Vendor Risk Assessments: 6 Best Practices to Follow

If you’re just starting out with vendor risk management, you probably have a lot of questions about security. You might be wondering, “Which companies should be on my radar? Am I supposed to monitor all of my vendors, or just a few of them?” These are valid questions—ones you should definitely ask.

Another question that may be lingering is, “Do I need to come up with a vendor risk assessment methodology all on my own?” The answer is a resounding no!

Luckily, there are several organizations out there that have spent many years developing materials that companies can pick up off the shelf and use immediately. Of course, you’ll add your own personal touches along the way, but you do not need to start from square one. Phew!

Now that you’ve breathed a sigh of relief, you’re probably wondering where and how you should get started, and which companies to look at. And that’s what we’ve compiled here.

If you’re going to build a third-party vendor risk management program, you’ll want to follow these six “best practices.” Each of them lets you assess a different part of your vendors’ cybersecurity posture, so you can look at it from every angle.

#1: Risk Assessment

Not every vendor presents the same risk to your organization; some have greater access to your sensitive data or assets. Tiering your vendors based on their importance to your organization is a critical step in creating a good vendor risk management program. The National Institute of Standards and Technology (NIST) has put out some excellent documents to help you think about third-party risk to your organization, including Special Publication 171.

#2: Questionnaire

While there are many options to choose from, one industry-accepted standard for vendor questionnaires is Shared Assessments. In addition to using the standardized questions laid out by Shared Assessments, most organizations will tack on additional questions that are specific to their organization to ensure that they’re getting all pertinent questions answered. This is a great way to be thorough without wasting time creating your own vendor risk questionnaire.

#3: On-Site Interview

The next step in most vendor risk management programs is to perform an on-site interview. Most companies build out a list of questions to ask during this interview process based on standards like ISO 27001 or NIST Special Publication 800-53. These guidelines will help you ensure that every question you ask will have a purpose in better understanding how secure your vendor is.


#4: Technical Scans

Performing a technical analysis of your vendors’ network security can be daunting, particularly if you haven’t done it before. Penetration tests and vulnerability scans are widely accepted practices, but make sure you have communicated with the vendor about performing them ahead of time; there is often a lot of back-and-forth between the primary organization and the third party before the scope and breadth of the test are agreed upon.

There are companies that sell the technology needed to perform these assessments, and there are consultants that will do the test for you. Rapid7 and Core Security are highly regarded technology vendors, and many experienced consultants are available to conduct assessments on your behalf. Make sure you do your due diligence before deciding whether any of these options work for your organization.

#5: Review Of Security Documentation

You’ve performed an on-site review and received the results of your questionnaire and technical assessment. You have a lot of helpful information, but you’re probably going to want to ask for more documentation from the vendor—let’s say, for example, former audit results.

Now, imagine yourself in the vendor's shoes for a moment. They are not just your vendor—they act as a vendor for many other organizations as well. That means they’re probably hounded with information requests regularly and want to minimize the amount of time spent answering security questions. So, they probably have a standard approach to how they handle these requests. Perhaps they’ve already hired a firm to come through and run tests and audits so they can hand that information out when they begin vending to another company.

This is where the common security phrase “trust, but verify” comes into play. If a vendor sends more documentation for your review, that’s great. But it’s up to you to substantiate their claims.

#6: Continuous Monitoring

Every step you’ve taken to this point is incredibly important. In fact, many vendor risk management programs stop after step four. However, every step you’ve taken up to this point only gives you a snapshot of vendor health at a single point in time. This snapshot is undoubtedly important, but it simply does not allow you to see what is happening in the vendor’s network environment in real time. Remember—there are organizations suffering from security incidents at this very moment. If an organization has a continuous monitoring solution like BitSight Security Ratings, they’ll be able to take action against a threat right away.

In summary, paying attention to the cybersecurity posture of your vendors is one of the most important things you can do when you’re getting started with third-party business relationships. From time to time, there will be circumstances that warrant unique questions or a different approach. But when it comes to most vendor risk assessment methods, it’s better to rely on the expertise and experience of others than to reinvent the wheel and do it all yourself.