companies are realizing cybersecurity is a top-tier issue. Gartner research revealed that compliance programs are focused on third party risk more than ever before: more than twice the number of compliance leaders considered it a top risk in 2019 than three years before.

Nevertheless, there is still a gap in how and to what extent it is approached in practice. One thing is to understand the implications of a data breach or cyberattack, and another is to be aware of the actual vulnerabilities that need to be addressed.

No industry is exempt from the attention of cyber security risks. As the threat landscape constantly evolves, so does third party risk, with networks becoming larger and more complex. The time to check defenses is now, not later!

If you are interested in learning more about our third-party risk platform please click here.

Request Demo
Sabrina Pagnotta
Sabrina Pagnotta
Sr. Content Strategist
    • Phone
      |+1-617-245-0469
    • Address
      |
      111 Huntington Ave, Suite 2010, Boston, MA 02199
    • Sales
      |sales@bitsighttech.com
    • Contact Us
    Laika_SOC2_TypeI_PurpleIris        CSA_Trusted_Cloud_Provider

    ©2022 ThirdPartyTrust, LLC and its Affiliates. All Rights Reserved. | 111 Huntington Ave. Suite 2010 Boston, MA 02199
    • BLOG
    • PARTNERS LOGIN
    • CONTACT US
    • PRIVACY POLICY
    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
    Do not sell my personal information.
    Reject AllAccept
    Cookie Settings
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
    CookieDurationDescription
    cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
    cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
    cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
    cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
    cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
    viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
    Functional
    Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
    Performance
    Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
    Analytics
    Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
    Advertisement
    Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
    Others
    Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
    SAVE & ACCEPT