What is third-party information security risk management?
Third-party information security risk management (“TPISRM” or vendor risk management for short) is a critical component for ALL information security programs. You cannot adequately account for information security risk without also accounting for TPISRM.


TPISRM isn’t new. Some organizations have been doing it for a long time. Mostly larger companies (with adequate resources) driven by compliance requirements. In the early 2000s, I worked on TPISRM for a few Fortune 500 companies and saw first-hand how things were done.

In 2013, TPISRM took center stage when Target Corporation became aware of a significant data breach involving one of their third-party providers (Fazio Mechanical). This was one of the most publicized cybersecurity breaches of all time because of the timing (holiday season), the number of people affected (110 million+), and the fact that Target is one of the largest retailers in the world.

One of the many lawsuits that stemmed from the Target breach was a derivative action where shareholders filed suit against Target’s board of directors, essentially Target suing Target. When this happens, the court appoints a special litigation committee (SLC), and this is where I fit in again. I was retained by the SLC to assist and consult them[1] [2]. What does this have to do with TPISRM? A lot! Vendor risk management program (or lack thereof) played a critical role in the breach.

Unfortunately, not enough has changed since then:

  • 66% of security professionals think that it’s possible or definite that they suffered a breach through third-party access[3]
  • Roughly 61% (just shy of two-thirds) of U.S. companies have experienced a data breach caused by a third-party.[4]
  • Third-party breaches and security incidents are more costly than ever, especially for smaller organizations.[5]
  • Only 52% of the companies in the United States have security standards for third-parties.[6]

TPISRM is more important than it’s ever been, and if you’re waiting for someone else to make you do it, it will be too late. Whatever you do, don’t half-ass this.

Three things before we jump into the “must-haves”:

  1. TPISRM can be done right and inexpensively, even in smaller organizations.
  2. You must engage in TPISRM, either now or later. “Now” hurts less.
  3. If you’re going to do TPISRM (which you’d better), make sure you do it right.


Quick SecurityStudio Introduction

SecurityStudio (or S2) is a community and mission-driven information security solutions company dedicated to simplifying information security management and compliance. We help people and organizations in all industries (public and private) master information security fundamentals by providing practical tools on our best-in-class SaaS platform and through our trusted service partners.

The S2 platform is the premier risk and digital safety assessment tool in the world. Driven through our easy-to-use interface, information security risks can be assessed and managed for individuals (consumers and employees/personnel), the organizations they work for (public and private sector), and their vendors. With more than 3,000 assessments completed, our platform has been proven to be successful in simplifying and improving information security for hundreds of thousands of people.

Our tools:

In this document, we’ll discuss things related to S2Score, S2Org, and S2Vendor, but don’t worry, I won’t get salesy. I want you to get value from reading this more than I want to sell you something.

Alright, the seven “must-haves” for TPRISM.

7 Must-Haves for Effective Third-Party Information Security Risk Management

Must-Have #1 – Adequate Coverage

Your TPISRM MUST account for administrative, physical, and technical risk.

The most tempting place in TPISRM to take shortcuts is to treat it like it’s a technical or IT issue. DON’T! It’s not! It’s a business issue and to treat it as anything else will be done at your own peril.

Effective TPISRM practices MUST account for administrative, physical and technical risks. Isn’t it easier (and more likely) for an attacker to go through a secretary (or another person) than it is to go through a firewall, and who cares about a firewall when an attacker can just steal the server? This is truth. I know it. You know it. Certainly, attackers know it too.

Technical controls are part of TPISRM. Technical controls are not TPISRM in its entirety. Slight, but significant difference. Scans are good, but they won’t tell you squat about a third-party’s employee training program, asset management practices, onboarding/offboarding processes, access control procedures, server room security, etc., etc.


Must-Have #2 – Automated Workflows

Using manual processes with spreadsheets and calendars is error-prone, costly, and ineffective.

The only people who claim spreadsheets are the way to do TPISRM have either never done TPISRM or they’re stuck in the dark ages (“this is the way we’ve always done it”). Not only is using spreadsheets a pain in the butt, it’s expensive and ineffective.

There’s a much better way! Use an automated workflow where TPISRM processes (inventory, classification, assessment, remediation, etc.) are programmatic. If you’ve got money to waste, you could build your own automated workflow tool, but a better choice is probably using a commercial tool. Automated workflows ensure that everything is tidy and easy to manage. If you’re handling any more than one or two third-party relationships, an automated workflow is a must.

Another fact; there is a demonstrable ROI in using an automated workflow versus using manual processes.


MUST-HAVE #3 – Distributed Workloads

No single person knows enough about all vendor relationships to be effective.

The wrong way to handle TPISRM is to name a “TPIRSM Manager” or “Vendor Risk Manager” and leave everything to them. It’s unlikely that this person engaged the third-party in the first place, understands how the organization uses the third-party, and/or maintains the relationship with the third-party.

For each third-party relationship, there’s someone who’s responsible for the relationship. We sometimes call this person the “relationship manager”. These people must be involved in the TPISRM process. The best place for this person/group to be inserted into the TPISRM process is usually:

  • Third-party inventory management – validating that the third-party is still engaged by the organization.
  • Vendor contact maintenance – validating that the third-party’s contact information is valid.
  • Inherent risk determination (or classification) – validating how the organization uses the third-party, including the nature of the products or services provided.

If you’ve addressed the first two “must-haves” in our list, ensure that the tool you use will enable or facilitate participation from other people and groups. A shared workload makes everything better.


MUST-HAVE #4 – Quantification

It’s easier to defend a process or system than it is to defend your judgment.

Regardless of how good you get at TPISRM, a bad thing (breach, disruption, or whatever) will eventually happen. No matter what you do, you cannot prevent all bad things from happening, but that’s not the point anyway. Risk elimination is impossible. Risk management IS possible, and it’s the objective.

The truth is, at some point you’ll need to defend your TPISRM program from someone, and they’ll probably question your judgement. It might be the board of directors, a regulator, a customer, or (God-forbid) opposing legal counsel. Somebody, somewhere, is going to question what you’re doing.

Quantification helps take your judgement out of the equation, and quantification comes through measurement. Quantification allows you to make comparisons between third-parties and set thresholds of acceptable risk. Setting a threshold of acceptable risk is easier to defend because you hold all third-parties to the same standard. One-off and arbitrary decision-making will be much harder to defend.

I have trouble remembering what I did last weekend let alone a decision I made in February of last year.

Adding to defensibility is using a tool, process, and/or risk threshold that’s used by others. There’s (some) safety in the herd.


MUST-HAVE #5 – Objectivity

Binary (1 or 0) decisions are more efficient, easier to defend, and scorable.

Which question is more efficient, easier to defend, and scorable:

  • Tell me about your information security program? OR
  • Do you have a documented information security program?

How about these:

  • How do you train your employees? OR
  • Do you train your employees?

Binary (1 or 0, “yes” or “no”, etc.) questions are objective and create a much better measurement/quantification than do subjective, open-ended questions. The downside to objective questions is the to ask more of them. Once someone answers “Do you train your employees?”, we’ll need to ask more binary questions about the training.

Using objective criteria will also reduce the need for interpretation where two people can look at the same subjective/open-ended response and interpret in completely opposite ways. Subjectivity steals the efficiency and defensibility out of our TPISRM program.


MUST-HAVE #6 – Inventory Management

Garbage in, garbage out.

The entire TPISRM process starts with your inventory of third-party relationships. It’s the first step. There’s the initial inventory and ongoing inventory management.

Build your initial inventory by checking who you’re paying, either through invoices, credit card payments, or employee reimbursements. Chances are good that you’re paying your third-parties in some manner, so Accounts Payable (or similar) is a great place to start.

In order to keep your inventory current, the “ongoing inventory”, you’ll need to determine how important it is for you to maintain a live inventory or if a periodic third-party inventory reconciliation is good enough. The answer should be a function of the churn in your third-party relationships. If third-parties come and go often, then there’s more justification for the live inventory approach. In a live third-party inventory scenario, you’ll need to make sure your third-party engagement/procurement/enrollment process is tightly-integrated with your TPISRM processes. Maybe you don’t pay any third-party until they’ve been assessed for cyber risk.

Periodic reconciliation consists of validating your inventory periodically, maybe on an annual basis.

A good TISRM tool accounts for all the “must-haves” here, including assistance with third-party inventory management. Entering third-party information one-by-one is fine but becomes a real pain when you have many third-parties to enter. A great feature is the ability to upload third-party information in bulk and a potential integration through APIs with other enterprise systems.


Must-Have #7 – Simplified Processes

Complexity is the enemy of information security.

Your TPISRM process shouldn’t consist of any more than four primary steps. If it’s more than four steps, you might be making this harder on yourself. The four steps are Inventory, Classification, Assessment, and Decision-Making. That’s it.

In some cases, you may need to repeat steps, but it’s still only four steps. For instance, you may decide (Decision-Making) that the risk posed by a third-party is unacceptable. In this case, you could decide to remediate, which will then lead back into the Assessment step.


BONUS: Third-Party Risk Assessment/Questionnaire Re-Use

Everybody hates filling out dumb questionnaires.

I have yet to meet anyone who enjoys filling out TPISRM questionnaires from their customers. If I did, I’d question their sanity. Filling out questionnaires is a waste of time. There are three ways we can make this more enjoyable and usable for everyone.

  1. What if we made the questionnaire into an organization’s information security risk assessment?
  2. What if an organization’s own/internal information security risk assessment could be used in lieu of a questionnaire?
  3. What if we reused a questionnaire that a third-party completed for someone else?

Yes, yes, and yes please!

On the SecurityStudio platform we’ve developed two effective, best practice, and simple tools to enable all the “must-haves” in this document, and significantly reduce wasted time, effort, and money for your third-party friends. By reusing assessments and questionnaires, you’ll get better results in your TPISRM efforts and your third-parties will sincerely appreciate having to do less work!

The tools are S2Vendor and S2Org.

S2Vendor is our best-in-class TPISRM tool for organizations of all shapes and sizes. S2Org is the best organizational information security risk management tool for vendor performance regarding security anywhere. Combined, there are no other solutions that compare!

Let’s demonstrate how these tools work together.

  1. A third-party who completes an S2Vendor questionnaire can use the same information to manage their information security program with a simple click of a button. The click of the button imports their responses into their own (private) S2Org portal where they can track results, print reports, create a roadmap (risk treatment plan), manage the roadmap, and much more! Not only can the third-party use this information to improve their security program in a measurable way, but they’re also more inclined to provide truthful answers to you as their customer.
  2. There are more than 3,000 organizations who already use the SecurityStudio platform and S2Org for information security risk assessments and management. Rather than having to complete another tedious questionnaire, an S2Org user can just choose to share their assessment (or resulting S2Score) with the S2Vendor user (you).
  3. If an S2Vendor third-party risk assessment has already been completed on behalf of a vendor by someone else, rather than completing another assessment, you can allow them to confirm and reuse one that they’ve already completed. This saves you the headache of dealing with pushback and saves your third-party vendors a lot of time.

In Closing

There you have it. If you want to build a TPISRM practice/program the right way, these are seven things that you must have. Short cuts, manual processes, bottlenecks, subjectivity, gaps, and complexity must all be accounted for and taken out of the equation. If you’re into these things, well, that’s too bad. They’ll eventually come back to haunt you.

All the best.
Evan Francen CEO


Estimate your score or book free demo today

As mentioned in Phase 2 – Classification, High and Medium impact third parties need to be assessed for residual risk. Residual risk is another term that isn’t common to all people, so we’ll define it. Residual risk is the amount of risk that remains (residual) after the consideration of controls that are in place and any applicable threats. Residual risk assessments attempt to validate, qualify, and/or quantify risk related to threats and vulnerabilities, using inherent risk as a base input.

The first place to check for residual risk is an assessment that the third party may have already completed; an assessment that is high quality, fits our definitions of “information security” and “risk,” and represents risk. For SecurityStudio, this is the S2SCORE. The logic is simple: Does the third-party have a current S2SCORE or not?

Current Acceptable S2SCORE

If the third party has a current S2SCORE, then Phase 3 – Risk Assessment is complete for now, and the score is evaluated as part of Phase 4 – Risk Treatment. A threshold for S2SCORE must be set by the organization, and an automated comparison is made.

S2SCORE is calculated on a scale between 300 – 850, with 300 representing an infinite amount of risk and 850 representing no risk at all. Obviously, it’s not possible to have infinite risk or no risk, so all S2SCOREs fall between the range. Organizations that have not defined a specific threshold will typically accept a default S2SCORE of 660.

If the S2SCORE is acceptable, meaning it meets or exceeds your threshold, then the process is complete for you and the third party. That’s it!

If the S2SCORE is not acceptable, meaning it does not meet your threshold, then the process remains in Phase 3 – Assessment for next steps. An unacceptable S2SCORE follows the same process as not having a S2SCORE at all.

No Current Acceptable S2SCORE

Third parties that do not have a current S2SCORE and third parties that do not have an acceptable S2SCORE will receive a questionnaire that is commensurate with the level of inherent risk they pose to the organization. Third parties that are classified as High receive the High Residual Risk Questionnaire, and third parties that are classified as Medium receive the Medium Residual Risk Questionnaire.

All notifications to third parties are managed by SecurityStudio so that administrators don’t need to track and manage follow-up tasks.

All questionnaires are completed via an authenticated and secure online portal provided to the third-party provider.

High Residual Risk Questionnaire

By default, the High Residual Risk Questionnaire leverages simliar criteria* used in calculating the S2SCORE. This is important for (at least) five reasons:

  1. Validation of the questionnaire will result in a genuine S2SCORE that can be reused in other applications.
  2. The common set of criteria allows for better comparisons and consistent baselining across all third parties.
  3. Deliverables from the S2SCORE can be used to build the third-party security program and/or identify the greatest areas of concern accompanied by actionable recommendations. The S2SCORE provides value to the third party in this way.
  4. For the most impactful third parties, a S2SCORE can be validated by personnel who are certified by SecurityStudio® to complete validations. This ensures consistency across organizations who use SecurityStudio and S2SCORE.
  5. Validation of the S2SCORE can be done using in-house personnel, through SecurityStudio, or through any of the SecurityStudio partners. Today there are more than a dozen SecurityStudio partner organizations who are certified to perform validations.

Medium Residual Risk Questionnaire

By default, the Medium Residual Risk Questionnaire leverages the same criteria used in the calculation of the S2SCORE Estimator. The S2SCORE Estimator is a freely available assessment provided to anyone online and is also built into SecurityStudio. The important reasons why we’ve chosen to use the same criteria include some of the following:

  1. Any organization, with or without the use of VENDFENSE can get a score that can be leveraged without cost to the third party and be reused for third-party information security risk management if the inherent risk calculation results in a Medium classification.
  2. Ensures consistency within SecurityStudio and all other uses of the S2SCORE Estimator.
  3. The S2SCORE Estimator is an easy, and no-cost introduction to all that S2SCORE is and can be used for.

SecurityStudio S2SCORE

The result of the questionnaire process is a S2SCORE. The score is objective and automatic, and if the third parties are providing accurate and truthful information, the S2SCORE will be a true measurement of information security risk. There are times when you don’t believe that the information provided by the third party is accurate and true. These are times when you might want validation. There are also times when a third party is so critical to the success of your organization that you may want validation too. Regardless of the reason for validation, you are in control.

Now that the third parties have been assessed for residual risk, we move on to Phase 4 of VRM– Risk Treatment.

*Vulnerability scanning data, crime rate index, and natural threat data is not employed in the High Residual Risk Questionnaire but is used in the full S2SCORE and validated S2SCORE.



Estimate your score or book free demo today

Now that you’ve completed your vendor inventory, it’s time to classify them according to the risk they pose on your organization. Third-party classification is about rating your third-party providers according to the amount of inherent risk they present to your organization. The term”inherent risk” isn’t necessarily in everyone’s vocabulary, so let’s explain what it is. Inherent risk is the amount of risk that your vendor poses to your company based strictly on how you intend to use them. It’s a very simple process to classify your third-party providers according to inherent risk.  The point in doing this is to make sure we only spend your valuable time, and the valuable time belonging to your partners, on the risks that really matter.

Inherent Risk Questionnaire

The classification process starts with the Inherent Risk Questionnaire. This is a simple questionnaire that is completed by the person within your organization who is responsible for the third-party relationship.  This is usually the person who relies on the third party to complete certain tasks on behalf of your organization, or it’s the person who arranged for using the third party in the first place.

The questionnaire is very simple and straightforward, consisting of less than 10 questions.

VENDFENSE is very flexible and meant for all organizations. We pre-populate the system with default inherent risk questions to include in the Inherent Risk Questionnaire; however, we can also include custom questions.


Third-party providers are classified according to the inherent risk they pose to your organization. The classification is automatic, based on objective criteria defined and built into the SecurityStudio Classification Scoring System. The responses provided in the Inherent Risk Questionnaire lead to a classification of High, Medium, or Low. You could choose different words or different classifications, depending on your needs. The point is that the classification criteria should be objective, be a representation of inherent risk, and the classification levels you choose should be simple and logical.

A very important reason for classifying vendors according to inherent risk is to support the reasoning that not all vendors should be subjected to the same level of scrutiny because not all vendors pose the same amount of inherent risk.

High and Medium Impact

High and Medium impact (or inherent risk) third parties require additional review.  The third parties that were classified as High or Medium impact are moved into processing at Phase 3 – Third-Party Risk Assessment.

Low Impact

Low impact third parties are not a significant concern for most organizations. The processing of Low impact third parties is done after the classification. Low impact third parties are usually not reviewed again until the next cycle (quarter, semi-annual, annual, etc.)

In some cases, the percentage of third parties who are Low impact risk is as high as 80%. This is important to note. If an organization has 1,000 third parties that they work with, as many as 800 (or more) of these third-parties don’t need any further review beyond the initial inherent risk classification. This also means that there are 800 less questionnaires to keep track of and 800 less third parties that we need to secure.  Also important is the fact that we have demonstrated our due diligence by ensuring that all third parties were classified according to objective criteria.

Once the Classification step is complete, you’re ready to start  Phase 3 of VRM – Assessment.



Estimate your score or book free demo today

In the simplest sense, a good vendor risk management program is made up of four phases: Inventory, Classification, Assessment and Treatment. These four phases make up a well-designed third-party information security risk management program.

Phase 1 – Vendor Inventory


Everything starts with third-party inventory. The inventory of third-party providers is what feeds the SecurityStudio system. The purpose of the inventory phase is to get all your third parties into the system and ensure that your third-party inventory remains current.

The bulk of the work comes during implementation. After the system is set up and running, you rarely make any significant changes. Occasionally, you may decide to audit the third-party inventory by comparing the list of third parties maintained within SecurityStudio with the list of third parties maintained in other areas of the business. After the initial system setup, the inventory can be easily audited on an ongoing basis.

There are two parts to vendor inventory if you’re just getting started: the initial inventory and the onboarding process. Once you’re up and running, you will mostly focus on third-party onboarding.

Vendor Inventory

Most organizations don’t know who all their third-party providers are, and the place to start building your third-party inventory is through your finance department. The theory is that if you have a third-party provider, you must be paying for them somehow. There are three places to look for third-party providers initially for your inventory:

  • Third-party providers who are sending you invoices
  • Third-party providers who are being paid with a corporate credit card
  • Third-party providers who are paid by an employee who is being reimbursed for the expense.

Vendor Onboarding

Onboarding is focused on ensuring that all new third-party providers are accounted for in the vendor risk management program before they begin providing their product or service. Uploading third parties into the SecurityStudio system is a snap. You can either upload them one at a time or do a mass upload using a spreadsheet. Employees and finance personnel can enter new vendor information directly into SecurityStudio or we can link to an existing intranet site that you already have set up.

Once the Inventory and Onboarding steps are complete, you’re ready to start  Phase 2 of VRM – Vendor Classification.



Estimate your score or book free demo today

The topic of vendor risk management (VRM) is on the lips of nearly every CISO, IT Director, CTO/CIO and business owner in the country, and with good reason. Security breaches have reached near epidemic proportions and businesses don’t need to just worry about data being stolen. The real issue is what happens after the breach occurs when regulators, lawyers, and your own customers come after your business, trying to determine who is at fault for the breach.

Using third-party vendors adds another layer of complexity to finding the source of the breach, but even though it may have been the fault of the vendor, your business could still be liable. It’s critical to both track and monitor all vendors with a good VRM program and also classify them as low, medium or high risk so you can focus on those vendors that pose the most risk to your business. This business-critical process can help keep you out of hot water in the event of a third-party breach, but how do you know if your business is ready for a VRM program?

Use our quick guide below to determine if you should invest in a VRM program:

For a free demo of SecurityStudio, the vendor risk management tool that can help your business become simplified, standardized, and defensible, sign up.



Estimate your score or book free demo today

Despite vendor-caused breaches being common, organizations still struggle to handle vendor risk management practices properly. We can use organizations who have experienced vendor breaches to improve our own information security programs and strategies. Here is how the Target breach from 2013 can provide a roadmap for your organization.

Vendor security risk management is not easy. It’s often a monotonous combination of spreadsheets, questionnaires, following up with people, and uncertainty. It’s often frustratingly tedious, and it can actually cause otherwise strong information security programs to falter. The best relief is to take a three-step approach to vendor risk management. Simplify. Standardize. Defend.


Managing information security risk amongst a population of vendors and third-parties is a complex problem for most organizations, and therefore most organizations either don’t manage vendor information security risk management at all, or they don’t do it well.

Don’t Manage Vendor Information Security Risk at All

There are five common reasons why organizations don’t manage vendor information security risk:

  • They don’t have enough confidence in their own information security program.
  • They don’t have experience managing vendor information security risk; where to start or what it’s supposed to look like.
  • They don’t know what questions or things that they should inquire about.
  • They don’t know who all their vendors are.
  • They have other priorities, and don’t get the time to tackle vendor information security risk management.

Question: Why don’t you do vendor information security risk management?

Don’t Manage Vendor Information Security Well

There are five common reasons why organizations don’t manage vendor information security well:

  • Their vendor information security risk management program is incomplete; missing vendors, missing parts of information security, incomplete questionnaires, no scoring/comparison, shortcut inherent risk and/or residual risk, etc.
  • The vendor information security risk management program is painful to manage.
  • The vendor information security risk management is program is disorganized.
  • The vendor information security risk management program relies too much on subjectivity or opinion.
  • They’re just doing something for the sake of doing something. There’s no commitment to doing it right.

Question: What pains do you experience, or what concerns do you have about your vendor information security risk management approach?


A vendor information security risk management program must be repeatable and standardized. Standardization enables the other two important features (Simplify and Defend). You need to be doing vendor information security risk management first to truly appreciate the value in standardization. A lack of standardization leads to run-away complexity and a program that is not defensible (against litigation, inquiry from regulators, etc.).


Defense comes in two forms:

  • Defense against the breach risk posed by your vendors
  • Defense against the lawyers, regulators, and angry customers if or when a breach occurs.

Defense from Vendors

We know that no matter what we do, we cannot possibly prevent all breaches from occurring. So, where are breaches most likely to occur?  According to a recent study conducted by Soha Systems, 63% of all breaches are attributed to a vendor, directly or indirectly. * It’s hard to deny the fact that a breach occurring through a vendor is one of the most likely breach events. There’s no excuse for ignoring the risks posed by vendors or taking a half-hearted approach to vendor risk.

There are five common mistakes organizations make in assessing risk related to vendors:

  • Vendor information security risk management is primarily done to meet a regulatory requirement or to “check the box.”
  • Shortcut solutions are implemented to assess and manage information security vendor risk.
  • The logic behind the vendor information security risk decisions is not tied to how risk works (inherent risk or residual risk).
  • Vendor information security risks are accepted without a clear understanding of the risks or the most effective methods of remediation.
  • High (inherent) risk vendor responses are not adequately validated.

Question: Where are there gaps in your vendor information security risk management program?

Defense from the Crowd

We already know that the most likely source of a breach is through a vendor. Even if we do everything that we can to reduce this risk, some risk will remain. When a breach inevitably happens, we need a defense against a whole new breed of attackers. Lawyers, regulators, public opinion, and our own customers become our attackers. They want answers and they want retribution.

Our defense becomes something called due care. Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.

Nobody expects perfection, but everyone should expect due care. Due care is where defensibility lives, and it’s imperative in our vendor information security risk management program. The question becomes, what would an ordinarily prudent or reasonable party do if they knew a vendor breach was eventual? Not accounting for vendor information security risk is indefensible.

For organizations with vendor information security risk management programs, here are some of the most common reasons why they could be less defensible:

  • Vendor information security risk decisions are subjective— or opinion-based.
  • Seemingly obvious information security risks are not adequately considered.
  • The personnel making risk decisions are not qualified to do so.
  • Roles and responsibilities for vendor information security risk management are not shared amongst qualified groups or are not formally defined at all.
  • The methodology used for vendor information security risk management is not shared by a group outside of your organization, or it is shared by a small group or organizations.

Question: Where is your vendor information security risk management program defensible, and where is it not?


SecurityStudio is the most comprehensive solution to simplify, standardize, and defend. It’s a vendor information security management solution that was built by former vendor risk managers who have walked the walk.

To learn more about how a solution like SecurityStudio can help your vendor information security risk management processes, schedule a demo.



Estimate your score or book free demo today

Most people are relatively aware of the Health Insurance Portability and Accountability Act (HIPAA). It was created to make sure that medical records of patients remain safe, and that the medical providers accessing them are doing their best to ensure that’s the case. When most people think of HIPAA, they often go right to medical providers and hospitals. It’s important to understand that dental providers are also expected to adhere to HIPAA requirements. However, being HIPAA compliant poses challenges for dental providers. Here are some of those challenges, and what dental providers can do to combat them.

Failure to Identify Your Dental Practice as a HIPAA “Covered Entity”

Covered entities are required to follow HIPAA requirements. A dental practice is considered a covered entity if it transmits an electronic claim, payment, etc. to a dental plan or on behalf of a dental practice. It’s very likely that your dental practice is a covered entity and should be considering HIPAA requirements.

Missing Business Associate Agreements (BAAs)

Outside people or entities often have access to patient records and information. If your dental practice works with third parties of this nature, it’s important that you’re keeping tabs on them. Third parties are often root causes of breaches and data exposure. Continuously review your third parties and be sure you have BAAs for them.

Security Policies and Procedures

Well thought out, written plans are needed to ensure that your practice stays in compliance. Your HIPAA compliance policy should clearly state the responsibilities of your office and each staff member in protecting your patients’ private health information. The policy should clearly outline how your office handles and remediates various kinds of security breaches.


Training employees is a critical component to HIPAA compliance, even for dental practices. Once you have your policies and procedures in place, it becomes critical that you train your employees on them. If someone’s job is affected by a change in your HIPAA policies or procedures, provide training on the change within a reasonable time after the change becomes effective. Training employees will limit the risk of breach.

Texting and Email

HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening. While HIPAA doesn’t prohibit using email or text to communicate patient information, it is important it’s done the proper way.

Social Media

A restaurant is very likely to respond to a Yelp, Facebook or Google review to either appreciate what has been said, or try to take corrective action. Dental practices must be a bit more careful. It’s easy to respond in a way that violates HIPAA rules. Ensure you and your employees understand privacy rules before responding to your practice’s reviews.

Other Media

As photos or videos are being taken of a patient there is the possibility that other patients may be included inadvertently. These photos and videos are quite often shared through social media and this can compromise those patients’ privacy. In addition, staff members of the practice might be included in the photo or video and this violates their privacy. Be cognizant of what is going on in the background of your images and videos so you do not compromise patient information.

Reporting Breaches

Breaches happen. It can and will happen to anyone at any time. It’s crucial that you understand what you need to report, and when. Covered dental practices must report all breaches of unsecured protected health information to the Office of Civil Rights, as well as to individuals and, in some cases, to the media. The bottom line is, have a plan for what to do in case an incident does occur, because it certainly can.


How can you get a better understanding of these challenges, so you know how to avoid and face them? A cyber security assessment is a great tool to do that. Security assessments helps you identify where your gaps in security are. Once they’ve been identified, you can also use the assessment to develop action plans for improvement, meeting HIPAA regulations and proving to examiners that you have a strong data protection program. While there are many challenges as a dental provider to being HIPAA compliant and safeguarding patient information, getting a security assessment puts you on the fast track to understanding and preventing your patients’ data being compromised.



Estimate your score or book free demo today

S2SCORE is a comprehensive assessment that measures your organization’s information security risk. It was created because of a recognized need in the information security industry for a common language people could use to be on the same page about security. Built on the widely unsterstood credit score scale, S2SCORE measures four different types of controls and give you the score to litmus test and starting point for improvements. Every organization should have a S2SCORE and here is why.

1. S2SCORE is easy to understand.

Information security is a complex discipline with many moving parts, but S2SCORE simplifies the communication about how your information security program is performing. You don’t need to be an information security expert with years of experience to understand what S2SCORE is telling you. One simple number represents your overall risk, and additional indicators show where your most significant risks are.

2. S2SCORE can tell you what everyone else is doing.

Hundreds of organizations have received their S2SCORE and this allows for good, fact-based comparisons. One of the common questions we receive about information security is, “What is everybody else doing?” This question comes from the responsibility for due care/due diligence, liability, and knowing that there’s “protection in the herd.

3. With a S2SCORE, you can track progress.

S2SCORE is a point of reference that should be used to track progress and to determine whether risk is maintained within your tolerance. Your information security program and risks are always getting better or worse; they never stay the same. Questions about progress, regular reporting, and support for maintaining your information security program are all answered through the S2SCORE.


The average S2SCORE is 567.72. An “acceptable” level of security is 660.

4. S2SCORE is objective.

S2SCORE is maintained by an independent organization that doesn’t do consulting work, and has no other purpose but to provide accurate measurements of information security risk. In addition to organizational objectivity, the score is also objective. S2SCORE is calculated through the measurement of thousands of objective characteristics that take much of the guesswork and opinion out of the equation.

5. S2SCORE is credible.

S2SCORE was developed over the course of more than 15 years through the work of seasoned information security practitioners and is now on its fifth major release. S2SCORE is based on generally well-accepted information security standards. The criteria for measurement are all referenceable to the NIST Cybersecurity Framework (CSF), and its supporting standards: NIST SP 800-53, COBIT, ISO 27001:2013, and CIS CSC.

6. S2SCORE represents risk.

Risk is the combination of vulnerabilities and applicable threats that manifest themselves into the likelihood of something bad happening and the impact if it did. If there is no vulnerability (or weakness) in a control, there is no risk. If there is a vulnerability in a control without an applicable threat, there is also no risk. S2SCORE represents the analysis of hundreds of controls, thousands of vulnerabilities and thousands of threats, resulting in likelihoods and impacts of bad events.

7. S2SCORE is comprehensive.

Fundamental to S2SCORE is our definition of information security: The application of administrative, physical, and technical controls to protect the confidentiality, integrity and availability of information. There are four phases within S2SCORE:

• Phase 1 – Administrative Controls
• Phase 2 – Physical Controls
• Phase 3 – Internal Technical Controls
• Phase 4 – External Technical Controls

All four parts of the information security program must work well together. A weakness in one control can lead to a collapse of all others. The phases are further segmented into sections, and the sections are further segmented into controls. The final S2SCORE report is presented both high level and then digs deep in the details.

8. There is fast-growing community support for S2SCORE.

The partner community behind S2SCORE is critical to its success. Partners works to generate S2SCOREs for their clients, but the partner community is also vital to future improvements and considerations. The partner community participates in further improvements of the methodology, shares critical information, and evangelizes the need for a common information security language (provided by S2SCORE). Our partners include IT service companies, CPA firms, insurance brokers and security consulting companies.

9. S2SCORE is an indicator of future losses.

As S2SCORE continues to evolve, we get closer to understanding the true losses behind information security incidents and breaches. S2SCORE provides the framework for predicting future information security losses accurately, using the best information available. Today S2SCORE is tied to research conducted by the Ponemon Institute for loss data.

10. S2SCORE is a competitive advantage.

Information security as a competitive advantage? Yes, absolutely! S2SCORE is a representation of the efforts you’ve put into information security and it’s a demonstration that you know where your most significant information security risks are. Armed with this information, you can make an objective case to your customers that you take information security seriously, backed by experienced information security experts, a community of partners, and a clean methodology. Don’t forget the fact that you can now invest your information security dollars where they will have the greatest benefit.


Estimate your score or book free demo today