In the simplest sense, a well-designed third-party information security risk management program is made up of four phases: Inventory, Classification, Assessment and Treatment.
Phase 1 – Vendor Inventory
We can’t effectively protect the things we don’t know we have from the things we don’t know about. Every third party that the organization does business with must be included in the third-party inventory. Not every third party poses a significant risk, but due diligence must be shown for all of them regardless.
Everything starts with third-party inventory. The inventory of third-party providers is what feeds the SecurityStudio system. The purpose of the inventory phase is to get all your third parties into the system and ensure that your third-party inventory remains current.
The bulk of the work comes during implementation. After the system is set up and running, you rarely make any significant changes. Occasionally, you may decide to audit the third-party inventory by comparing the list of third parties maintained within SecurityStudio with the list of third parties maintained in other areas of the business. After the initial system setup, the inventory can be easily audited on an ongoing basis.
There are two parts to vendor inventory if you’re just getting started: the initial inventory and the onboarding process. Once you’re up and running, you will mostly focus on third-party onboarding.
Most organizations don’t know who all their third-party providers are. The place to start building your third-party inventory is your finance department: if you have a third-party provider, you must be paying for them somehow. There are three places to look for third-party providers when building the initial inventory:
- Third-party providers who are sending you invoices
- Third-party providers who are being paid with a corporate credit card
- Third-party providers who are paid by an employee who is being reimbursed for the expense
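As an added example (not part of this page or the SecurityStudio product), the following Python script shows how the three finance sources above can be merged into one deduplicated vendor inventory and then compared against the list the risk program already tracks, which is the ongoing audit described earlier. The vendor names, the current inventory and the suffix list are constructed for illustration.

```python
import re

# Constructed sample records, one list per finance source named on the page.
INVOICES = ["Acme Cloud Services, Inc.", "Northwind Payroll LLC", "ACME CLOUD SERVICES INC"]
CORP_CARD = ["Zoom Video Communications", "northwind payroll, llc"]
REIMBURSEMENTS = ["Dropbox Inc", "Zoom Video Communications, Inc."]
SOURCES = {"invoices": INVOICES, "corporate_card": CORP_CARD, "reimbursements": REIMBURSEMENTS}

# Constructed list of vendors the risk program already tracks.
CURRENT_INVENTORY = ["Acme Cloud Services", "Northwind Payroll"]

# Corporate suffixes that finance systems record inconsistently (constructed list).
SUFFIXES = {"inc", "llc", "ltd", "corp", "co"}


def normalize(name: str) -> str:
    """Canonical key for a vendor name: lowercase, punctuation removed, suffixes dropped."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def build_inventory(sources: dict[str, list[str]]) -> dict[str, set[str]]:
    """Merge every finance source into one deduplicated inventory.

    Returns a mapping of normalized vendor name -> set of sources that pay it,
    so the same vendor spelled three ways collapses into a single entry.
    """
    merged: dict[str, set[str]] = {}
    for source, names in sources.items():
        for raw in names:
            merged.setdefault(normalize(raw), set()).add(source)
    return merged


def audit_gaps(finance: dict[str, set[str]], tracked: list[str]) -> dict[str, set[str]]:
    """Vendors that finance is paying but the risk program is not yet tracking."""
    known = {normalize(n) for n in tracked}
    return {vendor: srcs for vendor, srcs in finance.items() if vendor not in known}


def example_gaps() -> dict[str, set[str]]:
    """Run the audit over the constructed data above."""
    return audit_gaps(build_inventory(SOURCES), CURRENT_INVENTORY)


if __name__ == "__main__":
    for vendor, srcs in sorted(example_gaps().items()):
        print(f"untracked vendor: {vendor!r} (paid via {', '.join(sorted(srcs))})")
```

Each untracked vendor the report lists is a candidate for the onboarding step that follows, and the source column tells you which finance team to ask for the contract details.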
Onboarding is focused on ensuring that all new third-party providers are accounted for in the vendor risk management program before they begin providing their product or service. Uploading third parties into the SecurityStudio system is a snap. You can either upload them one at a time or do a mass upload using a spreadsheet. Employees and finance personnel can enter new vendor information directly into SecurityStudio or we can link to an existing intranet site that you already have set up.
Once the Inventory and Onboarding steps are complete, you’re ready to start Phase 2 – Vendor Classification.