Posts

 It’s easy for an organization to get caught up in establishing policies, workflows, and procedures for vendor risk management. Without context as to why these policies are important and stressing this to your team, many will lose sight of the primary goal of vendor risk management – to put the organization in a defensible position.  An organization owes it to their customers.  The goal of vendor risk management is to position the organization in a defensible position by taking inventory of all vendors, measuring how much of a risk each vendor poses, assessing each vendor objectively, and then systematically repeating this process.  That’s a hefty goal, so let’s break it down.  

Inventory – Taking inventory of all vendors

The first step to mitigating risk is to take inventory of all vendors.  This list includes everything from the organization’s HVAC technician, cleaning service, insurance broker, and even the free online software provider.  These are all considered vendors, and while not all of them have the same access to sensitive information, many vendors will have some access to the organization’s information either physically or otherwise.  The goal of taking inventory of your vendors is to make sure that all the vendors within an organization is accounted for.  Quite simply, you don’t know, what you don’t know.

Classify – Measuring how much of a risk each vendor poses

Not all vendors will have access to the same amount of information, but it’s important to sort your vendors into buckets.  Using the same classification method puts all your vendors into perspective, and puts the organization in a defensible position.  The HVAC technician won’t necessarily have the same impact as an insurance broker that has access to sensitive information.  However, both vendors pose a risk – SecurityStudio has three impact levels – high, medium, and low.  By classifying vendors objectively, the right course of action can be taken to assess them appropriately. 

Assess – Assess each vendor so that the appropriate action can be taken

The goal of the assessment process is to make sure that the right questions are being asked, and that the same questions are being asked of all vendors within the same bucket.  This again will put the organization in a more defensible position. The goal of the assessment process is to be as objective as possible and to complete due diligence.  It’s important to ask these questions now, so that in the case of an adverse event, the organization is still defensible.  Tools, like SecurityStudio, makes it easy.  SecurityStudio offers a comprehensive list of questions, and the program tags who answers the questions and timestamps when the questions are answered.  The ultimate goal of the assessment is to have an objective overview of the vendor’s security posture so that the organization is able to make an informed decision to either go into business or continue doing business with the vendor.  Once the results of the assessment are given, then it’s a matter of replicating the process on a regular timely basis, or as the business relationship changes. 

Now that the goal is broken down, it puts things in perspective.  Yes, organizations are pressured to develop a vendor risk management program by regulatory laws, but it’s more than that.  It’s just the right thing to do.  Organizations owe it to customers to make sure that the information they provide is secure by mitigating risk the best they can and putting themselves in a defensible position.  This is the primary goal of vendor risk management.

To put your goals to action and get an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

Vendor Risk Management Goals
s2core

Estimate your score or book free demo today

Vendor Risk Management best practices (VRM) conjures up all manner of interpretation. As a business leader, I’m concerned with all aspects….

  1. Are my vendors financially stable enough to fulfill our agreements?
  2. Are my vendors operationally capable of fulfilling our SLA’s and contractual requirements?
  3. Are my vendors doing enough to protect the data I’m sharing with them?

Numbers one and two are easy to measure and offer a mathematically sound position by which vendors may be held accountable. Number three scares me.

What are we to do in the face of daily news, very public and embarrassing news, of vendors’ indiscretions leading to the breach of sensitive information? More questions lead to more questions and on and on it goes.

As a company on the rise, including an ever-growing number of vendors and third-parties in the ecosystem, the need to do due diligence on data protection is ever increasing. Here’s the thing – it doesn’t have to be technical or out of reach if you’re not a technically-minded person. Understanding risk is the lynchpin to the process.

Defensible Position

Defensible position is the mantra of VRM. Say it with me – “Defensible Position.”

Start here – put ALL of your vendors through the same wringer. When doomsday (a breach) happens, the only defense you have is that a process was followed and that exceptions to that process were minimal and for a VERY good reason.

Example:

  • Jerry’s lawn service handles landscaping services for your business. Jerry and his team never set foot into your office, they just mow the lawn and keep the flowers alive. Still, Jerry should be able to withstand a brief questioning of the nature of your relationship be filed under the “low risk” designation and put into a queue to review in a year. If, by next year, Jerry is also providing maintenance services INSIDE your building, you should ask more questions because Jerry and his team may have physical access to information they didn’t have before. Make sense?

Jerry’s likely not a risk if he’s outside your doors. He’s a potential HUGE risk once he has access to the office. Keep an eye on that with a standard process to reevaluate all vendors like Jerry on (at least) an annual basis.

Assess

Once you’ve put your vendors through the “smell test” of risk (officially called ‘classification’) then move onto assessing whether or not they are doing the right things with their access to your information. There are a number of ways to do this, but in the interest of being in a DEFENSIBLE POSITION, make sure all vendors of a particular classification (high, medium, critical, etc.) get the same assessment.

Lawyers love words like “assume, thought, maybe, about, approximately, etc.” so eliminate that possibility. By measuring your vendors with the same ruler, you take subjectivity out of the equation. Starting to see the advantage, here?

  1. You cannot protect yourself from the breach. There, I said it. The skill and nature of the “bad guys” are such that total immunity is impossible. Accept that and move on to managing the risk of the situation. What is the likelihood of a breach? How bad would it be if you were breached? If you don’t have the math to lean on for answers to those questions, you’re VRM (and overall security strategy) is inadequate. Period.

Five years ago, achieving a well-measured VRM program was incredibly expensive and often reliant on specialized expertise that was in increasingly short supply. Times have changed and there are options out there that have real effectiveness, such as SecurityStudio , which automates the process and put you in a defensible position.

So, now you’re in a defensible position and at least feel good that you’re doing what’s expected and being responsible. But, there’s a greater responsibility…

2. Help your vendors practice better security. You’re in a position to help the organizations who wouldn’t naturally care about security. Put the basics in place to better protect themselves and you. VRM is a GREAT way to lead your suppliers to best practices while also protecting yourself in a more effective way. It costs you nothing and has (potentially) enormous benefits.

The soapbox if officially unattended. To recap…

  1. Get all of your vendors in a common process.
  2. Rank your vendors according to the same criteria.
  3. Assess your vendors’ security and get some math around their risk to you.
  4. Help your vendors get better – don’t just point out problems and wish them luck.

Please get in touch with me, John Harmon, if you have any questions. There’s a lot of uncertainty and lip-service out there trying to profit from your uncertainty. Lean on people who have the experience and the propensity to serve to help you with VRM, or any other security concerns you have. The good guys are within reach and ready to help.

For an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

s2core

Estimate your score or book free demo today

Many companies are daunted by the task of building a vendor risk management (VRM) program that gathers all vendors in one place, classifies them, assesses the risky ones and determines if that risk should be remediated or terminated. However, the benefits of an automated VRM program easily outweigh the risks of not doing vendor risk management.

1. Reduced Costs and Time

When defining your VRM program, ensure you setup a centralized process. A centralized VRM program is one that is built and coordinated so that all information is easily accessible by members of your organization, not just those that are managing vendor relationships.

To be successful, your vendor risk management program must include members from a variety of groups, such as finance, legal, IT, procurement, accounting, purchasing and more. Each should have a role in helping to inventory and classify your vendors. In the long run, a centralized process will help to reduce costs and time involved in managing your VRM program.   

2. Reduced Risk

Once all vendors are in your VRM program and classified, you’ll begin to get a good snapshot of where the third-party risk lies in your organization. All vendors should be classified by low, medium or high risk, so the vendor risk manager in charge of your VRM program can start focusing on just the medium- and high-risk vendors.

Once your high-risk vendors are pinpointed, you can begin to reduce the risk they pose on your organization by requiring them to do a risk assessment. If this assessment results in unsatisfactory risk, you’ll have the choice of asking them to remediate their risky practices or eliminate them as a vendor.

3. Maintaining Compliance

It’s critical for businesses in regulated industries to remain complaint. As third-party breaches continue to rise, regulators are cracking down on organizations that are not properly managing their third-party vendors. Regulators classify vendors as an extension of the company’s ecosystem and, as such, both the company and the vendor could be penalized and/or fined in the event of a breach.

An adequate VRM program can simplify your compliance initiatives and can satisfy all industry regulation compliance requirements, thus putting your business in a good position when the regulators arrive.

4. Reporting

After the legendary third-party breach of Target, many CEOs and Boards of Directors began taking notice of vendor relationships. As a result, many are now asking for comprehensive reports on the state of risk of the organization as it relates to vendors. Without an adequate VRM program, pulling together this information can be nearly impossible.

Ensure that your VRM program has a robust reporting component so that you can easily pull an executive summary for your Board of Directors and a detailed vendor risk report for management.

5. Defensibility

Above all, being defensible in the event of an information security breach should be at the top of every CEO’s mind. No company will ever be 100-percent secure, so it’s more important to develop your company’s defensibility.

When a breach occurs at your company, regulators, lawyers, customers and more will come after you for retribution. Your company could be liable, even if the breach was caused by a third party, if you don’t have a VRM program in place that shows your due diligence. Your company’s due diligence is shown when you take the necessary steps to both track your vendors and determine their level of risk on your company.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

s2core

Estimate your score or book free demo today

Historical Use of Vendors Over Time

Before we address the purpose of vendor risk management we need to spend a few moments to understand how we got here. Looking back 20 years ago third-party vendors were used differently and not used as much.  We did not perform any sort of vendor risk management.  Considerations to use a vendor would be primarily based on cost.  Today is a much different picture.  We can easily create an entirely new business with a laptop, internet connection and a credit card.  Software solutions can be purchased and used within organizations without getting IT involved; therefore, skipping the chance to properly evaluate the potential risk.  The threat landscape has changed vastly and continues to evolve seemingly faster all the time.

Shift Control from Internal to Third Party

I reminisce about my first job coming out of college.  The large company I worked for didn’t have internet access, we didn’t have email and we didn’t exchange data or allow others to access our data.  All the control was in our hands.  If we suffered some sort of incident it was up to us to fix it and get back on track.  Today we outsource to third-party vendors for strategic reasons (increased efficiencies, new services, focus on core business objectives, etc.). Risky vendors will then increase our risk if not properly evaluated and managed.  The control is shifted from us to the vendor.  How much data are we giving to the vendor?  Does a disruption in the vendor’s ability to provide services create an unaccepted situation?  Does the vendor have a formal approach to securing your data?  Do they have a risk management program that’s formally mandated and supported by their executive management?  Do they treat your data with the same standards as you do?

Purpose of Vendor Risk Management

A lack of a complete and effective vendor risk management puts organizations at risk.  Regulated industries like Finance, Healthcare and Public Utilities all require ongoing risk assessments.  The use of third-party vendors needs to be incorporated into the risk assessment.  A thorough and efficient vendor risk management program can make a difficult process run more smoothly. 

Another reason you should consider a formal vendor risk management approach is to address the business impact risk that’s introduced by utilizing third party vendors.  Your reputation could be tarnished by the actions of a vendor you use.  Your organization could suffer unacceptable downtime or lack of service due to a vendor’s internal (or lack of) business practices.  You could also be affected by a third-party vendor’s financial situation.  If a vendor provides a critical or unique service that is not easily replaced, it’s in your best interest that their finances are in good order.  Can they keep their lights on and provide you with the critical services you pay them for?

In a simple form, the purpose of vendor risk management is ensuring the use of third-party vendors and making sure they do not introduce a negative impact, business disruption or damage your reputation. It also puts you in a defensible position by showing you’re practicing proper due care and due diligence regarding information security and vendor risk management. 

Vendor Risk Management Process

The vendor risk management process comprises of four steps.  Once the initial process is started, new vendor and annual vendor reviews will be much faster and simpler to manage.

  1. Identify your vendors – Any individual or company who provides you paid services.  Working with Accounts Payable will cast the biggest net.  Don’t forget about services purchased on a credit card – so check those statements!
  2. Classify your vendors – Now you have the master vendor list you need to classify the vendor into high, medium and low risk categories.  Department managers are typically the best to determine this since they have an idea of the types and amount of data the vendor has access to as well as how the vendor is used and what impact the vendor has on the business.  This can sometimes be difficult at first because some managers might not understand their role in the vendor risk management process.
  3. Assess vendor risk – A risk assessment should be performed on all high and medium risk vendors.  The risk assessment should be the same criteria for all classes of vendors.  Higher risk vendors will be under the microscope a bit more than the medium risk vendors.  Low-risk vendors simply need to be evaluated for risk and documented.  It’s important to show you’ve evaluated and classified ALL vendors, not just the ones you feel are important. 
  4. Risk treatment – Once risks are identified you need to determine if the risk is acceptable or if you will ask\require the vendor to mitigate identified risks.  Remediation efforts by the vendor should be monitored and assurance made to you by the vendor that they did indeed address the risks identified.  This might come in the form of policy developed, audit results or verified risk assessment performed certified information security expert.

The entire process is repeated on a regular basis, preferably annually.  The initial startup of a vendor risk management program can be daunting but with the correct tools, it doesn’t have to be.

Who Do We Work For?

We all work for someone.  Our industries might be vastly different but the common item we all have is we work for people.  People entrust us with their finances, healthcare data, personal data, retirement funds, school grades, etc., the list goes on and on.  Behind all that data are mothers, fathers, grandparents, aunts, uncles, nieces, nephews, sons, daughters, friends and neighbors.  We owe it to them to do everything we can to protect their data as if it were our own.  This is the REAL purpose of vendor risk management.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

s2core

Estimate your score or book free demo today

Vendor risk management is a critical portion of every organization’s information security program. The number of vendors the average business works with is growing, and the amount of sensitive data we let them have access to is as well. Despite this, many organizations still struggle to effectively manage the risk of their third-party vendors. By not understanding and handling these potential risks well, your organization is more prone to experiencing an information security incident through one of these vendors. Do you know where you stand in protecting your data from vendor risk breaches?

Almost all organizations fit into one of four categories when it comes to managing the data risk their vendors pose— none, painful, partial, or good. Let’s find out where you fit.

None

The largest category of the four is the “None” category, in terms of the number of organizations. According to our estimate, more than 50% of organizations in the United States do not have a third-party information security risk program.

Some of the reasons you may end up in this category include:

  • Not knowing any better.
  • Not knowing where to start.
  • You’ve tried before and failed or gave up.
  • You don’t see the value in establishing a good third-party vendor security management program

If you’re in this category, what legitimate justification do you have?

If the numbers don’t lie, then you can assume that a data breach will happen by, or through, one of your third-party providers. An estimated 60% of all data breaches are caused by third-parties— directly or indirectly.  Your decision to not account for this significant risk is difficult to defend against in the court of public opinion, the court of law, or the court of regulatory compliance.

The bottom line is; not doing anything to address third-party information security risk is not defensible. It would a difficult defense to claim that you didn’t know. Either you did know and you’re not being truthful about it, or you legitimately were ignorant of how important this is. Both are bad defenses when trying to explain how and why you were breached. You’re admittedly and willingly avoiding one of the most significant information security risks facing your organization.

Painful

This second category is organizations that are doing some type of vendor risk management, but it’s a painful process (a checklist can be handy). This category is typically comprised of organizations that either want to do the right thing or are being forced to do the right thing.

Want to do the right thing

These are mostly well-run organizations that want to secure information because it’s the right thing to do in their opinion.

Forced to do something

These organizations are being pushed or forced into implementing a third-party information security risk management program by one or more regulatory (direct and/or indirect), legal, or contractual requirements.

The Typical Painful Approach

Regardless of why the organization has implemented a third-party information security risk management program, the vendor management program is painful. It is usually wrought with subjectivity, inefficiency, ineffectiveness, and disorganization.

Here’s a typical real-world example of a painful vendor management program. A person within the organization has been appointed as the “Vendor Risk Manager.” She begins by developing a policy and a process. The process includes vendor on-boarding, some vendor risk management training, and questionnaires. She inserts the first vendor into the newly designed process and quickly finds that there are some serious pain points:

  • She must run and maintain the entire process.
  • She doesn’t know each third-party provider, what they do for the organization, or how much information they have access to. The upfront research she needs to do is cumbersome and disruptive to her other duties. She tries to get the business to help, but the business views the process as a hindrance and isn’t enthusiastic about helping.
  • She sends questionnaires out to third-party providers with the best contact information she can find, but many of the questionnaires end up going to the wrong people. Some questionnaires even go to the wrong third-party provider.
  • Most of the third-party providers don’t really want to complete the questionnaires, and when they do, the subjective nature of the questions is interpreted in the best possible light for the provider, not the company trying to assess risk.
  • Tracking which questionnaires that were sent to which third-parties is difficult.
  • Following up with third-parties to get their questionnaires completed is often inconsistent or forgotten altogether.
  • Addressing third-party questions about the process and about how to complete questionnaires is time-consuming.
  • Reviewing each questionnaire and marking them for remediation is subjective and inconsistent.
  • Fighting with third-party providers for remediation of specific vendor management risks and controls (or perceived risks) is contentious and draining.
  • Fighting with the business leaders within the company is useless.

Eventually, the third-party information security risk program falters as employees and vendors think it as more of an inconvenience than a way to improve the organization. If it’s made too painful for the vendors, they may even choose not to do business with our organization.

The painful approach is expensive and a waste of valuable resources. 

Partial

The partial approach is where organizations end up if they either don’t fully understand information security risk or don’t care if they’re not addressing information security risk well. These organizations often ask for things from a third-party that don’t specifically address risk or attempt to employ an easy button that only addresses a part of information security risk.

Ask for Things

Are you an organization that asks for something like a SOC 2 report or maybe ISO certification?

Asking for these things just so that you can check it off a list is not sufficient.  It’s important to read the reports and certification documents to make sure they address which risks are applicable to you and your work with the third-party. The motivation for the third-party in obtaining these things is to do as little as possible to obtain the report or certification. They are motivated to narrow the scope and get to a passing grade as quickly and cheaply as possible.

This may or may not sufficiently address third-party information security risk, and needs to be properly vetted before the box is checked. Businesses who ask for things and don’t vet the responses are only practicing partial vendor risk management.

Easy Button

A popular partial option used by many organizations is to employ an easy button. There are products and services on the market today that pose as third-party information security risk management tools, but only address one or two parts of information security risk. The most popular of these easy buttons are threat monitoring tools, security rating tools based on external and/or internal vulnerability(ish) scans, and continuous monitoring solutions.

Each of these tools are good at addressing one part of information security risk— most often external technical risks.

But information security risk is more than just external technical risks. Information Security is managing risk to information confidentiality, integrity, and availability, using administrative, physical, and technical controls – all together being security controls.

How do we address physical risk? After all, it doesn’t matter how well our firewall is operating if someone can steal our server.

People are often our biggest risk. It’s important that information security programs take administrative controls into account to mitigate the human error of information securirty.

The easy button solutions work well for the easy parts of information security, but they leave out the most significant risks. Use them for what they’re good at, but don’t assume you’ve got yourself covered if they’re all your using.

The partial approach is incomplete and leads to a false sense of security, which is sometimes worse than no security at all.

Good

A good third-party information security risk program is one that doesn’t compromise any part of our previous definition of third-party information security risk. It conducts its information security program in a manner that is simplified, standardized, and defensible.

Simplified

The simplest approach to third-party information security risk management is one where all third parties are vetted, and where vetting is done in a consistent and objective manner.

Simplified and easy are not the same. Simplified means that there isn’t any waste and everything in the vendor management program has a specific purpose. The components must all work seamlessly together and processes must be streamlined.

In the simplest sense, a good third-party information security risk management is made up of five components;

  • Policy (and supporting documentation)
  • Inventory
  • Classification
  • Assessment
  • Treatment

Standardized

A good third-party information security risk management program must be standardized. The same process must be followed every time. It’s not that we don’t continually refine and improve the vendor management program, it’s that we do so in a manner that is planned and consistent. In order to ensure standardization, the following must be true:

  • All third-parties must be assessed for the inherent risk in the same way.
  • All third-parties must be assessed for the residual risk in the same way.
  • Inherent and residual assessments must be objective.
  • Risk scoring must be consistently applied.
  • Thresholds must be set for all third-parties; driving risk treatment decisions.

Standardization can be achieved through rigid processes, but that could easily defeat our efforts to simplify. The best way to standardize is to use automation. Automation ensures that specific business rules are applied in a consistent manner, and it removes the non-standardization that often comes with human behaviors and decision-making.

Defensible

No matter what we do, we cannot prevent all bad things from happening. We live with a certain amount of risk, and there is no feasible way to eliminate it all. Organizations must consider how to defend themselves against the potential onslaught of regulatory investigations, civil suits, and loss of revenue.

Nobody expects a perfect approach to third-party information security risk management, but everyone should expect a reasonable approach to third-party information security risk management. Terms like due care, due diligence, and reasonable (or prudent) person are all very important when it comes to defensibility.

We aren’t lawyers, so we’ll borrow from publicly available sources to define these terms.

  • Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.
  • Due diligence in a broad sense refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.
  • Reasonable or Prudent man is a hypothetical person used as a legal standard especially to determine whether someone acted with negligence. This hypothetical person exercises average care, skill, and judgment in conduct that society requires of its members for the protection of their own and of others’ interests. The conduct of a reasonable man serves as a comparative standard for determining liability.

It seems perfectly reasonable for a person to establish a third-party information security risk management program according to the terms that we’ve defined. It’s easier to make the case that you practiced due care, which makes you more defensible.

Doesn’t Compromise

The last characteristic of a good third-party information security risk management program is that it doesn’t compromise what we define as information security or risk.

If we’re going to call it a third-party information security risk management, or something similar, it must account for information security risk. If we’re going to address only technical controls or the technical aspects of information security risk, then call it something like third-party IT risk management or third-party cybersecurity risk management.

These things are different. The differences may seem subtle in wording, but they are monumentally different in practice. There are no shortcuts in third-party information security risk management, we must account for administrative, physical, and technical controls or aspects.

A good third-party information security risk management program accounts for administrative, physical, and technical risk.

Take Action

Almost all organizations fit into one of four categories when it comes to managing the data security risk their vendors pose— none, painful, partial, or good.

If you need assistance in determining where your vendor risk management program sits, and how you can help to make your organization more simplified, standardized and defensible, schedule a demo.

 

s2core

Estimate your score or book free demo today