It’s easy for an organization to get caught up in establishing policies, workflows, and procedures for vendor risk management. Without context as to why these policies are important and stressing this to your team, many will lose sight of the primary goal of vendor risk management – to put the organization in a defensible position. An organization owes it to their customers. The goal of vendor risk management is to position the organization in a defensible position by taking inventory of all vendors, measuring how much of a risk each vendor poses, assessing each vendor objectively, and then systematically repeating this process. That’s a hefty goal, so let’s break it down.
Inventory – Taking inventory of all vendors
The first step to mitigating risk is to take inventory ofall vendors. This list includeseverything from the organization’s HVAC technician, cleaning service, insurancebroker, and even the free online software provider. These are all considered vendors, and whilenot all of them have the same access to sensitive information, many vendors willhave some access to the organization’s information either physically orotherwise. The goal of taking inventoryof your vendors is to make sure that all the vendors within an organization isaccounted for. Quite simply, you don’tknow, what you don’t know.
Classify – Measuring how much of a risk each vendor poses
Not all vendors will have access to the same amount ofinformation, but it’s important to sort your vendors into buckets. Using the same classification method puts allyour vendors into perspective, and puts the organization in a defensibleposition. The HVAC technician won’tnecessarily have the same impact as an insurance broker that has access tosensitive information. However, bothvendors pose a risk – SecurityStudio has three impact levels – high, medium, andlow. By classifying vendors objectively,the right course of action can be taken to assess them appropriately.
Assess – Assess each vendor so that the appropriate actioncan be taken
The goal of the assessment process is to make sure that theright questions are being asked, and that the same questions are being asked ofall vendors within the same bucket. Thisagain will put the organization in a more defensible position. The goal of theassessment process is to be as objective as possible and to complete duediligence. It’s important to ask thesequestions now, so that in the case of an adverse event, the organization isstill defensible. Tools, like SecurityStudio,makes it easy. SecurityStudio offers acomprehensive list of questions, and the program tags who answers the questionsand timestamps when the questions are answered. The ultimate goal of the assessment is to have an objective overview ofthe vendor’s security posture so that the organization is able to make aninformed decision to either go into business or continue doing business withthe vendor. Once the results of theassessment are given, then it’s a matter of replicating the process on aregular timely basis, or as the business relationship changes.
Now that the goal is broken down, it puts things inperspective. Yes, organizations arepressured to develop a vendor risk management program by regulatory laws, butit’s more than that. It’s just the rightthing to do. Organizations owe it tocustomers to make sure that the information they provide is secure bymitigating risk the best they can and putting themselves in a defensibleposition. This is the primary goal ofvendor risk management.
To put your goals to action and get an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
Estimate your score or book free demo today
Estimator | Get a Demo
