Vendor Risk Management (VRM) isn’t hard, but we interact with organizations every day that have complicated, manual processes, or they’re doing nothing at all. That complexity typically comes from the lack of regulatory clarity around VRM expectations as well as the lack of enforcement. What is a business supposed to do? Good question…
So let’s start with the basics: How do you do VRM?
- Follow a consistent process. Always go through the same process and incorporate VRM as early as possible into the vendor process. The best time to get information from a vendor is when they are striving to earn your business. Here’s a good process to follow:
- Get a list (inventory) of your vendors. Finance probably has a list.
- Classify them. We use 3 buckets: Low, Medium and High risk.
- Assess the risky ones. If they’re medium or high risk send them a bunch of security questions. Solutions include spreadsheet questionnaires, S2SCORE, SOC 2 etc.
- Make decisions. Accept them as a vendor, ask them to fix some things first, or outright deny them.
- Repeat annually.
- Make sure you document your process! Write it down so that you are defensible if/when something bad happens.
- Make sure your process allows you to account for all vendors. Sure, only a small percentage of your vendors are high risk, but from both a compliance and risk standpoint you need to account for all. Why? Because if a breach occurs you’ll have to answer to why you didn’t account for all vendors…
- Spreadsheets and a manual process are better than nothing. Many people start this way. I think this is primarily because there haven’t been good, cost effective VRM tools on the market until recently. SecurityStudio is a good example of a tool designed for VRM.
- Don’t fall for the gimmicks. Many services (often very expensive) claim to do VRM but they really are just vulnerability scanning publicly accessible, internet facing assets. Information security is a combination of Administrative, Physical and Technical controls, so vulnerability scanners only offer a partial solution.
Vendor risk management isn’t that complicated, but like