Your company is probably working with dozens or hundreds of third parties to outsource business functions, reason why vendor risk management sits among the priorities of any security leader nowadays. How to set up a vendor risk management program (VRM) to reduce risk across your supply chain?
Let’s start with a definition:
Vendor risk management is the process of performing risk assessments of potential new vendors and evaluating the performance of existing vendors continuously, in order to take corrective actions to reduce risk based on the results of the assessments.
Gartner adds that the ultimate goal of VRM is to ensure that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.
VRM gives companies visibility into the vendors they work with, how they work with them, and which vendors have implemented sufficient security controls. This is accomplished with dedicated tools that assist in assessing, monitoring, and managing risk exposure from third party vendors that have access to enterprise information.
How to Get Started with Vendor Risk Management
At a fundamental level for your business, you should always take inventory of third party your vendors and the risks they could present to your organization. The goal of a VRM program is to make sure your business partners are keeping their (and your) data secure and are following best practices in line with your security standards.
There are two main parts of a vendor risk management program:
- Assessing your vendors before engaging with them to make sure they comply with your expected security, confidentiality, and privacy requirements.
- Conducting continuous reassessments of your vendors to make sure they are keeping their promises regarding security compliance.
Dividing your third party vendors into “new” and “existing” can be your starting point when building a scalable vendor management program. You can put in place a due diligence and third party risk assessment workflow for new vendors, and then go on to address existing third parties through your new process.
Read More: 5 Tips to Building a Scalable VRM Program
When a contract comes up for renewal, you can address some of the contractual aspects that may not have initially been addressed prior to having a data security appendix for the contract in place.
VRM is a continuous process, but you have to start somewhere. Follow the steps below.
1. Build your third party vendor inventory
Even if you’re a small start-up, you probably rely on vendors to conduct several business functions, e.g., an email provider, a payroll platform, or cloud hosting.
Start with the most important vendors from a risk perspective and begin building your inventory. Think of the companies that you exchange confidential and restricted information with, and the ones you grant access to your information and to your various platforms and infrastructure.
Ask yourself these questions:
- Who do you share non-public data with?
- Who do you grant access to data and company infrastructure?
- Who develops software for your critical business applications?
- What data are you sharing with them?
Once you’ve identified them, ask them who their third parties are as well, so you can tackle fourth party risk later on.
What is a vendor exactly? The difference between vendor, third party, supplier, and service provider
Security leaders use different terminology. In most cases, “vendor” is used interchangeably with third party, supplier, or service provider. However, the term “supplier” often relates to physical goods, while vendors and service providers relate to information technology (IT).
“Third party” is the broadest term: All vendors, suppliers and providers are third parties, but not vice versa. That is why for many security professionals, third party risk management and vendor risk management are synonymous.
Read More: Vendor or Third Party? What is a Third Party Vendor?
2. Prioritize your inventory and build your third party risk assessment process
Once your vendor inventory is built, prioritize your vendors according to their level of criticality and impact to your business. For example, the accounting firm you’ve hired to help manage your financials could be compromised via a phishing email, potentially granting attackers access to your network or data.
These are called supply chain attacks, where instead of compromising the desired target directly, attackers compromise a supplier of the target. SolarWinds, Kaseya, Colonial Pipeline, and Log4j are some recent examples of the extent these attacks can reach, providing a gateway for cybercriminals though weak security controls.
Not all vendors are equally critical, nor do they need to be subject to the same questions. In order to identify your most critical vendors, the ones that will need heavier risk assessment requirements, use these questions:
- What are you using them for?
- How critical is the process you are outsourcing through them?
- What is their security posture?
- Do they have SLAs?
- Are their contractual terms aligned to what you expect for this type of service?
With dozens or hundreds vendors, it’s difficult to focus on the most critical ones if you don’t classify them. Most risk management teams use the following tiers:
- Tier 1 vendors: High risk, high criticality
- Tier 2 vendors: Medium risk, medium criticality
- Tier 3 vendors: Low risk, low criticality
Read More: Building Requirements for a Customized Security Risk Assessment
3. Assess and Monitor Your Vendors on an Ongoing Basis
There are many risk assessment standards and frameworks to base your vendor evaluations on, which we explore in more detail here. The most commonly used include:
- ISO 27001
- ISO 27701
- SIG Lite and SIG Core
- CSA CAIQ
- NIST SP 800-53
Some organizations also use industry-specific standards, including:
- HITRUST (healthcare)
- HECVAT (higher education)
Whether you use these industry standards or build your own custom assessment, consider the following risk categories:
Information Security – Controls related to security, confidentiality, and availability of data shared with third party vendors.
Business Continuity – As third party services become more critical to your operations, consider availability requirements.
Regulatory Requirements – Industry-specific regulations mandate security, privacy, and data protection standards.
As you build your assessment framework, it may be useful to ask yourself questions like:
- What security certifications does the vendor have? (SOC 2, ISO 27001, etc.)
- Do they conduct periodic assessments and ongoing monitoring?
- What are their on/offboarding processes?
- Can you involve legal, procurement, and other internal parties and stakeholders?
- How do they communicate and report to you on the compliance of the SLAs?
- What are their breach notification, response, and disclosure policies?
- What does their business continuity plan entail?
- How robust is the organization in terms of financial viability and overall reputation?
How to implement vendor risk management practices?
Once your process is defined, you can start conducting vendor risk assessments using a tool like the ThirdPartyTrust VRM automation platform, which allows you to easily onboard your vendors involving as many stakeholders as needed, customize your assessment process, report on third party risk, and continuously monitor vendor security performance based on your risk standards.
Watch how easy it is to automate your end-to-end vendor risk management program:
Once your VRM program is up and running, build your reports and dashboards so you can show the value of your efforts. Commonly tracked KPIs and KRIs include: total number of vendors, vendors by security score, assessment status, and risk historical analysis.
Read More: Top 5 Indicators of a Third Party Risk Management Dashboard
New threats and challenges are constantly emerging, which makes it critical to check your program from time to time to make sure it’s still hitting the mark.
Remember: Your critical insights may initially come from the first ‘point in time’ risk assessment and due diligence. After that, you need to perform continuous monitoring of the controls in place and the changes in the relationship with the third party vendor, including periodic reassessments, ongoing monitoring for security vectors, incident notification, and on/offboarding.
This approach is much more effective than doing annual assessments, which over time yields less insight and are static in nature, while expensive to perform. Automation presents as the solution to an otherwise manual, painful, and repetitive process to assess and remediate vendor risk.
Are you ready to get started with vendor risk management? Let us show you how ThirdPartyTrust can help. Talk to an expert today.
Don’t let zero days be “wake up calls.”
Unpredictable vulnerabilities will be an ongoing concern for security teams inthe foreseeable future.
In this guide you will learn the fundamentals of zero days, patterns from our statistical analysis, and tips to reduce risk and remediate zero days if/when they happen.
