Time to update your vendor risk management program? In this article, Graeme Payne, Kudelski Security’s practice leader for strategy, risk, and compliance, covers the four essential areas for consideration in building a strong VRM.
You have limited control over the safety measures taken by external service providers, IT vendors, and related third parties. Their vulnerabilities become your vulnerabilities. Any breach they experience becomes a possible breach of your environment, too.
You may be ready to surface, assess, and mitigate their risks if it’s just an issue of a couple of vendors. Most businesses have a vendor list that will reach thousands — from parts suppliers, cloud solutions providers, law firms, to call centers, consultants, and human resource benefit providers. All this is often in danger if your vendors don’t have adequate security and privacy protections in situ.
Identifying risks within your supply chain and business vendor landscape starts with building an inventory of vendors and placing them into risk tiers. A good place to start is your vendor master within the organization’s accounts payable system. This will identify all the vendors that you simply are paying for goods and services. Your risk modeling approach should consider the sort of knowledge accessed by the seller, the criticality of the seller to your business process, the connectivity of the seller to your data, systems, and networks, and any recently observed experiences with the seller. Creating risk tiers will allow you to create a program that’s aware of the danger in each tier and to focus your limited resources on the areas of greatest risk.
Read more: 10 Things You Need to Know About GDPR Compliance Requirements
Vendor Risk Management Program
As you build your vendor risk program, you ought to work closely with procurement, legal, and other functions. Security requirements should be defined and utilized in new vendor identification. Selection, negotiation, and contracting should include security and privacy protections in contracts- Onboarding and implementation should include appropriate censoring, and termination processes should ensure destruction or removal of sensitive data. With strong collaboration across functions, a more unified vendor risk program is often implemented that addresses all key risk areas including financial viability, safety, and legal compliance.
There are many approaches to evaluating and monitoring vendors. Popular techniques to gauge how vendors are addressing their cybersecurity risk include surveys and questionnaires; review of third-party audits and certifications; onsite visits; technical testing; and continuous monitoring. As you design your program include flexibility in your approach to evaluating and monitoring vendors. A risk-based approach should be wont to determine the extent and frequency of evaluation. Higher-risk vendors will need higher levels of assurance like completion of security questionnaires, onsite visits or audits, security certification, or ongoing intelligence monitoring. Lower risk vendors might get to complete a simplified questionnaire or be subject to less frequent review. Be reasonable in what you expect from vendors; don’t invite information that you simply aren’t using to gauge risk. Far too many vendor questionnaires request data that are never utilized in the danger management process.
Much plays into a successful vendor risk management program. The time devoted, the topic matter experts involved and a radical understanding of the evolving regulations are all considerations to require under consideration.
How to Establish a Vendor Risk Management Program
1. Develop a policy, program, and procedures.
This is first and foremost. A well-documented policy, program, and desktop procedures are fundamental to the success of a vendor risk management program. As a general guideline, the approach will be an undeniable level aide itemizing how merchant hazard the board will be taken care of, the program will be thorough and started the means for senior administration and thusly the lines of business and the strategies will layout the everyday seller hazard the executive’s duties in broad detail.
2. Have a well-defined vendor selection process.
Forming a defined vendor vetting process is critical to the success of the organization’s vendor relationships. The process should be executed by your organization as a start line for choosing any vendor who may provide a product/service. You may consider things like:
- Issuing a Request for Proposal (RFP)
- Comparing the vendor to competitors
- Completing a risk assessment and other due diligence requirements (these should be defined in your policy!)
3. Establish contractual standards.
Within your organization’s contractual standards, make certain to include a negotiation process. Complete contracts are very important in vendor risk management.
4. Keep up with periodic due diligence and ongoing monitoring.
Continue to perform vendor due diligence on a periodic, oftentimes annual, basis. It’s vital that you simply understand any vendor changes which will impact the danger posed to your organization. Remember, due diligence isn’t just an invitation and receive process. You must analyze as a neighborhood of your vendor risk management process. Here may be a snippet of what periodic due diligence would appear as if done correctly:
- Continuing to request and evaluate the vendor’s SOC reports, business continuity and disaster recovery plans, and knowledge security procedures.
- Completing annual assessments – risk assessments, performance assessments, information security assessments, and more.
5. Define an internal vendor risk management audit process.
Work into your vendor risk management program an indoor audit process. An internal audit will assist you to verify your organization has acceptable controls in situ to mitigate risks present.
6. Robust and comprehensive.
In an established vendor risk management program, you’ll have a process to access customizable reports that are easy to obtain and ready to be presented to your executive management teams and the board.
Many components and processes make up a third-party management program. Download the checklist.
The risk is yours.
Maximum agencies have a seller listing in an effort to attain thousands — from components suppliers, cloud answers providers, regulation firms, to name centers, consultants, and human aid advantage providers.
As a security leader, you need to develop and continuously evolve your vendor risk management program. Just like most things on cybersecurity this is often not a “one and done effort”. Continue to find ways to create additional continuous monitoring and alerting to reinforce your periodic reviews. Ask yourself: “Do I know who my high-risk vendors are and are I comfortable about the cyber risk we are accepting”? If the solution is “no”, it’s time to update your vendor risk program.
VRM-as-a-service offerings are emerging to help offload some of the “heavy lifting” in managing a vendor risk program. Several exchanges and shared assessment programs are now in situ to scale back the burden on vendors completing literally many questionnaires. Security certification programs are gaining more prominence as vendors seek to provide assurance that their security programs meet acceptable industry standards.
Your program design should integrate vendor risk management into your incident response process. Studies indicate that 60% of data breaches involve a third party.
