
What it is, why you need it, and how to use it.

You might be thinking something like:

“Meh! We don’t need another policy that nobody will read! Policies are a waste of time, especially a Vendor Risk Management Policy!”

I get it. People aren’t thrilled by policies. They’re not exciting. They’re not fun either. For some, policies can even be painful.

Policies get a bad rap. Not because they’re evil or anything, but because people rarely use them well. The fact is, information security policies play a very important role in supporting all information security efforts, and a vendor risk management policy plays a very important role in supporting our vendor risk management efforts.

I don’t like wasting people’s time, so I’ll get right to the point. Most policy problems stem from confusion about what a policy is, why you need one, and how it should be used. So, let’s address this as simply as possible. After all, complexity is the enemy of good information security (remember this always).

NOTE: In some organizations, vendor risk management and third-party information security risk management have slightly different meanings. Third-party information security risk management is part of a greater vendor risk management effort. For the purposes of this article, we’re using vendor risk management and third-party information security risk management synonymously.

What a Vendor Risk Management Policy is

The “what” for any policy are the rules. Think of this in terms of a game. A policy defines the rules for the game. A vendor risk management policy defines the rules for the vendor risk management game. Simple.

If you’ve never played the vendor risk management game before, this could be a difficult policy for you to define. If this is you, ask someone you trust for help. Here are two options for you right now:

  1. You can download our template. Change the rules to fit the game that you’re willing to play and make it yours.
  2. Contact SecurityStudio – The experts at SecurityStudio will make sure you get all the answers you need.

There are some typical structural elements that should be found in every policy, including this one: a purpose statement, the audience for the policy, the policy status (draft, approved, adopted, etc.), version, date, the policy itself (the rules), references (to standards and/or other documentation), enforcement intentions, and version history.

Your game, your policy. Don’t expect someone else’s policy to fit as-is, and don’t include rules that you don’t intend to play by.

Why you need a Vendor Risk Management Policy

If the “what” for policy are the rules, the “why” for policy is communication. Policies are used to communicate the rules to others. You don’t need a policy if you don’t have anyone to communicate the rules to. Good news, right?

Before you rejoice, it’s very unlikely that you have no one else to communicate the rules to. There’s almost certainly someone else who needs (or wants) to know the rules.

Think about who needs to know the rules for your vendor risk management game. The list could include:

  • Anyone else within your organization that participates in vendor risk management activities.
  • Anyone who’s interested in your organization’s vendor risk management activities (examiners, regulators, partners, etc.)
  • Anyone who’s ultimately responsible for your organization’s vendor risk management activities, including executive management and the board of directors (if one exists).

The more people who need to know about your rules, the more important the policy becomes. In a small organization where there is a single person who does all the vendor risk management activities, there’s less importance. Not “no” importance, just less importance.

How to use a Vendor Risk Management Policy

Once you’ve written a policy, it’s time to figure out how to use it. Every policy, including this one, must be approved, communicated, adopted, and adjusted (or revised). This is a policy lifecycle that is well understood by most.

  • Draft – The policy is drafted (as v1 in new policies, as incremented version in subsequent cycles).
  • Approve – The policy must be approved by someone with authority (executive management, BoD, etc.).
  • Communicate – The policy must be communicated to all personnel who are affected by it.
  • Adopt – Gap analysis (or audit) coupled with plans and projects to ensure compliance.
  • Review/Revise – Periodic (and regular) review of the policy; suggested edits feed the next draft.

Policies are reference documents and should be written this way. Let’s go back to our game comparison.

When you sit down with friends to play a new board game, how many people read the rules? Just one, and this is the de facto person who oversees the game. How many people should read your policies (rules)? Just the person (or group) who oversees the game. As the game is played, the rules are referenced whenever a question comes up. Same goes for policies.

That’s it. Simple. Define the rules for vendor risk management, communicate the rules, and manage the rules. Vendor risk management policy in a nutshell.

Having a policy in place is great, but also having a workflow that evaluates all third-party vendors and brings your weakest links to the surface is even better. Schedule a demo with us today to get your easy-to-use vendor risk management program.


Vendor Risk Management (VRM) best practices conjure up all manner of interpretation. As a business leader, I’m concerned with all aspects…

  1. Are my vendors financially stable enough to fulfill our agreements?
  2. Are my vendors operationally capable of fulfilling our SLAs and contractual requirements?
  3. Are my vendors doing enough to protect the data I’m sharing with them?

Numbers one and two are easy to measure and offer a mathematically sound position by which vendors may be held accountable. Number three scares me.

What are we to do in the face of daily news, very public and embarrassing news, of vendors’ indiscretions leading to the breach of sensitive information? More questions lead to more questions and on and on it goes.

As a company on the rise, with an ever-growing number of vendors and third parties in the ecosystem, the need to do due diligence on data protection keeps increasing. Here’s the thing – it doesn’t have to be technical or out of reach if you’re not a technically-minded person. Understanding risk is the linchpin of the process.

Defensible Position

Defensible position is the mantra of VRM. Say it with me – “Defensible Position.”

Start here – put ALL of your vendors through the same wringer. When doomsday (a breach) happens, the only defense you have is that a process was followed and that exceptions to that process were minimal and for a VERY good reason.

Example:

  • Jerry’s lawn service handles landscaping for your business. Jerry and his team never set foot in your office; they just mow the lawn and keep the flowers alive. Still, Jerry should go through a brief questioning about the nature of your relationship, be filed under the “low risk” designation, and be put into a queue for review in a year. If, by next year, Jerry is also providing maintenance services INSIDE your building, you should ask more questions, because Jerry and his team may now have physical access to information they didn’t have before. Make sense?

Jerry’s likely not a risk if he’s outside your doors. He’s a potential HUGE risk once he has access to the office. Keep an eye on that with a standard process to reevaluate all vendors like Jerry on (at least) an annual basis.

Assess

Once you’ve put your vendors through the “smell test” of risk (officially called ‘classification’) then move onto assessing whether or not they are doing the right things with their access to your information. There are a number of ways to do this, but in the interest of being in a DEFENSIBLE POSITION, make sure all vendors of a particular classification (high, medium, critical, etc.) get the same assessment.

Lawyers love words like “assume, thought, maybe, about, approximately, etc.” so eliminate that possibility. By measuring your vendors with the same ruler, you take subjectivity out of the equation. Starting to see the advantage, here?

  1. You cannot protect yourself from the breach. There, I said it. The skill and nature of the “bad guys” are such that total immunity is impossible. Accept that and move on to managing the risk of the situation. What is the likelihood of a breach? How bad would it be if you were breached? If you don’t have the math to lean on for answers to those questions, your VRM (and overall security strategy) is inadequate. Period.

Five years ago, achieving a well-measured VRM program was incredibly expensive and often reliant on specialized expertise that was in increasingly short supply. Times have changed and there are options out there with real effectiveness, such as SecurityStudio, which automates the process and puts you in a defensible position.

So, now you’re in a defensible position and at least feel good that you’re doing what’s expected and being responsible. But, there’s a greater responsibility…

2. Help your vendors practice better security. You’re in a position to help the organizations that wouldn’t naturally care about security. Help them put the basics in place to better protect both themselves and you. VRM is a GREAT way to lead your suppliers to best practices while also protecting yourself more effectively. It costs you nothing and has (potentially) enormous benefits.

The soapbox is officially unattended. To recap…

  1. Get all of your vendors in a common process.
  2. Rank your vendors according to the same criteria.
  3. Assess your vendors’ security and get some math around their risk to you.
  4. Help your vendors get better – don’t just point out problems and wish them luck.

Please get in touch with me, John Harmon, if you have any questions. There’s a lot of uncertainty and lip-service out there trying to profit from your uncertainty. Lean on people who have the experience and the propensity to serve to help you with VRM, or any other security concerns you have. The good guys are within reach and ready to help.

For an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!


Many companies are daunted by the task of building a vendor risk management (VRM) program that gathers all vendors in one place, classifies them, assesses the risky ones and determines whether that risk should be remediated or the relationship terminated. However, the benefits of an automated VRM program easily outweigh the effort of building one, and the risk of doing no vendor risk management at all is far greater.

1. Reduced Costs and Time

When defining your VRM program, ensure you set up a centralized process. A centralized VRM program is one that is built and coordinated so that all information is easily accessible by members of your organization, not just those who are managing vendor relationships.

To be successful, your vendor risk management program must include members from a variety of groups, such as finance, legal, IT, procurement, accounting, purchasing and more. Each should have a role in helping to inventory and classify your vendors. In the long run, a centralized process will help to reduce costs and time involved in managing your VRM program.   

2. Reduced Risk

Once all vendors are in your VRM program and classified, you’ll begin to get a good snapshot of where the third-party risk lies in your organization. All vendors should be classified by low, medium or high risk, so the vendor risk manager in charge of your VRM program can start focusing on just the medium- and high-risk vendors.

Once your high-risk vendors are pinpointed, you can begin to reduce the risk they pose to your organization by requiring them to complete a risk assessment. If the assessment results in unsatisfactory risk, you’ll have the choice of asking them to remediate their risky practices or eliminating them as a vendor.

3. Maintaining Compliance

It’s critical for businesses in regulated industries to remain compliant. As third-party breaches continue to rise, regulators are cracking down on organizations that are not properly managing their third-party vendors. Regulators treat vendors as an extension of the company’s ecosystem and, as such, both the company and the vendor could be penalized and/or fined in the event of a breach.

An adequate VRM program can simplify your compliance initiatives and help satisfy the third-party oversight requirements found in most industry regulations, putting your business in a good position when the regulators arrive.

4. Reporting

After the widely reported 2013 Target breach, which attackers started with credentials stolen from an HVAC vendor, many CEOs and Boards of Directors began taking notice of vendor relationships. As a result, many are now asking for comprehensive reports on the state of the organization’s risk as it relates to vendors. Without an adequate VRM program, pulling together this information can be nearly impossible.

Ensure that your VRM program has a robust reporting component so that you can easily pull an executive summary for your Board of Directors and a detailed vendor risk report for management.

5. Defensibility

Above all, being defensible in the event of an information security breach should be at the top of every CEO’s mind. No company will ever be 100-percent secure, so it’s more important to develop your company’s defensibility.

When a breach occurs at your company, regulators, lawyers, customers and more will want someone held accountable. Your company could be liable, even if the breach was caused by a third party, if you don’t have a VRM program in place that shows your due diligence. Your company’s due diligence is shown when you take the necessary steps to both track your vendors and determine the level of risk they pose to your company.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!


Vendor Risk Management (VRM) isn’t hard, but we interact with organizations every day that have complicated, manual processes, or they’re doing nothing at all.  That complexity typically comes from the lack of regulatory clarity around VRM expectations as well as the lack of enforcement.  What is a business supposed to do?  Good question…

At SecurityStudio, we encourage people to think about defensibility.  Sure, you want to identify trouble vendors early and try to manage their risk, but you will never be 100 percent successful at that.  You want to do everything you can to protect your business from a breach, but you also want to make your business defensible in court when a breach happens.  Defensibility occurs when you follow a consistent process.

So let’s start with the basics:  How do you do VRM?

  1. Follow a consistent process.  Always go through the same process and incorporate VRM as early as possible into the vendor process.  The best time to get information from a vendor is when they are striving to earn your business.  Here’s a good process to follow:
    • Get a list (inventory) of your vendors.  Finance probably has a list.
    • Classify them.  We use 3 buckets: Low, Medium and High risk.
    • Assess the risky ones.  If they’re medium or high risk, send them a set of security questions.  Inputs include spreadsheet questionnaires, an S2SCORE assessment, a SOC 2 report, etc.
    • Make decisions. Accept them as a vendor, ask them to fix some things first, or outright deny them.
    • Repeat annually.
  2. Make sure you document your process! Write it down so that you are defensible if/when something bad happens. 
  3. Make sure your process allows you to account for all vendors.  Sure, only a small percentage of your vendors are high risk, but from both a compliance and risk standpoint you need to account for all.  Why?  Because if a breach occurs you’ll have to answer to why you didn’t account for all vendors…
  4. Spreadsheets and a manual process are better than nothing.  Many people start this way.  I think this is primarily because there haven’t been good, cost effective VRM tools on the market until recently.  SecurityStudio is a good example of a tool designed for VRM.
  5. Don’t fall for the gimmicks.  Many services (often very expensive) claim to do VRM, but what they really do is scan the vendor’s publicly accessible, internet-facing assets for vulnerabilities.  Information security is a combination of administrative, physical and technical controls, so an external scan covers only a sliver of the technical ones and says nothing about the rest.

Vendor risk management isn’t that complicated, but like everything in information security the rules aren’t as clear as you’d probably like and everyone is trying to sell you a different version of a solution.  SecurityStudio simply tries to lay out a thought process that makes sense to most people.  If you like the process above, we hope you’ll take a look at SecurityStudio.


On September 29, 2018, Baylor Scott & White Medical Center – Frisco, a joint venture managed by United Surgical Partners International (USPI), discovered that more than 47,000 patient records may have been compromised when the hospital uncovered an issue with the credit card processing system of a third-party vendor. The Texas hospital was required to notify federal regulators under the HIPAA Breach Notification Rule.

Data that may have been accessed by hackers includes name, mailing address, telephone number, date of birth, medical record number, date of service, insurance provider information, account number, last four digits of the credit card used for payment, the card verification value (CVV), type of credit card, date of recurring payment, account balance, invoice number and status of transaction. The CVV is sensitive authentication data that PCI DSS prohibits storing after authorization, so its presence in the exposed data is itself a sign of a control failure at the processor.

The hospital assured its patients that medical record contents and Social Security numbers were not accessed; however, names, addresses, dates of birth and medical record numbers may have been. Under HIPAA, each of those identifiers makes the associated data protected health information (PHI).

Corrective Action

In addition to terminating the relationship with the vendor, Baylor Scott & White Medical Center – Frisco is also offering affected patients or guarantors one year of free credit monitoring services through TransUnion Interactive. However, the damage may have already been done. According to an article by Health IT Security, health information is more valuable than just credit card information or financial data alone, and hackers could sell the information on the dark web for more money than a social security number.

Breaches on the Rise

The U.S. Department of Health and Human Services Office for Civil Rights maintains a breach portal, commonly called the “wall of shame,” of all breaches of unsecured PHI affecting 500 or more individuals. Currently, the list contains more than 400 breaches in just the last 24 months. Each breach is currently under investigation by the Office for Civil Rights.

No breach is entirely preventable, but healthcare organizations must do everything in their power to protect PHI and avoid one. To accomplish this, a good vendor risk management program should be implemented. Third-party vendors must be inventoried, classified and assessed to determine the level of inherent risk they pose to the healthcare organization. Once assessed, you can determine whether their level of risk is acceptable, whether they need to go through a remediation process, or whether you need to discontinue the relationship. By doing so, healthcare organizations can show due care and create a defensible position in the event of a breach.


The final step in the third-party vendor risk management process handles how we decide to treat the risks associated with third parties. The most objective method for risk treatment in relation to third-party information security risk management is pass/fail, acceptable/not acceptable. Either the S2SCORE meets (or exceeds) the acceptable level or it doesn’t.  This is key to standardization and defensibility.

Acceptable

If the resulting S2SCORE is acceptable, the review of the third-party information security risk is complete for this cycle. Information security risks for this third party should be reviewed again in the future, according to a schedule defined by your organization.

Not Acceptable

If the resulting S2SCORE is not acceptable, the third party will need to improve one or more of their information security controls to bring their S2SCORE above the acceptable threshold. As is true in real-life information security, there are several things that the third party could do to improve their score. The final determination will be negotiated between you and your third-party provider.

As the third party undertakes remediation, new S2SCOREs are calculated, and remediation continues until an acceptable S2SCORE is obtained. Once an acceptable S2SCORE is achieved, the review of third-party information security risk is completed until the next cycle.

Repeat Reviews

Although the review of third-party information security risk is complete, the cycle must repeat because several factors are likely to change over time. Your organization may change the way you use a specific third party, threats change, and vulnerabilities change over time. The review cycle you decide to adopt is entirely up to you and the resources you have available. The SecurityStudio default is annual.

Annual reviews should start again at the beginning of the process, Phase 1 of VRM – Inventory, by validating the accuracy of your third-party inventory.


Now that you’ve completed your vendor inventory, it’s time to classify them according to the risk they pose to your organization. Third-party classification is about rating your third-party providers according to the amount of inherent risk they present to your organization. The term “inherent risk” isn’t necessarily in everyone’s vocabulary, so let’s explain what it is. Inherent risk is the amount of risk that your vendor poses to your company based strictly on how you intend to use them, before any of the vendor’s own controls are taken into account. It’s a very simple process to classify your third-party providers according to inherent risk.  The point in doing this is to make sure we only spend your valuable time, and the valuable time belonging to your partners, on the risks that really matter.

Inherent Risk Questionnaire

The classification process starts with the Inherent Risk Questionnaire. This is a simple questionnaire that is completed by the person within your organization who is responsible for the third-party relationship.  This is usually the person who relies on the third party to complete certain tasks on behalf of your organization, or it’s the person who arranged for using the third party in the first place.

The questionnaire is very simple and straightforward, consisting of fewer than 10 questions.

VENDFENSE is very flexible and meant for all organizations. We pre-populate the system with default inherent risk questions to include in the Inherent Risk Questionnaire; however, we can also include custom questions.

Classification

Third-party providers are classified according to the inherent risk they pose to your organization. The classification is automatic, based on objective criteria defined and built into the SecurityStudio Classification Scoring System. The responses provided in the Inherent Risk Questionnaire lead to a classification of High, Medium, or Low. You could choose different words or different classifications, depending on your needs. The point is that the classification criteria should be objective, be a representation of inherent risk, and the classification levels you choose should be simple and logical.

A very important reason for classifying vendors according to inherent risk is to support the reasoning that not all vendors should be subjected to the same level of scrutiny because not all vendors pose the same amount of inherent risk.

High and Medium Impact

High and Medium impact (or inherent risk) third parties require additional review.  The third parties that were classified as High or Medium impact are moved into processing at Phase 3 – Third-Party Risk Assessment.

Low Impact

Low impact third parties are not a significant concern for most organizations. For them, processing is complete once classification is done. Low impact third parties are usually not reviewed again until the next cycle (quarterly, semi-annual, annual, etc.).

In some cases, the percentage of third parties that are Low impact is as high as 80%. This is important to note. If an organization works with 1,000 third parties, as many as 800 (or more) of them need no further review beyond the initial inherent risk classification. That means 800 fewer questionnaires to keep track of and 800 fewer third parties whose security we need to assess.  Also important is the fact that we have demonstrated our due diligence by ensuring that all third parties were classified according to objective criteria.

Once the Classification step is complete, you’re ready to start  Phase 3 of VRM – Assessment.
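The classification step above, the pass/fail treatment described earlier (acceptable or not acceptable against an S2SCORE threshold), and the five-step process from the "How do you do VRM?" list all describe one pipeline: every vendor answers the same inherent risk questionnaire, only Medium and High vendors get assessed, and the assessed score is compared to a single threshold. The following is an added example, written for this page and not SecurityStudio's own code: the question weights, the High/Medium cut-offs, the acceptable threshold of 660 and the vendor inventory are all assumptions (the page gives the shape of the process, not the numbers, and does not state the S2SCORE scale). The one check worth noticing is that a questionnaire key the scoring system does not know about is rejected rather than silently ignored, which is what keeps the criteria objective and the record defensible.

```python
# Added example: one consistent VRM cycle (classify -> assess -> treat).
# Not SecurityStudio code. Weights, cut-offs, threshold and inventory are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical inherent-risk questions (the page only says there are fewer than ten
# and that the criteria must be objective). Each "yes" adds its weight.
QUESTIONS: Dict[str, int] = {
    "handles_sensitive_data": 3,  # stores or processes PHI, PII or card data for us
    "network_access": 3,          # has VPN, API or admin access into our environment
    "physical_access": 2,         # works inside our facilities
    "business_critical": 2,       # an outage halts a core business process
    "subcontracts_our_data": 1,   # passes our data on to fourth parties
}

HIGH_CUTOFF = 5            # hypothetical cut-offs for High / Medium / Low
MEDIUM_CUTOFF = 2
ACCEPTABLE_THRESHOLD = 660  # hypothetical acceptable assessment score


@dataclass
class Vendor:
    name: str
    answers: Dict[str, bool]                # questionnaire, filled in by the relationship owner
    assessment_score: Optional[int] = None  # None until a Medium/High vendor has been assessed


def inherent_risk_score(answers: Dict[str, bool]) -> int:
    """Sum the weights of every 'yes'. Unknown keys are an error: an answer the
    scoring system cannot see is not an objective criterion."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unknown question(s): {sorted(unknown)}")
    return sum(weight for q, weight in QUESTIONS.items() if answers.get(q, False))


def classify(answers: Dict[str, bool]) -> str:
    """Map the questionnaire to High / Medium / Low inherent risk."""
    score = inherent_risk_score(answers)
    if score >= HIGH_CUTOFF:
        return "High"
    if score >= MEDIUM_CUTOFF:
        return "Medium"
    return "Low"


def treat(assessment_score: int, threshold: int = ACCEPTABLE_THRESHOLD) -> str:
    """Pass/fail treatment: the score either meets the threshold or it does not."""
    return "acceptable" if assessment_score >= threshold else "not acceptable"


def run_cycle(vendors: List[Vendor], threshold: int = ACCEPTABLE_THRESHOLD) -> List[dict]:
    """Put every vendor through the same steps and record the outcome.

    Low          -> no further review until the next cycle
    Medium/High  -> needs an assessment; with no score yet it is queued
    assessed     -> accept, or remediate/terminate, decided by the threshold alone
    The returned list is the record you would point to after a breach.
    """
    record = []
    for v in vendors:
        level = classify(v.answers)
        if level == "Low":
            decision = "no further review this cycle"
        elif v.assessment_score is None:
            decision = "queued for assessment"
        elif treat(v.assessment_score, threshold) == "acceptable":
            decision = "accept"
        else:
            decision = "remediate or terminate"
        record.append({"vendor": v.name, "classification": level, "decision": decision})
    return record


def summarize(record: List[dict]) -> Dict[str, int]:
    """Count vendors per classification for the executive summary."""
    counts: Dict[str, int] = {"High": 0, "Medium": 0, "Low": 0}
    for row in record:
        counts[row["classification"]] += 1
    return counts


# Constructed inventory (not real vendors), including the lawn-service case from the post.
INVENTORY = [
    Vendor("Jerry's lawn service", {}),                                    # never inside the building
    Vendor("Jerry's lawn service (next year)", {"physical_access": True}),  # now doing maintenance inside
    Vendor("Card payment processor",
           {"handles_sensitive_data": True, "network_access": True, "business_critical": True},
           assessment_score=610),
    Vendor("Payroll SaaS", {"handles_sensitive_data": True, "subcontracts_our_data": True},
           assessment_score=720),
    Vendor("Coffee supplier", {}),
]

if __name__ == "__main__":
    cycle = run_cycle(INVENTORY)
    for row in cycle:
        print(f"{row['vendor']:<34} {row['classification']:<7} {row['decision']}")
    print(summarize(cycle))
```

Run as a script it prints one line per vendor: the two Low vendors drop out after classification, the lawn service that moved indoors becomes Medium and is queued, the payroll vendor passes, and the card processor at 610 lands in remediate-or-terminate. Changing the threshold changes only that last decision, which is the point of a single objective cut-off.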


In the simplest sense, a good vendor risk management program is made up of four phases: Inventory, Classification, Assessment and Treatment. These four phases make up a well-designed third-party information security risk management program.

Phase 1 – Vendor Inventory


We can’t effectively protect the things we don’t know we have from the things we don’t know about. Every third party that the organization does business with must be included in the third-party inventory. It’s not that every third party poses a significant risk, it’s that we must show our due diligence regardless.

Everything starts with third-party inventory. The inventory of third-party providers is what feeds the SecurityStudio system. The purpose of the inventory phase is to get all your third parties into the system and ensure that your third-party inventory remains current.

The bulk of the work comes during implementation. After the system is set up and running, you rarely make any significant changes. Occasionally, you may decide to audit the third-party inventory by comparing the list of third parties maintained within SecurityStudio with the list of third parties maintained in other areas of the business. After the initial system setup, the inventory can be easily audited on an ongoing basis.

There are two parts to vendor inventory if you’re just getting started: the initial inventory and the onboarding process. Once you’re up and running, you will mostly focus on third-party onboarding.

Vendor Inventory

Most organizations don’t know who all their third-party providers are, and the place to start building your third-party inventory is through your finance department. The theory is that if you have a third-party provider, you must be paying for them somehow. There are three places to look for third-party providers initially for your inventory:

  • Third-party providers who are sending you invoices
  • Third-party providers who are being paid with a corporate credit card
  • Third-party providers who are paid by an employee who is being reimbursed for the expense.

Vendor Onboarding

Onboarding is focused on ensuring that all new third-party providers are accounted for in the vendor risk management program before they begin providing their product or service. Uploading third parties into the SecurityStudio system is a snap. You can either upload them one at a time or do a mass upload using a spreadsheet. Employees and finance personnel can enter new vendor information directly into SecurityStudio or we can link to an existing intranet site that you already have set up.

Once the Inventory and Onboarding steps are complete, you’re ready to start  Phase 2 of VRM – Vendor Classification.


The topic of vendor risk management (VRM) is on the lips of nearly every CISO, IT Director, CTO/CIO and business owner in the country, and with good reason. Security breaches have reached near epidemic proportions and businesses don’t need to just worry about data being stolen. The real issue is what happens after the breach occurs when regulators, lawyers, and your own customers come after your business, trying to determine who is at fault for the breach.

Using third-party vendors adds another layer of complexity to finding the source of the breach, but even though it may have been the fault of the vendor, your business could still be liable. It’s critical to both track and monitor all vendors with a good VRM program and also classify them as low, medium or high risk so you can focus on those vendors that pose the most risk to your business. This business-critical process can help keep you out of hot water in the event of a third-party breach, but how do you know if your business is ready for a VRM program?

Use our quick guide below to determine if you should invest in a VRM program:

For a free demo of SecurityStudio, the vendor risk management tool that can help your business become simplified, standardized, and defensible, sign up.
