Vendor Risk Management

A Vendor Risk Assessment Questionnaire: 10 Frequently Asked Questions

Melissa Stevens | June 18, 2015

Are you and your company at the beginning stages of implementing a vendor risk management (VRM) program — or are you just beginning to explore the idea? Either way, there’s a lot to learn, and it can be a bit daunting. Perhaps you’re a bit afraid to ask some of the more basic questions that have you stumped.

To help your introduction to vendor risk management (VRM) go a little more smoothly, we've compiled a list of 10 questions about vendor risk management that may help you gain more insight into the process.

10 Vendor Risk Management Frequently Asked Questions

1. How long does it take to implement a VRM program?

This, of course, is variable. The first thing you’ll do when developing your vendor risk management program is create a strategy. Once you have that in place, you can determine which method(s) you’ll use to monitor your vendors’ security positions. You have to determine which of your vendors present the most risk — in other words, which vendors have access to the most sensitive data — so that you can prioritize which vendors need monitoring based on level of risk. If you have a thousand vendors, but only 10 have access to your network or other sensitive information, you’re going to want to know that.

This process, albeit critical, isn’t easy or fast. If you’re the person tasked with creating a list of these vendors, you’ll have to first find the lists (keeping in mind that there are probably many lists throughout the organization), and then figure out how important each one is. You typically base this on conversations with different departments, or by researching what the vendor is actually doing for you. This process could take weeks or months.

After you’ve created your strategy, you’ll need to review your existing contracts. This is a very lengthy process — it can take weeks or months. Questionnaires can take a large chunk of time as well — you have to develop one (which can be done in-house, through a consultant, or via an option like Shared Assessments), send it to your vendor, give them time to fill it out, and then review it. Once you’ve sent it to your vendor, you can give them a time frame for completion, like two weeks or two months.

Better understand what critical questions you should be asking (and why they’re so vital to your cybersecurity) in this free ebook.

2. Should I do questionnaires? If so, when should I send them out, and how often?

A questionnaire is a great way to get a sense of the security measures and protocols that your vendor has in place. These surveys can vary in length dramatically — some could be 10 questions, others a hundred questions, and others several hundred! The length of the questionnaire and depth of the questions will have a lot to do with the risk that the vendor poses. Pretend for a moment that you are Coca-Cola, and one of your vendors has the secret formula for Diet Coke. You’re probably going to want to ask that vendor a ton of questions to ensure that the formula is secure.

The optimal time to send out a questionnaire is when you’re onboarding a vendor. Frequency after that is variable. Some companies opt to send shorter questionnaires annually (in an attempt to follow up), while others simply ask that vendors send any important changes to their IT department. Either way, you’ll want to be updated if your vendor makes a large change (like, for example, if they stopped doing an important function in-house and decided to outsource to a third party).

3. Do I have to implement a VRM program for all of my vendors or just the most critical? 

If you have unlimited resources to spend on a VRM program, you can go ahead and monitor every single one of your vendors. But I’m guessing that’s not your scenario. So, most organizations should start by monitoring the most critical vendors. In order to do that (and as I mentioned earlier), you’ll need to prioritize which vendors pose the greatest security risk. This is where most companies get into trouble, so don’t underestimate the importance of this step.

Take Target for example. They probably had a VRM program before their infamous 2013 breach, but it seemingly didn’t include the HVAC vendors. What they didn’t take into account was how much access they had actually given this particular vendor. Because they had a great deal of access, that made the vendor critical. Let that be a lesson—it’s not just the sensitivity of the data that a vendor has access to, but it’s the amount of access they have in your network as well.

4. How much will I need to work with our legal counsel to develop a program? Aren’t my vendors legally obligated to share security information will me?

One of your legal team’s main priorities will be to establish a disclosure obligation with your vendors. Pretend once more that you are Coca-Cola. If your vendor is breached and they lose customer data or other sensitive information, there are laws in place to protect the customer — in other words, you are legally required to tell a customer if their information, like their credit card number, has been compromised. But what happens if one of your vendors is breached and Diet Coke’s secret formula has been compromised? Are they legally bound to tell you, Coca-Cola? No; unless they have a legal obligation to do so, that is.

So, you can see how important it is to have your legal team intimately involved in the VRM process. You need to be sure that your vendors are legally bound to inform you if an incident that affects your security position takes place. You are also able to tell your vendors how secure you want your data through your contracts. And, if they don’t comply, you’ll be able to take legal action against them.

5. What standards should I have my vendors meet? How do I know they’re meeting them? 

This is almost entirely dependent on the industry that you work in. If you’re in the medical field, you’ll want to ensure that your team is HIPAA compliant; if you’re in the financial industry, you’ll need to ensure that you’re meeting OCC guidance, PCI compliance, etc.

To ensure that your vendors are meeting standards, your lawyers and IT department will work together to determine:

  • How sensitive the data is.
  • What standards your industry dictates your vendors must meet, and what company standards you’d like them to meet.
  • How to determine if they’ve met those standards.

All of this comes down to the issue of continuous monitoring. Until recently, it was nearly impossible to monitor vendors in real time from outside of their network. Unless a vendor actually let you come on-site and watch their network directly (unlikely), you’d never be able to know what was going on. Learn how continuous monitoring technologies are transforming risk management processes.

6. What’s the average size of a VRM program? How many people do I need internally? 

Regardless of the size of your organization, you’ll need someone (or several people) to monitor your VRM program. Your company's third-party risk exposure will determine whether this is one person’s part-time job, one person’s full-time job, 10 people’s jobs or dozens of people’s jobs.

7. Who should my main contact be with my vendor?

You should expect to have one individual at your vendor’s company who is in charge of managing the risk to your organization’s data. This person should be your point of contact if there is ever a problem and should be able to easily obtain relevant and important information at any point. He or she could be a lawyer, an IT security person, the chief information officer, or any number of people depending on how the company has decided to organize itself. You should be able to rely on this person to get all of the appropriate people together should a problem ever occur. This person should have specific insights into IT operations, security components, and elements of your contract.

8. When should I go on-site to meet with my vendor?

For some vendors, you can do business all in writing, though many require phone conversations (desk assessments). Depending on the strategic nature of the relationship and the goods or services delivered, on-site visits may be warranted, both during vendor selection and for ongoing relationship management. According to the OCC: “On-site visits may be useful to understand fully the third party’s operations and capacity.”

The important thing here is to make sure you are focusing your scarce resources and travel budget on visiting those vendors that are most strategic to your business and/or have the highest levels of network access.

9. Why aren’t penetration tests or questionnaires adequate?

Penetration tests and questionnaires, while helpful, do not provide real-time insight into the actual network security posture of your vendor. With continuous security monitoring tools, that problem is solved.

10. Is VRM actually important? Is anyone else actually doing this?

Not everyone is doing it yet, but many are. Some organizations, like the financial sector, have been monitoring vendor risk for a very long time. There are two factors to keep in mind here:

  1. The regulatory environment is changing, and more and more, regulators are recommending – and in many cases requiring – VRM programs.
  2. As more companies identify third-party risk, in part due to recent highly-publicized breaches, they’re placing more focus and resources in developing VRM programs. In a way, everyone is a third party to somebody else. Even if you’re not monitoring your vendors, you can be sure someone is monitoring you. With the risks that are present today, everyone is asking their vendors about security posture.

The bottom line is that vendor risk management is both important and necessary.  Third Party Risk Management

Suggested Posts

Third-Party Risk Management Best Practices for Enterprise

Companies are becoming increasingly reliant on third-party relationships, and cyber attacks originating in the systems of third parties are on the rise.

READ MORE »

Airbus Incident Shines Spotlight on Third-Party Vendor Security Risks

2019 has been a year of high-profile attacks, and, as we predicted, it’s only getting worse. That’s certainly the case for Airbus.

READ MORE »

A Vendor Risk Management Questionnaire Template

IT Risk Assessment Questions for Third Parties

Digital relationships with third-party vendors increase opportunities for growth, but they also increase opportunities for cyberattacks — a recent study found that 61% of U.S. companies said...

READ MORE »

Subscribe to get security news and updates in your inbox.