With this ebook, we'll help you prioritize which vendors need the most attention with an in-depth security assessment – such as those with low security ratings, or critical vendors that maintain constant contact with your company’s systems.
This post was originally published January 21, 2016 and has been updated for accuracy and comprehensiveness.
If you’re in the beginning stages of building your comprehensive vendor risk management plan, you’re likely looking for something that will help you get started with your vendor risk assessments. That’s a big task—but it doesn’t need to be daunting.
In this post we’ve included templates that can help you create a personalized vendor cybersecurity IT risk assessment questionnaire. Each of these resources provides examples of vendor risk assessments and includes a series of questions that can help probe a vendor’s governance and approach to cybersecurity.
Developed by experts with backgrounds in cybersecurity and vendor risk management, each template is easy to understand. There are, however, no quick fixes. Personalizing your cybersecurity IT risk assessment template requires careful thought and planning by your organization’s security, risk management, and executive leaders: the questions you ask a vendor should reflect the data and systems that vendor can actually reach.
What is a Cybersecurity IT Risk Assessment?
When it comes to improving cybersecurity at your organization, there are some fixes that you can undertake with very little preparation. More robust remediation efforts, however, usually start with a cybersecurity IT risk assessment.
Risk assessment involves identifying the assets you need to protect, the threats and vulnerabilities that could affect them, and the likelihood and impact of those threats being realized, and then deciding what you can do to remediate or reduce each risk. It’s important because it focuses your energies on choosing controls that are proportionate to the risk your organization or industry actually faces, rather than spreading effort evenly across every possible weakness.
You can do your own assessment or cybersecurity audit, or you can outsource it to third-party consultants. Consultants sometimes perform assessments as a stand-alone service and sometimes as the first step in a larger end-to-end cybersecurity engagement.
Cybersecurity Risk Assessment Templates
Let’s take a look at the CIS Critical Security Controls, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and our very own “40 Questions You Should Have In Your Vendor Security Assessment” ebook.
1. CIS Critical Security Controls
The CIS Critical Security Controls (formerly known as the SANS Top 20) were created by public and private sector experts. This practical guide to getting started quickly and effectively with a security program is widely regarded as a benchmark for security practice. It is a prioritized list of technical best practices that organizations can implement to defend against the most common and damaging attacks, so the earlier controls in the list give the most protection for the effort.
2. NIST Cybersecurity Framework
Another public and private sector collaboration, the NIST Cybersecurity Framework was developed with the goal of simplifying the security assessment and governance process. It draws on many international practices and standards, including NIST SP 800-53 and ISO/IEC 27001, and lists them as informative references. The CIS Critical Security Controls are also referenced in this framework.
The Cybersecurity Framework was designed for owners and operators of critical infrastructure, but it can be used by anyone. It organizes security outcomes into a small set of core Functions (Identify, Protect, Detect, Respond, and Recover), which makes it easy to structure questionnaire sections around. The great thing about it is that it covers both governance and technology, whereas the CIS Critical Security Controls focus mainly on technical controls. That dual approach makes it a very popular framework.
3. eBook: 40 Questions You Should Have In Your Vendor Cybersecurity IT Risk Assessment
We promised that these cybersecurity IT risk assessment templates would help you get started quickly, and we’re sticking by that. So if you’re looking to jump-start this process, our eBook, 40 Questions You Should Have in Your Vendor Cybersecurity IT Risk Assessment, is a good place to begin. We combined the NIST Cybersecurity Framework and the CIS Controls to come up with a specific list of 40 important questions that you may consider including in your vendor questionnaire.
Of course, this eBook isn’t nearly as comprehensive as the previous frameworks. The NIST and CIS documents could generate a very large number of possible questions, but it isn’t always easy to identify which are the most important, and that’s where this simplified eBook can come in handy. Once you review it, you’ll likely have a better idea of which questions are critical and why they matter to good cybersecurity management and monitoring practices.
The bottom line is that if you’re tackling cybersecurity IT risk assessment, you may be overwhelmed by the mission ahead of you. Our best advice is to take a deep breath and simply get started. The templates above are written in terms that most people can understand, so all you need to do is make sure the right people are in the room and begin. Best of luck!