
This is an interesting dilemma, and a question I hear regularly.  It goes like this:

“We have a lot of vendors that don’t want to fill questionnaires out at all.  What do vendors think of SecurityStudio?”

My answer to this is always the same…

Three or four years ago, when vendor risk management programs were largely nonexistent, vendors would push back on security questionnaires.  They would dodge, avoid, argue irrelevance, hide, ignore, answer cryptically, lie (in some cases, yes they do), get answers wrong, etc.  Basically everyone was trying to avoid filling out any information about their security programs.

Now that we’re a few years down the road, vendors are used to this, especially in any regulated industry or anyone that works with healthcare orgs, finance, etc.  We’re a vendor, and we expect our customers to ask us about our security. 

So at this point, if I have a vendor that doesn’t want to give up information about their security, that’s a GIANT red flag for me. 

There are only a few reasons for not being forthcoming with a customer or prospect:

  • What the vendor does is highly sensitive, and they have to protect that information from everyone, including customers.
  • The vendor is a big enough company that they don’t need to respond to prospective customers.
  • A security program isn’t in place or the vendor doesn’t know how to answer the questions.

Each scenario is bad for me as a risk manager:

  • Even if you say you’re highly secure, it’s my responsibility to make sure.  So in scenario one, they would still have to have something they can provide me as evidence they know what they’re doing.  From my side, I can’t just take their word for it.  So give me something.
  • Although they’re a huge company (e.g., AWS, Microsoft, Google), they still pose a risk to us.
  • If they avoid/resist, give excuses, or want to argue about why they don’t need to provide us any information, I assume they don’t have a security program.

When deciding if you should “fire” a vendor, there are many things to consider:

  • Someone in your organization likely wants to do business with this vendor.
  • It could be a significant deal for your organization.  That adds pressure to push them through.
  • How significant is the risk and what could happen to you if they get breached?

There are many more factors obviously, but the point is that it is usually extremely hard to fire a vendor that the business wants to work with.  If you have the authority to pull that trigger, then I would advise using it sparingly.  We enlist the business to help us get the assessment results back if needed, and we prefer to push them into remediation rather than firing them.  SecurityStudio makes remediation really easy, so we prefer to just build remediation plans they can work on.  That way everyone is winning!

I would only fire a vendor if all of the following are true:

  • They simply won’t give us information.
  • They argue and avoid enough that they give me the sense that they don’t have a security program.
  • The business has alternative vendors that they can use, and they are ok with the firing.

Short of that, we opt for remediation, or if the vendor won’t cooperate at all, then we opt to have the business grant a waiver for the vendor.  That way as a risk manager I can show that I did my due diligence but that the business decided to pursue the relationship anyway.  This is more than just CYA, it’s an important part of the partnership between security and the business.  We don’t want to shut them down, we just want to manage our risk.  They have the right to accept the risk of a vendor that won’t cooperate.  (document, document, document)

The feedback we get regarding vendor willingness to use SecurityStudio has been really good.  Yes, we have definitely seen the same types of patterns (avoidance, arguing, ignoring) but that’s what SecurityStudio is built to overcome.  Automated reminders, questions written in common language, an appealing interface, etc. all contribute to a positive experience for vendors too.  So yes, they have to do something, but the feedback we’re getting is that vendors like the way SecurityStudio works for them. Make it easier for yourself and company, and schedule your demo for SecurityStudio today!

What it is, why you need it, and how to use it.

You might be thinking something like:

“Meh! We don’t need another policy that nobody will read! Policies are a waste of time, especially a Vendor Risk Management Policy!”

I get it. People aren’t thrilled by policies. They’re not exciting. They’re not fun either. For some, policies can even be painful.

Policies get a bad rap. Not because they’re evil or anything, but because people rarely use them well. The fact is, information security policies play a very important role in supporting all information security efforts, and a vendor risk management policy plays a very important role in supporting our vendor risk management efforts.

I don’t like wasting people’s time, so I’ll get right to the point. Most policy problems are founded in the confusion about what a policy is, why they need one, and how they should be used. So, let’s address this as simply as possible. After all, complexity is the enemy of good information security (remember this always).

NOTE: In some organizations, vendor risk management and third-party information security risk management have slightly different meanings. Third-party information security risk management is part of a greater vendor risk management effort. For the purposes of this article, we’re using vendor risk management and third-party information security risk management synonymously.

What a Vendor Risk Management Policy is

The “what” for any policy are the rules. Think of this in terms of a game. A policy defines the rules for the game. A vendor risk management policy defines the rules for the vendor risk management game. Simple.

If you’ve never played the vendor risk management game before, this could be a difficult policy for you to define. If this is you, ask someone you trust for help. Here are two options for you right now:

  1. You can download our template. Change the rules to fit the game that you’re willing to play and make it yours.
  2. Contact SecurityStudio – The experts at SecurityStudio will make sure you get all the answers you need.

There are some typical structural things that should be found in every policy, including this one. Policies should contain a purpose statement, note the audience for the policy, the policy status (draft, approved, adopted, etc.), version, date, the policy itself (the rules), references (to standards and/or other documentation), enforcement intentions, and version history.

Your game, your policy. Don’t expect someone else’s policy to fit as-is, and don’t include rules that you don’t intend to play by.

Why you need a Vendor Risk Management Policy

If the “what” of a policy is the rules, the “why” of a policy is communication. Policies are used to communicate the rules to others. You don’t need a policy if you don’t have anyone to communicate the rules to. Good news, right?

Before you rejoice, it’s very unlikely that you have no one else to communicate the rules to. There’s almost certainly someone else who needs (or wants) to know the rules.

Think about who needs to know the rules for your vendor risk management game. The list could include:

  • Anyone else within your organization that participates in vendor risk management activities.
  • Anyone who’s interested in your organization’s vendor risk management activities (examiners, regulators, partners, etc.)
  • Anyone who’s ultimately responsible for your organization’s vendor risk management activities, including executive management and the board of directors (if one exists).

The more people who need to know about your rules, the more important the policy becomes. In a small organization where there is a single person who does all the vendor risk management activities, there’s less importance. Not “no” importance, just less importance.

How to use a Vendor Risk Management Policy

Once you’ve written a policy, it’s time to figure out how to use it. Every policy, including this one, must be approved, communicated, adopted, and adjusted (or revised). This is a policy lifecycle that is well understood by most.

  • Draft – The policy is drafted (as v1 for new policies, as an incremented version in subsequent cycles).
  • Approve – The policy must be approved by someone with authority (executive management, BoD, etc.).
  • Communicate – The policy must be communicated to all personnel who are affected by it.
  • Adopt – Gap analysis (or audit) coupled with plans and projects to ensure compliance.
  • Review/Revise – Periodic (and regular) review of policy, suggested edits move forward.

Policies are reference documents and should be written this way. Let’s go back to our game comparison.

When you sit down with friends to play a new board game, how many people read the rules? Just one, and this is the de-facto person who oversees the game. How many people should read your policies (rules)? Just the person (or group) who oversees the game. As the game is played, the rules are referenced whenever a question comes up. Same goes for policies.

That’s it. Simple. Define the rules for vendor risk management, communicate the rules, and manage the rules. Vendor risk management policy in a nutshell.

Having a policy in place is great, but also having a workflow that evaluates all third-party vendors and brings your weakest links to the surface is even better. Schedule a demo with us today to get your easy-to-use vendor risk management program.

Vendor Risk Management (VRM) conjures up all manner of interpretation. As a business leader, I’m concerned with all aspects….

  1. Are my vendors financially stable enough to fulfill our agreements?
  2. Are my vendors operationally capable of fulfilling our SLAs and contractual requirements?
  3. Are my vendors doing enough to protect the data I’m sharing with them?

Numbers one and two are easy to measure and offer a mathematically sound position by which vendors may be held accountable. Number three scares me.

What are we to do in the face of daily news, very public and embarrassing news, of vendors’ indiscretions leading to the breach of sensitive information? More questions lead to more questions and on and on it goes.

As a company on the rise, including an ever-growing number of vendors and third parties in the ecosystem, the need to do due diligence on data protection is ever increasing. Here’s the thing – it doesn’t have to be technical or out of reach if you’re not a technically-minded person. Understanding risk is the linchpin of the process.

Defensible Position

Defensible position is the mantra of VRM. Say it with me – “Defensible Position.”

Start here – put ALL of your vendors through the same wringer. When doomsday (a breach) happens, the only defense you have is that a process was followed and that exceptions to that process were minimal and for a VERY good reason.

Example:

  • Jerry’s lawn service handles landscaping services for your business. Jerry and his team never set foot into your office, they just mow the lawn and keep the flowers alive. Still, Jerry should be able to withstand a brief questioning about the nature of your relationship, be filed under the “low risk” designation, and be put into a queue to review in a year. If, by next year, Jerry is also providing maintenance services INSIDE your building, you should ask more questions because Jerry and his team may have physical access to information they didn’t have before. Make sense?

Jerry’s likely not a risk if he’s outside your doors. He’s a potential HUGE risk once he has access to the office. Keep an eye on that with a standard process to reevaluate all vendors like Jerry on (at least) an annual basis.

Assess

Once you’ve put your vendors through the “smell test” of risk (officially called ‘classification’) then move onto assessing whether or not they are doing the right things with their access to your information. There are a number of ways to do this, but in the interest of being in a DEFENSIBLE POSITION, make sure all vendors of a particular classification (high, medium, critical, etc.) get the same assessment.

Lawyers love words like “assume, thought, maybe, about, approximately, etc.” so eliminate that possibility. By measuring your vendors with the same ruler, you take subjectivity out of the equation. Starting to see the advantage, here?

You cannot protect yourself from breach. There, I said it. The skill and nature of the “bad guys” is such that total immunity is impossible. Accept that and move on to managing the risk of the situation. What is the likelihood of a breach? How bad would it be if you were breached? If you don’t have math to lean on for answers to those questions, your VRM (and overall security strategy) is inadequate. Period.

Five years ago, achieving a well-measured VRM program was incredibly expensive and often reliant on specialized expertise that was in increasingly short supply. Times have changed and there are options out there that have real effectiveness, such as SecurityStudio, which automates the process and puts you in a defensible position.

So, now you’re in a defensible position and at least feel good that you’re doing what’s expected and being responsible. But, there’s a greater responsibility…

Help your vendors practice better security. You’re in a position to help the organizations who wouldn’t naturally care about security. Put the basics in place to better protect themselves and you. VRM is a GREAT way to lead your suppliers to best practices while also protecting yourself in a more effective way. It costs you nothing and has (potentially) enormous benefits.

The soapbox is officially unattended. To recap…

  1. Get all of your vendors in a common process.
  2. Rank your vendors according to the same criteria.
  3. Assess your vendors’ security and get some math around their risk to you.
  4. Help your vendors get better – don’t just point out problems and wish them luck.

Please get in touch with me, John Harmon, if you have any questions. There’s a lot of uncertainty and lip-service out there trying to profit from your uncertainty. Lean on people who have the experience and the propensity to serve to help you with VRM, or any other security concerns you have. The good guys are within reach and ready to help.

For an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

A common theme for many organizations is that they don’t have time to do third-party information security risk management, or they don’t have the time to do it right. There are so many competing initiatives in an information security professional’s life, I get it. Do you have a case for not prioritizing third-party information security risk management, or not prioritizing it higher?

Let’s use logic to figure this out together.

NOTE: Notice I use the words “third-party information security risk management” in place of “vendor risk management”, this is because I think one is a little more accurate than the other. Third-party information security risk management usually fits within the scope of a larger vendor risk management program. For this article we’re going to focus on third-party information security risk management.

Three primary questions come to mind when thinking about the importance of third-party information security risk management:

  1. Is there a problem with NOT doing third-party information security risk management?
  2. If so, how big is the problem?
  3. What should you do about it?

Is there a problem?

So, you’ve got other priorities that prevent you from assessing and managing information security risks related to your vendor/third-party relationships. The fact that you have other priorities isn’t a problem, it’s reality. The fact that you may not be prioritizing third-party information security risk management, or that you may not be prioritizing it high enough, could be a big problem.

Inherently, I know two things when it comes to third-party information security risk management:

  1. Nobody cares about the security of my information more than I do.
  2. Third-parties are the cause (directly or indirectly) of most known data breaches.

Nobody cares about the security of my information more than I do.

You know this is true, right? You spend thousands of hours, and many dollars trying to implement and manage good security controls within your organization. You’ve developed sound policies, worked tirelessly to make sure people are trained and aware of good security practices, you’ve spent thousands (maybe millions) on expensive technological controls like firewalls, intrusion prevention, data loss prevention, endpoint protection, and on and on.

You use third-parties to provide certain services to your organization. Maybe printing, maybe hosting, maybe IT support, who knows? Do you think the third-parties you use have spent the same amount of effort in protecting your information? Is thinking they’re protecting your information the same way you are, good enough? Play it out. Stay with me on the logic here.

We know that no matter what we do, we cannot possibly prevent all bad things from happening. We cannot eliminate risk, but risk elimination isn’t the goal anyway. Risk management is the goal and it’s the only thing that’s even remotely attainable.

Let’s say a vendor loses your information (this is more likely than you know, read the next section). Or, let’s say that an attacker gains access to your information through some sort of access that we’ve granted them. What happens next?

You conduct an investigation. Maybe there are lawyers involved. Maybe there’s customer data involved. Maybe you’re not sure. One thing is for certain, somebody isn’t going to be happy. When the right (or wrong) somebody isn’t happy, somebody else needs to pay. The unhappy “somebody” might be a customer or group of customers, a government regulator, or the board of directors. The unhappy “somebody” might be all of the above.

The unhappy somebody is going to want answers. What answers do you think they’re going to want? They’ll want answers to questions like:

  • Did you know that your vendor was doing x, y, and z?
  • Did you ask how the vendor was protecting our information?
  • What sorts of questions did you ask the vendor about protection?

The quality of your answers will often dictate what and how much you’ll have to pay. No answers or bad answers will cost you more. Somebody almost always pays when something bad happens, the degree to which they pay, will largely be dependent on what answers they’ll have to defend themselves. This, in a nutshell, is defensibility.

Can ignorance be defensible, claiming you didn’t know any better? Short answer is “no”. The reason is outlined in the next section.

Third-parties are the cause (directly or indirectly) of most known data breaches.

Soha Third-Party Advisory Group conducted a study (Source: http://www.marketwired.com/press-release/soha-systems-survey-reveals-only-two-percent-it-experts-consider-third-party-secure-2125559.htm) last year that concluded the following: “third parties cause or are implicated in 63 percent of all data breaches.” You might be skeptical of this number, but the Soha Third-Party Advisory Group consists of some heavy-hitters in our industry, security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence; PwC; and Symantec. I didn’t write the study, but I believe that much of the findings represent the truth.

Soha Third-Party Advisory Group

Can you claim you didn’t know better? When you’re tasked with answering the inevitable questions that are coming your way after a breach, do you really think you can claim you didn’t know?

Compounding the “ignorance as a defense” problem are the following facts:

Third-party data breaches are on the rise, at least in the United States. A study by Opus concluded the “percentage of companies that faced a data breach because of a vendor or third party was higher at 61 percent, which is up 5 percent from last year and 12 percent from 2016”. (Source: https://www.pymnts.com/news/security-and-risk/2018/third-party-data-breaches-cybersecurity-risk/)

A study conducted by Kaspersky Lab concluded that the costliest data breaches are those that involved a third-party, especially for small to medium-sized businesses (SMBs). (Source:  https://mobile.itbusinessedge.com/blogs/data-security/breaches-from-third-parties-are-the-costliest.html)

Opus & Kaspersky Lab

Do you need more justification for re-prioritizing third-party information security risk management? Maybe you run a security program based on compliance, only doing what you’ve been told to do. This isn’t a good idea because information security is about risk management, not compliance, but let’s say it’s the way you do things anyway. Compliance is king. What if I told you that regulators and examiners are aware of the risks, and that they read the same news we do? They are increasing the pressure around third-party information security risk management, and they’re losing patience with organizations that haven’t taken the risk seriously. It’s better to get ahead of this curve now.

Back to our original question; Is there a problem with NOT doing third-party information security risk management? My opinion, using the logic we’ve outlined together, is “yes”. There is definitely a problem with you NOT doing third-party information security risk management.

Are you convinced that you need a third-party information security risk management solution? If so, let’s figure out the right solution. If not, we’ll still be here to help when you become convinced. I promise.

How big of a problem is it?

Our next question was how big of a problem is it, meaning how pervasive is the third-party information security risk management problem in our industry? I promise to provide a short answer.

At a macro-level, relying on my unscientific observations from working with (up to 1,000) clients and discussions with other information security professionals, I would estimate that as many as 90% of the companies ranging in size from 20 – 30,000 employees do not have a third-party information security risk management program of any substance (or formality).

The problem is big in our industry. I would caution, however, against using this as justification for not having your own program. The herd mentality seems to be less and less defensible too.

Our last question: what should you do about it (meaning third-party information security risk management)?

What should you do about it?

For your own good, hopefully I’ve convinced you that not doing anything or deferring this issue until it becomes a higher priority, is not a good option. If not, like I stated previously, we will be here for you when you change your mind.

A well-designed third-party information security risk management program fits the following characteristics:

  1. It’s not disruptive to the business. After all, your business is in business to make money (and/or serve a mission). If information security gets in the way, you’ve got problems.
  2. It’s measurable in a way that you can show progress. Going from nothing, or next to nothing, to a fully implemented third-party information security risk management program is not feasible or encouraged. A solution that allows for gradual adoption over time is the right way to go.
  3. It doesn’t take shortcuts. The definition of information security accounts for administrative, physical, and technical controls. Only accounting for technical controls isn’t going to cut it, especially when we consider the fact that your most significant risk is people.
  4. Organized, standardized, and repeatable. These things make your program scalable and useable. The way to accomplish this is to automate all parts of the program that can be automated, without taking shortcuts.
  5. Intuitive, easy to use, and easy to understand. Third-party information security risk management shouldn’t be rocket science. A well-designed third-party information security risk management solution should be logical, so much so, that you don’t need vast amounts of experience and expertise to run it.

We specifically designed SecurityStudio to fit all the criteria necessary in a best-in-class third-party information security risk management platform. We did so by drawing on more than 100 years of combined information security experience, and at a reasonable price that doesn’t unnecessarily take away from your other competing information security priorities.

I invite you to speak to a SecurityStudio representative about how SecurityStudio will work for you. Schedule a demo too while you’re at it!

As mentioned in Phase 2 – Classification, High and Medium impact third parties need to be assessed for residual risk. Residual risk is another term that isn’t common to all people, so we’ll define it. Residual risk is the amount of risk that remains (residual) after the consideration of controls that are in place and any applicable threats. Residual risk assessments attempt to validate, qualify, and/or quantify risk related to threats and vulnerabilities, using inherent risk as a base input.

The first place to check for residual risk is an assessment that the third party may have already completed; an assessment that is high quality, fits our definitions of “information security” and “risk,” and represents risk. For SecurityStudio, this is the FISASCORE®. The logic is simple: Does the third-party have a current FISASCORE or not?

Current Acceptable FISASCORE

If the third party has a current FISASCORE, then Phase 3 – Risk Assessment is complete for now, and the score is evaluated as part of Phase 4 – Risk Treatment. A threshold for FISASCORE must be set by the organization, and an automated comparison is made.

FISASCORE is calculated on a scale from 300 to 850, with 300 representing an infinite amount of risk and 850 representing no risk at all. Obviously, it’s not possible to have infinite risk or no risk, so all FISASCOREs fall strictly inside that range. Organizations that have not defined a specific threshold will typically accept a default FISASCORE of 660.

If the FISASCORE is acceptable, meaning it meets or exceeds your threshold, then the process is complete for you and the third party. That’s it!

If the FISASCORE is not acceptable, meaning it does not meet your threshold, then the process remains in Phase 3 – Assessment for next steps. An unacceptable FISASCORE follows the same process as not having a FISASCORE at all.

No Current Acceptable FISASCORE

Third parties that do not have a current FISASCORE and third parties that do not have an acceptable FISASCORE will receive a questionnaire that is commensurate with the level of inherent risk they pose to the organization. Third parties that are classified as High receive the High Residual Risk Questionnaire, and third parties that are classified as Medium receive the Medium Residual Risk Questionnaire.

All notifications to third parties are managed by SecurityStudio so that administrators don’t need to track and manage follow-up tasks.

All questionnaires are completed via an authenticated and secure online portal provided to the third-party provider.

High Residual Risk Questionnaire

By default, the High Residual Risk Questionnaire leverages similar criteria* to those used in calculating the FISASCORE. This is important for (at least) five reasons:

  1. Validation of the questionnaire will result in a genuine FISASCORE that can be reused in other applications.
  2. The common set of criteria allows for better comparisons and consistent baselining across all third parties.
  3. Deliverables from the FISASCORE can be used to build the third-party security program and/or identify the greatest areas of concern accompanied by actionable recommendations. The FISASCORE provides value to the third party in this way.
  4. For the most impactful third parties, a FISASCORE can be validated by personnel who are certified by SecurityStudio® to complete validations. This ensures consistency across organizations who use SecurityStudio and FISASCORE.
  5. Validation of the FISASCORE can be done using in-house personnel, through SecurityStudio, or through any of the SecurityStudio partners. Today there are more than a dozen SecurityStudio partner organizations who are certified to perform validations.

Medium Residual Risk Questionnaire

By default, the Medium Residual Risk Questionnaire leverages the same criteria used in the calculation of the FISASCORE Estimator. The FISASCORE Estimator is a freely available assessment provided to anyone online and is also built into SecurityStudio. The important reasons why we’ve chosen to use the same criteria include some of the following:

  1. Any organization, with or without the use of VENDFENSE can get a score that can be leveraged without cost to the third party and be reused for third-party information security risk management if the inherent risk calculation results in a Medium classification.
  2. Ensures consistency within SecurityStudio and all other uses of the FISASCORE Estimator.
  3. The FISASCORE Estimator is an easy, and no-cost introduction to all that FISASCORE is and can be used for.

SecurityStudio FISASCORE

The result of the questionnaire process is a FISASCORE. The score is objective and automatic, and if the third parties are providing accurate and truthful information, the FISASCORE will be a true measurement of information security risk. There are times when you don’t believe that the information provided by the third party is accurate and true. These are times when you might want validation. There are also times when a third party is so critical to the success of your organization that you may want validation too. Regardless of the reason for validation, you are in control.

Now that the third parties have been assessed for residual risk, we move on to Phase 4 – Risk Treatment.

 

*Vulnerability scanning data, crime rate index, and natural threat data are not employed in the High Residual Risk Questionnaire but are used in the full FISASCORE and validated FISASCORE.

Now that you’ve completed your vendor inventory, it’s time to classify them according to the risk they pose to your organization. Third-party classification is about rating your third-party providers according to the amount of inherent risk they present to your organization. The term “inherent risk” isn’t necessarily in everyone’s vocabulary, so let’s explain what it is. Inherent risk is the amount of risk that your vendor poses to your company based strictly on how you intend to use them, before any of the vendor’s security controls are taken into account. It’s a very simple process to classify your third-party providers according to inherent risk.  The point in doing this is to make sure we only spend your valuable time, and the valuable time belonging to your partners, on the risks that really matter.

Inherent Risk Questionnaire

The classification process starts with the Inherent Risk Questionnaire. This is a simple questionnaire that is completed by the person within your organization who is responsible for the third-party relationship.  This is usually the person who relies on the third party to complete certain tasks on behalf of your organization, or it’s the person who arranged for using the third party in the first place.

The questionnaire is very simple and straightforward, consisting of less than 10 questions.

VENDFENSE is very flexible and meant for all organizations. We pre-populate the system with default inherent risk questions to include in the Inherent Risk Questionnaire; however, we can also include custom questions.

Classification

Third-party providers are classified according to the inherent risk they pose to your organization. The classification is automatic, based on objective criteria defined and built into the SecurityStudio Classification Scoring System. The responses provided in the Inherent Risk Questionnaire lead to a classification of High, Medium, or Low. You could choose different words or different classifications, depending on your needs. The point is that the classification criteria should be objective and represent inherent risk, and that the classification levels you choose should be simple and logical.

A very important reason for classifying vendors according to inherent risk is to support the reasoning that not all vendors should be subjected to the same level of scrutiny because not all vendors pose the same amount of inherent risk.

High and Medium Impact

High and Medium impact (or inherent risk) third parties require additional review.  The third parties that were classified as High or Medium impact are moved into processing at Phase 3 – Third-Party Risk Assessment.

Low Impact

Low impact third parties are not a significant concern for most organizations. The processing of Low impact third parties is complete once they are classified. Low impact third parties are usually not reviewed again until the next cycle (quarterly, semi-annual, annual, etc.).

In some cases, the percentage of third parties who are Low impact risk is as high as 80%. This is important to note. If an organization works with 1,000 third parties, as many as 800 (or more) of these third parties don’t need any further review beyond the initial inherent risk classification. This also means that there are 800 fewer questionnaires to keep track of and 800 fewer third parties that we need to secure. Also important is the fact that we have demonstrated our due diligence by ensuring that all third parties were classified according to objective criteria.
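As an added illustration of the classification step (this is example code, not SecurityStudio’s Classification Scoring System, whose actual questions and criteria are not published here), the following Python scores a short yes/no inherent risk questionnaire objectively and routes each third party either to Phase 3 assessment (High or Medium) or to the next review cycle (Low). The question ids, weights, thresholds and vendor names are constructed assumptions; a blank answer is deliberately scored as “yes” so an incomplete questionnaire can never lower a vendor’s class.

```python
"""Classify third parties by inherent risk from a short yes/no questionnaire."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Impact(str, Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


# Constructed questionnaire (assumption): question id -> weight added when the
# answer is "yes". These are not SecurityStudio's questions or weights.
INHERENT_RISK_QUESTIONS: Dict[str, int] = {
    "handles_sensitive_data": 5,  # stores or processes regulated/confidential data
    "network_access": 4,          # remote or on-site access to our network
    "business_critical": 4,       # an outage would halt a core business process
    "hosts_system": 3,            # hosts a system our staff rely on
    "physical_access": 2,         # badge or escorted access to our facilities
    "customer_facing": 2,         # deals with our customers on our behalf
}
MAX_SCORE = sum(INHERENT_RISK_QUESTIONS.values())  # 20

# Assumed thresholds on the total score; tune to your own risk appetite.
HIGH_THRESHOLD = 9
MEDIUM_THRESHOLD = 4


@dataclass
class Classification:
    vendor: str
    score: int
    impact: Impact
    unanswered: List[str]  # questions left blank, counted as "yes"


def score_answers(answers: Dict[str, bool]) -> Tuple[int, List[str]]:
    """Sum the weights of "yes" answers; a blank answer is scored as "yes"."""
    unknown = set(answers) - set(INHERENT_RISK_QUESTIONS)
    if unknown:
        raise ValueError(f"unknown question(s): {sorted(unknown)}")
    score, unanswered = 0, []
    for question, weight in INHERENT_RISK_QUESTIONS.items():
        if question not in answers:
            unanswered.append(question)
            score += weight  # conservative: a missing answer cannot lower the class
        elif answers[question]:
            score += weight
    return score, unanswered


def impact_for_score(score: int) -> Impact:
    if score >= HIGH_THRESHOLD:
        return Impact.HIGH
    if score >= MEDIUM_THRESHOLD:
        return Impact.MEDIUM
    return Impact.LOW


def classify_vendor(name: str, answers: Dict[str, bool]) -> Classification:
    score, unanswered = score_answers(answers)
    return Classification(name, score, impact_for_score(score), unanswered)


def route_vendors(questionnaires: Dict[str, Dict[str, bool]]) -> Dict[str, List[Classification]]:
    """High/Medium go to Phase 3 assessment; Low waits for the next cycle.
    Every vendor gets a record either way, which is the due-diligence trail."""
    routed: Dict[str, List[Classification]] = {"assessment": [], "next_cycle": []}
    for name, answers in questionnaires.items():
        result = classify_vendor(name, answers)
        bucket = "next_cycle" if result.impact is Impact.LOW else "assessment"
        routed[bucket].append(result)
    return routed


# Constructed sample questionnaires (assumption); vendor names are made up.
SAMPLE_QUESTIONNAIRES: Dict[str, Dict[str, bool]] = {
    "Payroll SaaS": {"handles_sensitive_data": True, "network_access": False, "business_critical": True,
                     "hosts_system": True, "physical_access": False, "customer_facing": False},
    "Internet Service Provider": {"handles_sensitive_data": False, "network_access": False, "business_critical": True,
                                  "hosts_system": False, "physical_access": False, "customer_facing": False},
    "Office Cleaning": {"handles_sensitive_data": False, "network_access": False, "business_critical": False,
                        "hosts_system": False, "physical_access": True, "customer_facing": False},
    "Print Shop": {q: False for q in INHERENT_RISK_QUESTIONS},
    # Incomplete questionnaire: only one question answered.
    "Temp Staffing Agency": {"handles_sensitive_data": False},
}


if __name__ == "__main__":
    for bucket, rows in route_vendors(SAMPLE_QUESTIONNAIRES).items():
        print(bucket)
        for row in rows:
            print(f"  {row.vendor:28} {row.score:2}/{MAX_SCORE}  {row.impact.value:6}  unanswered={row.unanswered}")
```

The `Classification` records for every vendor, Low ones included, are what you keep as evidence that all third parties were classified against the same objective criteria; the `unanswered` field makes it visible when a relationship owner skipped questions rather than silently letting the vendor land in a lower class.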

Once the Classification step is complete, you’re ready to start Phase 3 – Assessment.

In the simplest sense, a good vendor risk management program is made up of four phases: Inventory, Classification, Assessment and Treatment. These four phases make up a well-designed third-party information security risk management program.

Phase 1 – Vendor Inventory

We can’t effectively protect the things we don’t know we have from the things we don’t know about. Every third party that the organization does business with must be included in the third-party inventory. It’s not that every third party poses a significant risk; it’s that we must show our due diligence regardless.

Everything starts with third-party inventory. The inventory of third-party providers is what feeds the SecurityStudio system. The purpose of the inventory phase is to get all your third parties into the system and ensure that your third-party inventory remains current.

The bulk of the work comes during implementation. After the system is set up and running, you rarely make any significant changes. Occasionally, you may decide to audit the third-party inventory by comparing the list of third parties maintained within SecurityStudio with the list of third parties maintained in other areas of the business. After the initial system setup, the inventory can be easily audited on an ongoing basis.

There are two parts to vendor inventory if you’re just getting started: the initial inventory and the onboarding process. Once you’re up and running, you will mostly focus on third-party onboarding.

Vendor Inventory

Most organizations don’t know who all their third-party providers are, and the place to start building your third-party inventory is your finance department. The theory is that if you have a third-party provider, you must be paying for them somehow. Initially, there are three places to look for third-party providers for your inventory:

  • Third-party providers who are sending you invoices.
  • Third-party providers who are being paid with a corporate credit card.
  • Third-party providers who are paid by an employee who is being reimbursed for the expense.
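An added example, not part of the original post and not SecurityStudio’s product code, of the finance-driven inventory build just described and of the ongoing inventory audit mentioned earlier (comparing the VRM list with lists held elsewhere in the business): three constructed finance exports (invoices, corporate card, employee reimbursements) are merged into one de-duplicated inventory, then compared with the names already in the VRM tool. The CSV column names, the corporate-suffix list and every vendor name are assumptions.

```python
"""Build a third-party inventory from finance exports and audit it against the VRM list."""
import csv
import io
import re
from typing import Dict, List

# Constructed sample exports (assumption, not real finance data).
INVOICES_CSV = """vendor,invoice_id,amount
Acme Cloud Services Inc.,INV-1001,1200.00
acme cloud services,INV-1002,1200.00
Brightline Printing LLC,INV-2001,340.50
"""

CARD_CSV = """merchant,card_last4,amount
ACME CLOUD SERVICES,4421,99.00
Zoomy Video Co,4421,15.00
"""

REIMBURSEMENTS_CSV = """employee,payee,amount
j.doe,Zoomy Video Co.,15.00
a.lee,Stacks Analytics,250.00
"""

# Corporate suffixes ignored when matching the same vendor across sources (assumption).
SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "co", "corp", "corporation", "company"}


def normalize_name(name: str) -> str:
    """Lower-case, keep alphanumeric tokens, drop trailing corporate suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def read_rows(csv_text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_inventory(invoices: List[Dict[str, str]], card: List[Dict[str, str]],
                    reimbursements: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Merge the three finance sources into one inventory keyed by normalized name."""
    inventory: Dict[str, Dict] = {}
    feeds = (
        ("invoices", invoices, "vendor"),
        ("corporate_card", card, "merchant"),
        ("reimbursement", reimbursements, "payee"),
    )
    for source, rows, column in feeds:
        for row in rows:
            key = normalize_name(row[column])
            if not key:
                continue  # blank or punctuation-only payee; nothing to inventory
            entry = inventory.setdefault(
                key, {"display_name": row[column].strip(), "sources": set(), "transactions": 0})
            entry["sources"].add(source)
            entry["transactions"] += 1
    return inventory


def audit_inventory(discovered: Dict[str, Dict], vrm_names: List[str]) -> Dict[str, List[str]]:
    """Compare finance-discovered vendors with the names already held in the VRM tool.

    missing_from_vrm: someone is paying them but they were never onboarded.
    not_seen_in_finance: in the VRM list but no spend; possibly stale or paid another way.
    """
    vrm_keys = {normalize_name(n) for n in vrm_names}
    return {
        "missing_from_vrm": sorted(k for k in discovered if k not in vrm_keys),
        "not_seen_in_finance": sorted(vrm_keys - set(discovered)),
    }


def run_sample() -> Dict[str, List[str]]:
    inventory = build_inventory(read_rows(INVOICES_CSV), read_rows(CARD_CSV), read_rows(REIMBURSEMENTS_CSV))
    existing_vrm_list = ["Acme Cloud Services", "Brightline Printing LLC", "Old Vendor Co"]  # constructed
    return audit_inventory(inventory, existing_vrm_list)


if __name__ == "__main__":
    inv = build_inventory(read_rows(INVOICES_CSV), read_rows(CARD_CSV), read_rows(REIMBURSEMENTS_CSV))
    for key, entry in sorted(inv.items()):
        print(f"{entry['display_name']:26} sources={sorted(entry['sources'])} transactions={entry['transactions']}")
    print(run_sample())
```

The name normalization is a heuristic: it reconciles “Acme Cloud Services Inc.”, “acme cloud services” and “ACME CLOUD SERVICES” into one vendor, but it will also strip a legitimate trailing word such as “Co”, so matches should be confirmed by a person before a new vendor is onboarded or an existing one is retired. Running this audit each cycle is the ongoing inventory check the post describes.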

Vendor Onboarding

Onboarding is focused on ensuring that all new third-party providers are accounted for in the vendor risk management program before they begin providing their product or service. Uploading third parties into the SecurityStudio system is a snap. You can either upload them one at a time or do a mass upload using a spreadsheet. Employees and finance personnel can enter new vendor information directly into SecurityStudio or we can link to an existing intranet site that you already have set up.

Once the Inventory and Onboarding steps are complete, you’re ready to start Phase 2 – Vendor Classification.

The topic of vendor risk management (VRM) is on the lips of nearly every CISO, IT Director, CTO/CIO and business owner in the country, and with good reason. Security breaches have reached near epidemic proportions and businesses don’t need to just worry about data being stolen. The real issue is what happens after the breach occurs when regulators, lawyers, and your own customers come after your business, trying to determine who is at fault for the breach.

Using third-party vendors adds another layer of complexity to finding the source of the breach, but even though it may have been the fault of the vendor, your business could still be liable. It’s critical to both track and monitor all vendors with a good VRM program and also classify them as low, medium or high risk so you can focus on those vendors that pose the most risk to your business. This business-critical process can help keep you out of hot water in the event of a third-party breach, but how do you know if your business is ready for a VRM program?

Use our quick guide below to determine if you should invest in a VRM program:

For a free demo of SecurityStudio, the vendor risk management tool that can help your business become simplified, standardized, and defensible, sign up.

Despite vendor-caused breaches being common, organizations still struggle to handle vendor risk management practices properly. We can use organizations who have experienced vendor breaches to improve our own information security programs and strategies. Here is how the Target breach from 2013 can provide a roadmap for your organization.