
Vendor Risk Assessments: Why You Should Use An Industry-Standard Method

Melissa Stevens | August 13, 2015

If you’re just starting out with Vendor Risk Management, you probably have a lot of questions about security. You might be wondering, “Which companies should be on my radar? Am I supposed to monitor all of my vendors, or just a few of them?” These are valid questions—ones you should definitely ask.

Another question that may be lingering is, “Do I need to come up with a vendor risk assessment methodology all on my own?” The answer is a resounding no!

Luckily, there are several organizations out there that have spent many years developing materials that companies can pick up off the shelf and use immediately. Of course, you’ll add your own personal touches along the way, but you do not need to start from square one. Phew!

Now that you’ve breathed a sigh of relief, you’re probably wondering where and how you should get started, and which companies to look at. And that’s what we’ve compiled here!

If you’re going to build a vendor risk program, you’re going to be looking at six of these “best practices.” Each of them allows you to assess a part of the cyber security posture of your vendors in a different way, so you can look at it from every angle.

#1: Risk Assessment

Not every vendor presents the same risk to your organization; some have greater access to your sensitive data or assets. Tiering your vendors based on their importance to your organization is a critical step in creating a good vendor risk management program. The National Institute of Standards and Technology (NIST) has put out some excellent documents to help you think about third-party risk to your organization, including Special Publication 171.

#2: Questionnaire

While there are many options to choose from, one industry-accepted standard for vendor questionnaires is Shared Assessments. In addition to using the standardized questions laid out by Shared Assessments, most organizations will tack on additional questions that are specific to their organization to ensure that they’re getting all pertinent questions answered. This is a great way to be thorough without wasting time creating your own questionnaire.

#3: On-Site Interview

The next step in most vendor risk management programs is to perform an on-site interview. Most companies build out a list of questions to ask during this interview process based on standards like ISO 27001 or NIST Special Publication 800-53. These guidelines will help you ensure that every question you ask will have a purpose in better understanding how secure your vendor is.

#4: Technical Scans

Performing a technical analysis of your vendors’ network security can be daunting, particularly if you haven’t done it before. Penetration tests and vulnerability scans are widely accepted practices, but make sure you have communicated with the vendor about performing these tests ahead of time; there is often a lot of back-and-forth between the primary organization and the third party before the scope and breadth of the test are agreed upon.

There are companies that sell the technology needed to perform these assessments and there are consultants that do the test for you. Rapid7 and Core Security are highly regarded technology vendors, and many experienced consultants are available to conduct assessments on your behalf. Make sure you do your due diligence before deciding if any of these options work for your organization.

#5: Review Of Security Documentation


You’ve performed an on-site review and received the results of your questionnaire and technical assessment. You have a lot of helpful information, but you’re probably going to want to ask for more documentation from the vendor—let’s say, for example, former audit results.

Now, imagine yourself in the vendor's shoes for a moment. They are not just your vendor—they act as a vendor for many other organizations as well. That means they’re probably hounded with information requests regularly and want to minimize the amount of time spent answering security questions. So, they probably have a standard approach to how they handle these requests. Perhaps they’ve already hired a firm to come through and run tests and audits so they can hand that information out when they begin vending to another company.

This is where the common security phrase “trust, but verify” comes into play. If a vendor sends more documentation for your review, that’s great. But it’s up to you to substantiate their claims.

#6: Continuous Monitoring

Every step you’ve taken to this point is incredibly important. In fact, many vendor risk management programs stop after step four. However, those steps give you only a snapshot of vendor health. That snapshot is undoubtedly valuable, but it does not let you see what is happening in the vendor’s network environment in real time. Remember—there are organizations suffering from security incidents at this very moment. If an organization has a continuous monitoring solution like BitSight, they’ll be able to take action against a threat right away.

In summary, paying attention to the cyber security posture of your vendors is one of the most important things you can do when you’re getting started with third-party business relationships. From time to time, there will be circumstances that warrant unique questions or a different approach. But, when it comes to most vendor risk assessment methods, it’s better to rely on the expertise and experience of others than reinvent the wheel and do it all yourself.
