It’s easy for an organization to get caught up in establishing policies, workflows, and procedures for vendor risk management. Without context as to why these policies matter, and without stressing that context to your team, many will lose sight of the primary goal of vendor risk management: to put the organization in a defensible position. An organization owes it to its customers. Vendor risk management reaches that defensible position by taking inventory of all vendors, measuring how much risk each vendor poses, assessing each vendor objectively, and then systematically repeating this process. That’s a hefty goal, so let’s break it down.
Inventory – Taking inventory of all vendors
The first step to mitigating risk is to take inventory of all vendors. This list includes everything from the organization’s HVAC technician, cleaning service, and insurance broker to the free online software provider. These are all considered vendors, and while not all of them have the same access to sensitive information, many vendors will have some access to the organization’s information, whether physical or otherwise. The goal of taking inventory of your vendors is to make sure that every vendor within the organization is accounted for. Quite simply, you don’t know what you don’t know.
Classify – Measuring how much of a risk each vendor poses
Not all vendors will have access to the same amount of information, so it’s important to sort your vendors into buckets. Using the same classification method for every vendor puts them all into perspective and puts the organization in a defensible position. The HVAC technician won’t necessarily have the same impact as an insurance broker that has access to sensitive information. However, both vendors pose a risk; SecurityStudio uses three impact levels: high, medium, and low. By classifying vendors objectively, the right course of action can be taken to assess them appropriately.
Assess – Assess each vendor so that the appropriate action can be taken
The goal of the assessment process is to make sure that the right questions are being asked, and that the same questions are being asked of all vendors within the same bucket. This again puts the organization in a more defensible position. The assessment should be as objective as possible and complete the organization’s due diligence. It’s important to ask these questions now, so that in the case of an adverse event, the organization is still defensible. Tools like SecurityStudio make this easy: SecurityStudio offers a comprehensive list of questions, and the program records who answers each question and timestamps when it was answered. The ultimate goal of the assessment is an objective overview of the vendor’s security posture, so that the organization can make an informed decision to either go into business or continue doing business with the vendor. Once the assessment results are in, it’s a matter of repeating the process on a regular schedule, or whenever the business relationship changes.
Now that the goal is broken down, it puts things in perspective. Yes, organizations are pressured to develop a vendor risk management program by regulatory requirements, but it’s more than that. It’s simply the right thing to do. Organizations owe it to their customers to make sure that the information they provide is secure, by mitigating risk as best they can and putting themselves in a defensible position. This is the primary goal of vendor risk management.
To put your goals into action and get an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!