How To Do Vendor Risk Management

Vendor Risk Management (VRM) isn’t hard, but every day we interact with organizations that either have complicated, manual processes or are doing nothing at all.  That complexity usually comes from the lack of regulatory clarity around VRM expectations, combined with the lack of enforcement.  So what is a business supposed to do?  Good question…

At SecurityStudio, we encourage people to think about defensibility.  Sure, you want to identify trouble vendors early and try to manage their risk, but you will never be 100 percent successful at that.  You want to do everything you can to protect your business from a breach, but you also want your business to be defensible in court when a breach happens.  Defensibility comes from following a consistent process and being able to show that you followed it.

So let’s start with the basics:  How do you do VRM?

  1. Follow a consistent process.  Run every vendor through the same steps, and start VRM as early as possible in the procurement cycle: the best time to get information from a vendor is while they are still striving to earn your business.  Here’s a good process to follow:
    • Get a list (inventory) of your vendors.  Finance (accounts payable) probably already has one.
    • Classify them.  We use three buckets: Low, Medium and High risk.
    • Assess the risky ones.  If a vendor is Medium or High risk, send them a set of security questions or review evidence they already have.  Options include spreadsheet questionnaires, FISASCORE, or an existing attestation such as a SOC 2 report.
    • Make decisions.  Accept them as a vendor, require them to fix specific things first, or outright deny them.
    • Repeat annually.
  2. Make sure you document your process!  Write it down, and keep a record of each assessment and decision, so that you are defensible if/when something bad happens.
  3. Make sure your process accounts for all vendors.  Sure, only a small percentage of your vendors are high risk, but from both a compliance and a risk standpoint you need to account for every one of them.  Why?  Because if a breach occurs you’ll have to explain why you didn’t account for all of your vendors…
  4. Spreadsheets and a manual process are better than nothing.  Many people start this way.  I think this is primarily because there haven’t been good, cost-effective VRM tools on the market until recently.  SecurityStudio is a good example of a tool designed for VRM.
  5. Don’t fall for the gimmicks.  Many services (often very expensive) claim to do VRM but are really just scanning publicly accessible, internet-facing assets for vulnerabilities.  Information security is a combination of Administrative, Physical and Technical controls; an external scan sees only a slice of the technical controls and nothing of the administrative or physical ones, so it offers at best a partial solution.
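As an added illustration (this is not SecurityStudio’s code, nor FISASCORE), here is the process above encoded as a small Python routine: every vendor in the inventory gets a tier (none are skipped), only Medium and High vendors are scheduled for an assessment, a vendor with an outstanding assessment cannot be accepted, and the annual repeat is calculated from the last completed assessment.  The tiering rubric (sensitive data, system access, business criticality), the 365-day interval and the sample inventory are assumptions made for the example; the article itself only specifies three buckets and an annual cycle.

```python
"""Vendor tiering, annual review scheduling and a gate on the accept decision.

Added example, not SecurityStudio's code. The tiering rubric (sensitive data,
system access, business criticality) and the 365-day interval are assumptions
made for illustration; the article only says it uses Low/Medium/High buckets
and repeats annually.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Tier(str, Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool          # PII, PHI, card data, credentials
    has_system_access: bool               # VPN, API keys, SaaS holding your data
    business_critical: bool               # an outage halts a core process
    last_assessed: Optional[date] = None  # date of the last completed assessment


REVIEW_INTERVAL = timedelta(days=365)     # "repeat annually" (assumed interval)


def classify(v: Vendor) -> Tier:
    """Assumed rubric: sensitive data or system access -> High; otherwise
    business critical -> Medium; everything else -> Low. No vendor is untiered."""
    if v.handles_sensitive_data or v.has_system_access:
        return Tier.HIGH
    if v.business_critical:
        return Tier.MEDIUM
    return Tier.LOW


def assessment_due(v: Vendor, today: date) -> bool:
    """Medium and High vendors need a questionnaire or attestation review; it is
    due if none is on file or the last one is older than the interval.
    Low vendors are inventoried and classified but not sent questionnaires."""
    if classify(v) is Tier.LOW:
        return False
    return v.last_assessed is None or today - v.last_assessed >= REVIEW_INTERVAL


def next_review(v: Vendor, today: date) -> date:
    """Date the vendor next comes up in the process; every vendor gets one."""
    if assessment_due(v, today):
        return today
    if classify(v) is Tier.LOW or v.last_assessed is None:
        return today + REVIEW_INTERVAL          # re-inventory/re-classify
    return v.last_assessed + REVIEW_INTERVAL    # next annual assessment


def accept_allowed(v: Vendor, today: date) -> bool:
    """Gate on the 'accept' decision: a Medium or High vendor cannot be accepted
    while an assessment is outstanding. Low vendors need no assessment."""
    return not assessment_due(v, today)


def build_register(vendors: Iterable[Vendor], today: date) -> List[Dict[str, object]]:
    """One row per vendor, risky or not: the written record that shows every
    vendor was accounted for and the same process was applied to each."""
    rows: List[Dict[str, object]] = []
    for v in vendors:
        rows.append({
            "vendor": v.name,
            "tier": classify(v).value,
            "assessment_due": assessment_due(v, today),
            "next_review": next_review(v, today).isoformat(),
            "accept_allowed": accept_allowed(v, today),
        })
    return rows


# Constructed sample inventory (not real vendors); Finance's list is the source.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", True, True, True, last_assessed=date(2023, 1, 15)),
    Vendor("Managed DNS", False, True, True, last_assessed=date(2024, 3, 1)),
    Vendor("Office landlord", False, False, True),       # never assessed
    Vendor("Plant watering", False, False, False),
]


def demo_register() -> List[Dict[str, object]]:
    """Run the sample inventory through the process as of SAMPLE_TODAY."""
    return build_register(SAMPLE_VENDORS, SAMPLE_TODAY)


if __name__ == "__main__":
    for row in demo_register():
        print(row)
```

The register is the artifact to keep: it records the tier, the assessment status and the decision gate for every vendor on every run, which is exactly what you would hand over when asked why a given vendor was or was not assessed.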

VRM isn’t that complicated, but like everything in information security, the rules aren’t as clear as you’d probably like, and everyone is trying to sell you a different version of a solution.  SecurityStudio simply tries to lay out a thought process that makes sense to most people.  If you like the process above, we hope you’ll take a look at SecurityStudio.
