Vendor Risk & Best Practices to Mitigate Security Vulnerabilities

by ITECHNEWS
March 15, 2022
in Leading Stories, Opinion
Any organization that hires vendors to support their business should evaluate and monitor each provider for risks and security vulnerabilities that could result in a cyber attack or theft of their critical business data. In this article, we’ll help explain why vendor risk management is so important, identify the various types of vendor risks to evaluate, and recommend best practices to manage and mitigate vendor risk.
Many organizations outsource parts of their business operations to third parties to improve efficiency and lower their operating costs. Outsourcing often requires sharing sensitive data with the vendor. Vendors may gain access to personally identifiable information (PII) that may include client information, financial data, employee healthcare records, and sometimes even intellectual property. Every organization employing third-party vendors should develop a strategy and take steps to safeguard their data against cybersecurity and privacy risks.
Consider vendor risk management an essential element of your company’s cybersecurity plan. Events such as the SolarWinds hack demonstrated that hackers will exploit one company’s vulnerability to reach its larger customer base and cause a high-profile breach that’s covered by national news organizations. Hackers can inflict tremendous pain if they take advantage of a vulnerability like the one in Log4j before it’s discovered or patched.

What is Vendor Risk Management?

Vendor Risk Management is the process of identifying each vendor’s risk profile and managing that risk with appropriate measures.

For each vendor relationship, the roles and responsibilities of each party are usually captured in contracts or other legal documents. While reviewing and selecting new vendors, your IT security team should participate in that process by assessing and documenting that vendor’s risk. Once the risks are clarified, the IT security team can develop strategies, plans, and technologies to reduce risk and respond to security events that might occur.

A thorough vendor risk management system allows an organization to develop a risk ranking for each vendor that it uses and to document each vendor’s data security practices. Part of ranking each vendor includes documenting how the vendor fits into your company’s overall business continuity plan. Vendor risk is assessed against standards like NIST, ISO, CAIQ, VSA, and others, and the assessment identifies and documents how your data is handled through the entire data lifecycle.

Types of Vendor Risk

Different risks to look for with your vendors include:

Governance Risk – Before signing a contract, you will want proof that your prospective new vendor has strong governance in place along with documented processes, policies, and procedures.

Compliance Risk – Depending upon your industry and the data you handle in the conduct of your business, common regulations your vendor may also need to comply with include GDPR, PCI DSS, and HIPAA. The health sector must comply with HIPAA, while GDPR is the privacy regulation that applies if you have clients in Europe. PCI requirements apply to merchants accepting and processing credit cards. Non-compliance by vendors not only reduces the trust you have in them, but also violates applicable laws and regulations. Your company may end up paying hefty penalties if a vendor compromises your business data.

Technology Risk – You need to make sure the vendor has the necessary security tools and technology to manage and remediate risk. You will want to be confident that the vendor you choose can identify and promptly report any security incidents to you. Your vendor should participate in your business continuity tabletop tests, conduct full failovers, and be able to continuously monitor and respond to cybersecurity threats.

Other Risks – Beyond evaluating your vendor’s security risks, you’ll also want to check that they are properly insured and follow sound business practices. A poorly selected vendor could subject your company to reputational risk. Companies that get news coverage because hackers stole confidential data are well remembered by anyone whose personal data was accessed during that breach.


 

Best Practices for Vendor Risk Management

Once you identify the potential risks related to vendor management, the next step is to work on mitigating them. Best practices for vendor risk management include:

Due Diligence – Just as due diligence is conducted when one company acquires another, you should conduct due diligence for every prospective new vendor. Doing this enables you to delve into the details of your vendor’s IT structure and cybersecurity program.

Documented Privacy Policy – It is wise to have a well-documented privacy policy before you start outsourcing operations to third-party vendors. Create a program to document your vendors’ cybersecurity compliance and privacy policies, and monitor their compliance with them regularly.

Vendor Questionnaire & Risk Assessments – Develop a written survey to provide a repeatable method to assess vendor risks. Carefully design the questionnaire so that it assesses the various risks listed above.

Risk Register – Create a risk register to manage and monitor the risks of all your vendors against standards like CAIQ, VSA, SIG, etc. To make the risk assessment more effective, organizations must align the risk threshold with their evaluation measures.

Ongoing Vulnerability Assessments – Testing your vendors’ applications, code, and networks for vulnerabilities is important. The vendor should share pen testing reports, remediations, and plans of action and milestones with you, since you are ultimately responsible for the sensitive data of your clients and employees that you store and process.

Continuously monitor your vendor’s network, cloud, endpoints, and DevOps environments to identify and resolve risks faster. Monitoring every possible access point would be the best practice if you have the resources.

Ongoing auditing and testing of your vendors’ networks, applications, and policies is the best way to detect and respond to cyber threats.

Conclusion

You are responsible for the personally identifiable customer (and employee) information that your business stores. Applying the best practices discussed above can help strengthen your company’s vendor risk program and help you use a consistent approach to analyze and onboard each new vendor.

Source: Karunakar Goud
Via: Security Boulevard
Tags: Mitigate Security Vulnerabilities