Within a busy organization, vendor risk management (VRM) can feel like an ideal concept, but can also seem far out of reach. Armed with a vendor risk management checklist and VRM software, like
1. Develop a Plan
The first step in creating a VRM program is to create a plan. This is simple enough, especially with VRM software such as SecurityStudio, where the VRM workflow and most of the vendor communication are already built in. Everything is centrally located in the program, and vendors move from one phase to the next with everything in plain view. Most quality VRM programs include a classification phase, after which vendors are assessed and then given a treatment plan, followed by steps to repeat the process. With a plan like this in place, the risk manager (administrator) will need to surround themselves with a quality team to execute it.
2. Assemble your Team
As with any VRM program, the risk manager will want a group of professionals to help with inventorying vendors and classifying them. Talking to your team members and making sure that everyone is on board will help with participation, and, most importantly, gives them context as to how important information security is to the organization. Team members can lose sight of how important their role is, partly because tracking down information is tedious. Putting a due date on each task also helps motivate people to complete it.
3. Determine a Timeline
Putting a timeline on tasks for both team members and vendors helps move the process along. Without a timeline, it is easy for the VRM program to be put to the side. Software programs such as SecurityStudio have built-in timelines, and the due dates and timelines can be customized if needed.
4. Inventory of Vendors
Taking inventory of the organization's vendors is a key step in becoming defensible. Whether the organization uses a software program or a spreadsheet, there needs to be a list of every vendor that can pose a risk; you cannot defend a relationship you do not know exists. This would seem like common sense, but in many organizations that do not use VRM software, there are incomplete, inaccurate, or outdated spreadsheets floating around in employees' inboxes. This alone makes a case for a software program like SecurityStudio, where all vendors are kept in one centralized location.
5. Designating a Relationship Owner
The security analyst, risk manager, or administrator of the program (usually the same person) is not necessarily the right person to answer classification questions: they often lack the vendor's contact information and the first-hand knowledge of what the vendor actually does for the organization. Generally, the person who works directly with the vendor will answer the questions most accurately, so that person should be designated the relationship owner. Of course, this can vary between organizations.
6. Categorizing/Classifying Vendors
Classifying and categorizing vendors is arguably the most important stage of any VRM program. The classification determines how much risk each vendor could pose, and with software programs like SecurityStudio this is done efficiently and objectively. The decisions made at this stage set the tone and precedent for all later stages, because the classification determines which assessment is sent to the vendor. In short, if you're going to get one stage right, this is the one.
7. Assess your Vendors
After the classification stage, an assessment is sent based on the results; vendor software programs like SecurityStudio do this automatically. Assessments vary in length and scope based on classification, but it is best practice to restrict assessment questions to closed answers: true, false, or N/A. If a vendor has a conditional answer, they will be able to explain it in a later stage (usually during remediation). Closed answers produce a stronger, more objective assessment, because every vendor is scored against the same criteria and there is no free text to interpret.
8. Establish your Threshold
As vendors start completing assessments, it is time to establish a risk threshold if the organization has not already done so. Whatever method your organization uses to assess vendors, there should be a minimum threshold for how much risk the organization is willing to take on. In SecurityStudio, where scoring is on a scale similar to a credit score, the program has a recommended threshold, but organizations can set their own threshold based on objective results. Whichever method is chosen, it is best practice to apply the same standard to all vendors, or at least to all vendors within a given classification or industry.
9. Choosing a Treatment Plan
Once the assessment results come back, it is up to the organization to determine what to do with them. Sometimes it is simply a matter of approving the results, but if the results are not as favorable as expected, the organization should already have a plan in place. This is another example of a situation where best practices should be established in advance: whether a vendor is far too risky to work with, or the organization wants to give the vendor a chance to improve their results, there should be a clear plan. In programs such as SecurityStudio, it is relatively easy to look back on assessment results and choose a treatment plan based on them.
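The classify, assess, threshold and treatment stages above (steps 6 through 9) can be expressed as a small decision pipeline. The following is an added example, not SecurityStudio's code or its scoring formula: the tier criteria, question sets, the 300 to 850 credit-score-style scale, the per-tier thresholds and the "remediate" band are all assumptions chosen for illustration. What it does take from the checklist is the structure: a closed true/false/N/A answer set, N/A answers excluded from the score rather than counted against the vendor, a longer assessment for higher-risk classifications, and one threshold applied consistently to every vendor in the same tier.

```python
"""Vendor classification -> assessment -> threshold -> treatment (illustrative).

Added example. The scoring scale, question sets and thresholds are assumed
for demonstration and are not SecurityStudio's.
"""
from enum import Enum
from typing import Dict, List, Optional

# An answer is True, False, or None (N/A); free text is deliberately not allowed.
Answer = Optional[bool]


class Tier(Enum):
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"


def classify(handles_sensitive_data: bool, has_network_access: bool,
             business_critical: bool) -> Tier:
    """Classify a vendor from relationship-owner answers (assumed criteria).

    Anything touching sensitive data or our network is high risk regardless of
    how important the vendor is to the business.
    """
    if handles_sensitive_data or has_network_access:
        return Tier.HIGH
    if business_critical:
        return Tier.MODERATE
    return Tier.LOW


# Assumed question sets: each tier's assessment is a superset of the one below.
BASE_QUESTIONS: List[str] = [
    "Written information security policy exists",
    "Incident response plan tested within the last year",
]
MODERATE_QUESTIONS = BASE_QUESTIONS + [
    "MFA enforced for all remote and administrative access",
    "Background checks performed on staff with data access",
]
HIGH_QUESTIONS = MODERATE_QUESTIONS + [
    "Customer data encrypted at rest",
    "Independent penetration test within the last year",
    "Vulnerability remediation SLAs defined and tracked",
]
QUESTIONS: Dict[Tier, List[str]] = {
    Tier.LOW: BASE_QUESTIONS,
    Tier.MODERATE: MODERATE_QUESTIONS,
    Tier.HIGH: HIGH_QUESTIONS,
}

# Assumed credit-score-style scale and per-tier minimum acceptable scores.
SCORE_MIN, SCORE_MAX = 300, 850
THRESHOLDS: Dict[Tier, int] = {Tier.LOW: 550, Tier.MODERATE: 650, Tier.HIGH: 720}
REMEDIATION_BAND = 100  # scores this far below threshold get a chance to improve


def score(tier: Tier, answers: Dict[str, Answer]) -> int:
    """Score a completed assessment on the 300-850 scale.

    Every expected question must be answered with True, False or None (N/A).
    N/A answers are excluded from the denominator so a question that does not
    apply neither helps nor hurts the vendor.
    """
    expected = QUESTIONS[tier]
    missing = [q for q in expected if q not in answers]
    unknown = [q for q in answers if q not in expected]
    if missing or unknown:
        raise ValueError(f"assessment mismatch; missing={missing} unknown={unknown}")
    for q, a in answers.items():
        if a is not None and not isinstance(a, bool):
            raise ValueError(f"{q!r}: only true, false or N/A are accepted")
    applicable = [a for a in answers.values() if a is not None]
    if not applicable:
        raise ValueError("every answer is N/A; assessment is not scorable")
    fraction = sum(1 for a in applicable if a) / len(applicable)
    return round(SCORE_MIN + fraction * (SCORE_MAX - SCORE_MIN))


def treatment(tier: Tier, vendor_score: int) -> str:
    """Map a score to a treatment using the tier's threshold, never an ad hoc one."""
    threshold = THRESHOLDS[tier]
    if vendor_score >= threshold:
        return "approve"
    if vendor_score >= threshold - REMEDIATION_BAND:
        return "remediate"
    return "reject"


def evaluate_vendor(handles_sensitive_data: bool, has_network_access: bool,
                    business_critical: bool, answers: Dict[str, Answer]) -> Dict[str, object]:
    """Run the full pipeline for one vendor and return the decision record."""
    tier = classify(handles_sensitive_data, has_network_access, business_critical)
    s = score(tier, answers)
    return {"tier": tier, "score": s, "threshold": THRESHOLDS[tier],
            "treatment": treatment(tier, s)}


if __name__ == "__main__":
    # Constructed sample: a payroll provider (sensitive data) answering the
    # high-tier assessment with five true, one false and one N/A.
    payroll_answers: Dict[str, Answer] = {q: True for q in HIGH_QUESTIONS}
    payroll_answers["Independent penetration test within the last year"] = False
    payroll_answers["Vulnerability remediation SLAs defined and tracked"] = None
    print(evaluate_vendor(True, False, True, payroll_answers))
```

Two design points are worth noting. Excluding N/A from the denominator is what keeps the score objective: if N/A counted as a failure, vendors would be pushed to answer "true" to questions that do not apply, and if it counted as a pass, a vendor could game the score by marking hard questions N/A; either way the conditional explanation belongs in remediation, as the text says, not in the answer field. Keeping thresholds in a per-tier table rather than deciding case by case is what makes the "same standard for all vendors in a tier" rule enforceable and auditable.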
10. Objectively Repeat the Process
Vendor risk management is a never-ending process, and the VRM program needs to be repeatable in order to be effective at all. Business relationships change over time, so the VRM program should adjust to those changes, and VRM practices themselves will be updated as new threats appear. Re-classifying and re-assessing vendors on a schedule, using the same criteria and thresholds each time, is what keeps the results comparable from one cycle to the next. With programs like SecurityStudio, updates to the underlying security practices are applied automatically.
If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!