In the simplest sense, a good vendor risk management program is made up of four phases: Inventory, Classification, Assessment and Treatment. These four phases make up a well-designed third-party information security risk management program.

Phase 1 – Vendor Inventory

Everything starts with third-party inventory. The inventory of third-party providers is what feeds the SecurityStudio system. The purpose of the inventory phase is to get all your third parties into the system and ensure that your third-party inventory remains current.

The bulk of the work comes during implementation. After the system is set up and running, you rarely make any significant changes. Occasionally, you may decide to audit the third-party inventory by comparing the list of third parties maintained within SecurityStudio with the list of third parties maintained in other areas of the business. After the initial system setup, the inventory can be easily audited on an ongoing basis.

There are two parts to vendor inventory if you’re just getting started: the initial inventory and the onboarding process. Once you’re up and running, you will mostly focus on third-party onboarding.

Vendor Inventory

Most organizations don’t know who all their third-party providers are, and the place to start building your third-party inventory is through your finance department. The theory is that if you have a third-party provider, you must be paying for them somehow. There are three places to look for third-party providers initially for your inventory:

  • Third-party providers who are sending you invoices
  • Third-party providers who are being paid with a corporate credit card
  • Third-party providers who are paid by an employee who is being reimbursed for the expense.
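The inventory audit described above (comparing what finance actually pays against the VRM inventory) can be automated. This is an added example, not SecurityStudio code; the vendor names are constructed sample data and the name-normalization rule is an assumption:

```python
import re

# Constructed sample data: the three finance sources named above plus the
# current VRM inventory. Names are deliberately inconsistent in casing,
# punctuation and legal suffixes, as real accounts-payable exports tend to be.
INVOICES = ["Acme Cloud, Inc.", "Northwind Payroll LLC", "Contoso Shredding"]
CORPORATE_CARD = ["ACME CLOUD INC", "Fabrikam Mailer"]
EXPENSE_REIMBURSEMENTS = ["Tailspin Web Hosting", "northwind payroll"]
VRM_INVENTORY = ["Acme Cloud", "Northwind Payroll", "Contoso Shredding", "Litware Backup"]

# Assumed suffix list; extend it for your own jurisdiction's entity types.
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "company", "corporation"}


def normalize(name: str) -> str:
    """Canonical key for a vendor name: lowercase, punctuation stripped,
    trailing legal-entity suffixes removed, whitespace collapsed."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def reconcile(sources: dict, inventory: list) -> dict:
    """Compare every paid vendor against the VRM inventory.
    Returns vendors that are paid but missing from the inventory (with the
    finance sources that saw them) and inventory entries with no payment
    trail, which are candidates for review as stale."""
    paid = {}
    for source, names in sources.items():
        for raw in names:
            key = normalize(raw)
            paid.setdefault(key, {"seen_as": set(), "sources": set()})
            paid[key]["seen_as"].add(raw)
            paid[key]["sources"].add(source)
    inv = {normalize(n): n for n in inventory}
    missing = {k: sorted(v["sources"]) for k, v in paid.items() if k not in inv}
    stale = sorted(v for k, v in inv.items() if k not in paid)
    return {"missing_from_inventory": missing, "no_payment_trail": stale}


def run_audit() -> dict:
    """Run the reconciliation over the three finance sources."""
    return reconcile(
        {"invoices": INVOICES, "corporate_card": CORPORATE_CARD,
         "expense_reimbursements": EXPENSE_REIMBURSEMENTS},
        VRM_INVENTORY,
    )


if __name__ == "__main__":
    for section, rows in run_audit().items():
        print(section, rows)
```

The two vendors paid only by card or reimbursement never appear in the inventory, which is exactly the onboarding gap the finance-first approach is meant to surface.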

Vendor Onboarding

Onboarding is focused on ensuring that all new third-party providers are accounted for in the vendor risk management program before they begin providing their product or service. Uploading third parties into the SecurityStudio system is a snap. You can either upload them one at a time or do a mass upload using a spreadsheet. Employees and finance personnel can enter new vendor information directly into SecurityStudio or we can link to an existing intranet site that you already have set up.

Once the Inventory and Onboarding steps are complete, you’re ready to start Phase 2 of VRM – Vendor Classification.

Vendor security risk management is not easy. It’s often a monotonous combination of spreadsheets, questionnaires, following up with people, and uncertainty. It’s often frustratingly tedious, and it can actually cause otherwise strong information security programs to falter. The best relief is to take a three-step approach to vendor risk management. Simplify. Standardize. Defend.

Simplify

Managing information security risk amongst a population of vendors and third parties is a complex problem for most organizations, and therefore most organizations either don’t manage vendor information security risk at all, or they don’t do it well.

Don’t Manage Vendor Information Security Risk at All

There are five common reasons why organizations don’t manage vendor information security risk:

  • They don’t have enough confidence in their own information security program.
  • They don’t have experience managing vendor information security risk; they don’t know where to start or what it’s supposed to look like.
  • They don’t know what questions to ask or what they should inquire about.
  • They don’t know who all their vendors are.
  • They have other priorities, and don’t get the time to tackle vendor information security risk management.

Question: Why don’t you do vendor information security risk management?

Don’t Manage Vendor Information Security Well

There are five common reasons why organizations don’t manage vendor information security well:

  • Their vendor information security risk management program is incomplete: missing vendors, missing parts of information security, incomplete questionnaires, no scoring or comparison, shortcut inherent and/or residual risk, etc.
  • The vendor information security risk management program is painful to manage.
  • The vendor information security risk management program is disorganized.
  • The vendor information security risk management program relies too much on subjectivity or opinion.
  • They’re just doing something for the sake of doing something. There’s no commitment to doing it right.

Question: What pains do you experience, or what concerns do you have about your vendor information security risk management approach?

Standardize

A vendor information security risk management program must be repeatable and standardized. Standardization enables the other two important features (Simplify and Defend). You need to be doing vendor information security risk management first to truly appreciate the value in standardization. A lack of standardization leads to run-away complexity and a program that is not defensible (against litigation, inquiry from regulators, etc.).

Defend

Defense comes in two forms:

  • Defense against the breach risk posed by your vendors
  • Defense against the lawyers, regulators, and angry customers if or when a breach occurs.

Defense from Vendors

We know that no matter what we do, we cannot possibly prevent all breaches from occurring. So, where are breaches most likely to occur? According to a recent study conducted by Soha Systems, 63% of all breaches are attributed to a vendor, directly or indirectly. * It’s hard to deny the fact that a breach occurring through a vendor is one of the most likely breach events. There’s no excuse for ignoring the risks posed by vendors or taking a half-hearted approach to vendor risk.

There are five common mistakes organizations make in assessing risk related to vendors:

  • Vendor information security risk management is primarily done to meet a regulatory requirement or to “check the box.”
  • Shortcut solutions are implemented to assess and manage information security vendor risk.
  • The logic behind the vendor information security risk decisions is not tied to how risk works (inherent risk or residual risk).
  • Vendor information security risks are accepted without a clear understanding of the risks or the most effective methods of remediation.
  • High (inherent) risk vendor responses are not adequately validated.

Question: Where are there gaps in your vendor information security risk management program?

Defense from the Crowd

We already know that the most likely source of a breach is through a vendor. Even if we do everything that we can to reduce this risk, some risk will remain. When a breach inevitably happens, we need a defense against a whole new breed of attackers. Lawyers, regulators, public opinion, and our own customers become our attackers. They want answers and they want retribution.

Our defense becomes something called due care. Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.

Nobody expects perfection, but everyone should expect due care. Due care is where defensibility lives, and it’s imperative in our vendor information security risk management program. The question becomes, what would an ordinarily prudent or reasonable party do if they knew a vendor breach was eventual? Not accounting for vendor information security risk is indefensible.

For organizations with vendor information security risk management programs, here are some of the most common reasons why they could be less defensible:

  • Vendor information security risk decisions are subjective or opinion-based.
  • Seemingly obvious information security risks are not adequately considered.
  • The personnel making risk decisions are not qualified to do so.
  • Roles and responsibilities for vendor information security risk management are not shared amongst qualified groups or are not formally defined at all.
  • The methodology used for vendor information security risk management is not shared by any group outside of your organization, or it is shared by only a small group of organizations.

Question: Where is your vendor information security risk management program defensible, and where is it not?

Conclusion

SecurityStudio is the most comprehensive solution to simplify, standardize, and defend. It’s a vendor information security management solution that was built by former vendor risk managers who have walked the walk.

To learn more about how a solution like SecurityStudio can help your vendor information security risk management processes, schedule a demo.

Vendor risk management is a critical portion of every organization’s information security program. The number of vendors the average business works with is growing, and the amount of sensitive data we let them have access to is as well. Despite this, many organizations still struggle to effectively manage the risk of their third-party vendors. By not understanding and handling these potential risks well, your organization is more prone to experiencing an information security incident through one of these vendors. Do you know where you stand in protecting your data from vendor risk breaches?

Almost all organizations fit into one of four categories when it comes to managing the data risk their vendors pose— none, painful, partial, or good. Let’s find out where you fit.

None

The largest category of the four is the “None” category, in terms of the number of organizations. According to our estimate, more than 50% of organizations in the United States do not have a third-party information security risk program.

Some of the reasons you may end up in this category include:

  • Not knowing any better.
  • Not knowing where to start.
  • You’ve tried before and failed or gave up.
  • You don’t see the value in establishing a good third-party vendor security management program.

If you’re in this category, what legitimate justification do you have?

If the numbers don’t lie, then you can assume that a data breach will happen by, or through, one of your third-party providers. An estimated 60% of all data breaches are caused by third parties, directly or indirectly. Your decision to not account for this significant risk is difficult to defend against in the court of public opinion, the court of law, or the court of regulatory compliance.

The bottom line is: not doing anything to address third-party information security risk is not defensible. It would be a difficult defense to claim that you didn’t know. Either you did know and you’re not being truthful about it, or you legitimately were ignorant of how important this is. Both are bad defenses when trying to explain how and why you were breached. You’re admittedly and willingly avoiding one of the most significant information security risks facing your organization.

Painful

This second category is organizations that are doing some type of vendor risk management, but it’s a painful process (a checklist can be handy). This category is typically comprised of organizations that either want to do the right thing or are being forced to do the right thing.

Want to do the right thing

These are mostly well-run organizations that want to secure information because it’s the right thing to do in their opinion.

Forced to do something

These organizations are being pushed or forced into implementing a third-party information security risk management program by one or more regulatory (direct and/or indirect), legal, or contractual requirements.

The Typical Painful Approach

Regardless of why the organization has implemented a third-party information security risk management program, the vendor management program is painful. It is usually wrought with subjectivity, inefficiency, ineffectiveness, and disorganization.

Here’s a typical real-world example of a painful vendor management program. A person within the organization has been appointed as the “Vendor Risk Manager.” She begins by developing a policy and a process. The process includes vendor on-boarding, some vendor risk management training, and questionnaires. She inserts the first vendor into the newly designed process and quickly finds that there are some serious pain points:

  • She must run and maintain the entire process.
  • She doesn’t know each third-party provider, what they do for the organization, or how much information they have access to. The upfront research she needs to do is cumbersome and disruptive to her other duties. She tries to get the business to help, but the business views the process as a hindrance and isn’t enthusiastic about helping.
  • She sends questionnaires out to third-party providers with the best contact information she can find, but many of the questionnaires end up going to the wrong people. Some questionnaires even go to the wrong third-party provider.
  • Most of the third-party providers don’t really want to complete the questionnaires, and when they do, the subjective nature of the questions is interpreted in the best possible light for the provider, not the company trying to assess risk.
  • Tracking which questionnaires were sent to which third parties is difficult.
  • Following up with third-parties to get their questionnaires completed is often inconsistent or forgotten altogether.
  • Addressing third-party questions about the process and about how to complete questionnaires is time-consuming.
  • Reviewing each questionnaire and marking them for remediation is subjective and inconsistent.
  • Fighting with third-party providers for remediation of specific vendor management risks and controls (or perceived risks) is contentious and draining.
  • Fighting with the business leaders within the company is useless.

Eventually, the third-party information security risk program falters as employees and vendors see it as more of an inconvenience than a way to improve the organization. If it’s made too painful for the vendors, they may even choose not to do business with our organization.

The painful approach is expensive and a waste of valuable resources.

Partial

The partial approach is where organizations end up if they either don’t fully understand information security risk or don’t care if they’re not addressing information security risk well. These organizations often ask for things from a third-party that don’t specifically address risk or attempt to employ an easy button that only addresses a part of information security risk.

Ask for Things

Are you an organization that asks for something like a SOC 2 report or maybe ISO certification?

Asking for these things just so that you can check it off a list is not sufficient. It’s important to read the reports and certification documents to make sure they address the risks that apply to you and your work with the third party. The motivation for the third party in obtaining these things is to do as little as possible to obtain the report or certification. They are motivated to narrow the scope and get to a passing grade as quickly and cheaply as possible.

This may or may not sufficiently address third-party information security risk, and needs to be properly vetted before the box is checked. Businesses who ask for things and don’t vet the responses are only practicing partial vendor risk management.

Easy Button

A popular partial option used by many organizations is to employ an easy button. There are products and services on the market today that pose as third-party information security risk management tools, but only address one or two parts of information security risk. The most popular of these easy buttons are threat monitoring tools, security rating tools based on external and/or internal vulnerability(ish) scans, and continuous monitoring solutions.

Each of these tools is good at addressing one part of information security risk, most often external technical risks.

But information security risk is more than just external technical risks. Information Security is managing risk to information confidentiality, integrity, and availability, using administrative, physical, and technical controls – all together being security controls.

How do we address physical risk? After all, it doesn’t matter how well our firewall is operating if someone can steal our server.

People are often our biggest risk. It’s important that information security programs take administrative controls into account to mitigate the human error that undermines information security.

The easy button solutions work well for the easy parts of information security, but they leave out the most significant risks. Use them for what they’re good at, but don’t assume you’ve got yourself covered if they’re all you’re using.

The partial approach is incomplete and leads to a false sense of security, which is sometimes worse than no security at all.

Good

A good third-party information security risk program is one that doesn’t compromise any part of our previous definition of third-party information security risk. It conducts its information security program in a manner that is simplified, standardized, and defensible.

Simplified

The simplest approach to third-party information security risk management is one where all third parties are vetted, and where vetting is done in a consistent and objective manner.

Simplified and easy are not the same. Simplified means that there isn’t any waste and everything in the vendor management program has a specific purpose. The components must all work seamlessly together and processes must be streamlined.

In the simplest sense, a good third-party information security risk management program is made up of five components:

  • Policy (and supporting documentation)
  • Inventory
  • Classification
  • Assessment
  • Treatment

Standardized

A good third-party information security risk management program must be standardized. The same process must be followed every time. It’s not that we don’t continually refine and improve the vendor management program, it’s that we do so in a manner that is planned and consistent. In order to ensure standardization, the following must be true:

  • All third-parties must be assessed for the inherent risk in the same way.
  • All third-parties must be assessed for the residual risk in the same way.
  • Inherent and residual assessments must be objective.
  • Risk scoring must be consistently applied.
  • Thresholds must be set for all third parties, driving risk treatment decisions.

Standardization can be achieved through rigid processes, but that could easily defeat our efforts to simplify. The best way to standardize is to use automation. Automation ensures that specific business rules are applied in a consistent manner, and it removes the non-standardization that often comes with human behaviors and decision-making.
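The five standardization requirements above (same inherent and residual assessment for every vendor, objective inputs, consistent scoring, thresholds driving treatment) amount to a set of business rules that can be encoded once and applied identically to every vendor. The following is an added example of such a rule set; the scoring weights, domains and thresholds are assumptions for illustration, not SecurityStudio’s own methodology:

```python
from dataclasses import dataclass

# Assumed ordinal inputs: what the vendor touches, and how deeply.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
ACCESS_LEVEL = {"none": 1, "read": 2, "write": 3, "admin": 4}
# All three control domains must be assessed; a questionnaire that skips one
# is incomplete by definition (the "partial" approach the article warns about).
CONTROL_DOMAINS = ("administrative", "physical", "technical")


@dataclass
class Vendor:
    name: str
    data_sensitivity: str
    access_level: str
    business_critical: bool
    # Questionnaire result per control domain, 0.0 (none) to 1.0 (fully effective)
    controls: dict
    responses_validated: bool = False  # evidence reviewed, not just self-attested


def inherent_risk(v: Vendor) -> float:
    """0..100: what the vendor could expose if it had no controls at all.
    Depends only on the relationship, never on the vendor's answers."""
    score = DATA_SENSITIVITY[v.data_sensitivity] * ACCESS_LEVEL[v.access_level]  # 1..16
    if v.business_critical:
        score *= 1.25  # assumed uplift; max becomes 20
    return round(min(score / 20 * 100, 100), 1)


def residual_risk(v: Vendor) -> float:
    """Inherent risk discounted by the weakest control domain.
    Using the minimum rather than the average means strong technical controls
    cannot paper over a missing physical or administrative programme."""
    missing = [d for d in CONTROL_DOMAINS if d not in v.controls]
    if missing:
        raise ValueError(f"{v.name}: questionnaire incomplete, missing {missing}")
    weakest = min(v.controls[d] for d in CONTROL_DOMAINS)
    return round(inherent_risk(v) * (1 - 0.8 * weakest), 1)  # at most 80% credit


# Assumed thresholds, set once and applied to every vendor.
INHERENT_HIGH = 60.0    # above this, questionnaire answers must be validated
RESIDUAL_ACCEPT = 25.0  # at or below this, risk may be accepted
RESIDUAL_REJECT = 60.0  # above this, remediation is required before use


def treatment(v: Vendor) -> str:
    """Apply the thresholds in a fixed order so the decision is reproducible."""
    inh, res = inherent_risk(v), residual_risk(v)
    if inh > INHERENT_HIGH and not v.responses_validated:
        return "validate"   # self-attestation is not enough for high inherent risk
    if res > RESIDUAL_REJECT:
        return "remediate"
    if res > RESIDUAL_ACCEPT:
        return "mitigate"
    return "accept"
```

Because the rules live in code rather than in an assessor’s head, two vendors with the same inputs always get the same decision, and a high-inherent-risk vendor cannot reach "accept" on unvalidated answers.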

Defensible

No matter what we do, we cannot prevent all bad things from happening. We live with a certain amount of risk, and there is no feasible way to eliminate it all. Organizations must consider how to defend themselves against the potential onslaught of regulatory investigations, civil suits, and loss of revenue.

Nobody expects a perfect approach to third-party information security risk management, but everyone should expect a reasonable approach to third-party information security risk management. Terms like due care, due diligence, and reasonable (or prudent) person are all very important when it comes to defensibility.

We aren’t lawyers, so we’ll borrow from publicly available sources to define these terms.

  • Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.
  • Due diligence in a broad sense refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.
  • Reasonable or Prudent man is a hypothetical person used as a legal standard especially to determine whether someone acted with negligence. This hypothetical person exercises average care, skill, and judgment in conduct that society requires of its members for the protection of their own and of others’ interests. The conduct of a reasonable man serves as a comparative standard for determining liability.

It seems perfectly reasonable for a person to establish a third-party information security risk management program according to the terms that we’ve defined. It’s easier to make the case that you practiced due care, which makes you more defensible.

Doesn’t Compromise

The last characteristic of a good third-party information security risk management program is that it doesn’t compromise what we define as information security or risk.

If we’re going to call it a third-party information security risk management program, or something similar, it must account for information security risk. If we’re going to address only technical controls or the technical aspects of information security risk, then call it something like third-party IT risk management or third-party cybersecurity risk management.

These things are different. The differences may seem subtle in wording, but they are monumentally different in practice. There are no shortcuts in third-party information security risk management; we must account for administrative, physical, and technical controls or aspects.

A good third-party information security risk management program accounts for administrative, physical, and technical risk.

Take Action

Almost all organizations fit into one of four categories when it comes to managing the data security risk their vendors pose: none, painful, partial, or good.

If you need assistance in determining where your vendor risk management program sits, and how you can make it more simplified, standardized and defensible, schedule a demo.
