But with so many moving parts, creating a supplier risk management plan – and executing on it – can be a challenging and arduous task. According to Gartner, 60% of organizations work with more than 1,000 third-party vendors. That’s a huge pool of companies that require assessments, including both onboarding and throughout the relationship lifecycle.
While there are many cyber risk management frameworks and cybersecurity maturity models that you can reference, it’s hard to know where to start. To help, we’ve outlined a template of the key things you should include in your supplier risk management plan so that you can kickstart your vendor assessments with three easy steps.
When crafting your plan, there are three key areas to consider:
Let’s look at each:
Cybersecurity frameworks provide a common language and set of standards for assessing your vendors’ security postures and are helpful starting points for informing your plan.There are several frameworks that you can consider but we suggest you start with three:
While these cybersecurity frameworks are valuable, there are literally thousands of questions you could mine from them. Knowing which are the most important to your organization isn’t easy. To help jumpstart the process of building your template, we’ve compiled a list of the 40 Questions You Should Have in Your Vendor Security Assessment.
This guide blends both NIST and CIS Controls frameworks and provides a baseline of the most critical questions you should ask your vendors. For instance:
Your plan should also include a process for validating responses. But you don’t need to conduct lengthy and costly on-site assessments of each vendor.
Instead, use a tool like BitSight Security Ratings to verify your suppliers’ security performance. Security ratings provide an objective, data-driven representation of your vendors’ security postures. For example, the BitSight platform can identify if a vendor’s IT infrastructure has known security vulnerabilities, compromised systems, or fails to adhere to industry best practices. The higher the rating, the better the security posture.
While cyber security risk assessments and questionnaires are among the most powerful tools for assessing your vendors’ security postures, traditionally, they have only captured a snapshot of risk. In between assessments, vulnerabilities can emerge without your knowledge and put your organization at risk.
That’s why your plan should include a strategy for continuously monitoring your third parties in near real-time – over the lifecycle of the relationship.
Again, this doesn’t have to be a complex or unwieldy exercise. Using security ratings, you can automatically and continuously evaluate your vendors for cyber risk.
Start by setting acceptable vendor risk thresholds based on your industry and the criticality of the supplier. Then, bake those into your plan. Once onboarded, monitor your vendors for movement against these thresholds. If a vendor’s rating falls below a certain score the BitSight platform will alert you. With this insight, you can work with the vendor to remediate the issue or determine if a deeper security assessment is required.
It’s a great way of staying on top of emerging risk without waiting for the next periodic assessment and all the work it entails.
Assessing supply chain risk can seem overwhelming. Before you dive in, develop a plan that takes into consideration frameworks grounded in best practices. Then automate wherever possible. It will save you time, reduce costs, and allow you to scale your supply chain risk management practice with ease.
To serve your customers and realize efficiencies, your organization may work with dozens if not hundreds of third parties including partners, vendors, cloud service providers, and subcontractors.
But digital ties with these providers...
Facebook and the apps under its umbrella, including Instagram and WhatsApp, were inaccessible for hours on Monday. The outage hamstrung the communications of billions of people, businesses, and other organizations.
Though Facebook is...