Your company is probably working with dozens or hundreds of third parties to outsource business functions, reason why vendor risk management sits among the priorities of any security leader nowadays. How to set up a vendor risk management program (VRM) to reduce risk across your supply chain?
Let’s start with a definition:
Vendor risk management is the process of performing risk assessments of potential new vendors and evaluating the performance of existing vendors continuously, in order to take corrective actions to reduce risk based on the results of the assessments.
Gartner adds that the ultimate goal of VRM is to ensure that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.
VRM gives companies visibility into the vendors they work with, how they work with them, and which vendors have implemented sufficient security controls. This is accomplished with dedicated tools that assist in assessing, monitoring, and managing risk exposure from third party vendors that have access to enterprise information.
At a fundamental level for your business, you should always take inventory of third party your vendors and the risks they could present to your organization. The goal of a VRM program is to make sure your business partners are keeping their (and your) data secure and are following best practices in line with your security standards.
There are two main parts of a vendor risk management program:
Dividing your third party vendors into “new” and “existing” can be your starting point when building a scalable vendor management program. You can put in place a due diligence and third party risk assessment workflow for new vendors, and then go on to address existing third parties through your new process.
Read More: 5 Tips to Building a Scalable VRM Program
When a contract comes up for renewal, you can address some of the contractual aspects that may not have initially been addressed prior to having a data security appendix for the contract in place.
VRM is a continuous process, but you have to start somewhere. Follow the steps below.
Even if you’re a small start-up, you probably rely on vendors to conduct several business functions, e.g., an email provider, a payroll platform, or cloud hosting.
Start with the most important vendors from a risk perspective and begin building your inventory. Think of the companies that you exchange confidential and restricted information with, and the ones you grant access to your information and to your various platforms and infrastructure.
Ask yourself these questions:
Once you’ve identified them, ask them who their third parties are as well, so you can tackle fourth party risk later on.
Security leaders use different terminology. In most cases, “vendor” is used interchangeably with third party, supplier, or service provider. However, the term “supplier” often relates to physical goods, while vendors and service providers relate to information technology (IT).
“Third party” is the broadest term: All vendors, suppliers and providers are third parties, but not vice versa. That is why for many security professionals, third party risk management and vendor risk management are synonymous.
Once your vendor inventory is built, prioritize your vendors according to their level of criticality and impact to your business. For example, the accounting firm you’ve hired to help manage your financials could be compromised via a phishing email, potentially granting attackers access to your network or data.
These are called supply chain attacks, where instead of compromising the desired target directly, attackers compromise a supplier of the target. SolarWinds, Kaseya, Colonial Pipeline, and Log4j are some recent examples of the extent these attacks can reach, providing a gateway for cybercriminals though weak security controls.
Not all vendors are equally critical, nor do they need to be subject to the same questions. In order to identify your most critical vendors, the ones that will need heavier risk assessment requirements, use these questions:
With dozens or hundreds vendors, it’s difficult to focus on the most critical ones if you don’t classify them. Most risk management teams use the following tiers:
There are many risk assessment standards and frameworks to base your vendor evaluations on, which we explore in more detail here. The most commonly used include:
Some organizations also use industry-specific standards, including:
Whether you use these industry standards or build your own custom assessment, consider the following risk categories:
Information Security – Controls related to security, confidentiality, and availability of data shared with third party vendors.
Business Continuity – As third party services become more critical to your operations, consider availability requirements.
Regulatory Requirements – Industry-specific regulations mandate security, privacy, and data protection standards.
As you build your assessment framework, it may be useful to ask yourself questions like:
Once your process is defined, you can start conducting vendor risk assessments using a tool like the ThirdPartyTrust VRM automation platform, which allows you to easily onboard your vendors involving as many stakeholders as needed, customize your assessment process, report on third party risk, and continuously monitor vendor security performance based on your risk standards.
Watch how easy it is to automate your end-to-end vendor risk management program:
Once your VRM program is up and running, build your reports and dashboards so you can show the value of your efforts. Commonly tracked KPIs and KRIs include: total number of vendors, vendors by security score, assessment status, and risk historical analysis.
New threats and challenges are constantly emerging, which makes it critical to check your program from time to time to make sure it’s still hitting the mark.
Remember: Your critical insights may initially come from the first ‘point in time’ risk assessment and due diligence. After that, you need to perform continuous monitoring of the controls in place and the changes in the relationship with the third party vendor, including periodic reassessments, ongoing monitoring for security vectors, incident notification, and on/offboarding.
This approach is much more effective than doing annual assessments, which over time yields less insight and are static in nature, while expensive to perform. Automation presents as the solution to an otherwise manual, painful, and repetitive process to assess and remediate vendor risk.
Are you ready to get started with vendor risk management? Let us show you how ThirdPartyTrust can help. Talk to an expert today.
Unpredictable vulnerabilities will be an ongoing concern for security teams inthe foreseeable future.
In this guide you will learn the fundamentals of zero days, patterns from our statistical analysis, and tips to reduce risk and remediate zero days if/when they happen.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|