5 Vendor Management Policy Best Practices

By Phoebe Fasulo

Posted on Oct 26, 2020

Vendors are a critical piece of most organizations' businesses. Vendors, particularly cloud-based services, help companies deliver services, streamline their business processes, and scale their operations quickly and efficiently.

With reliance on vendors, however, comes risk. Data breaches caused by third parties are more difficult to control, predict, or prevent than those that occur in-house, and they are also more expensive. Ponemon's latest Cost of a Data Breach report once again found third parties to be a cost amplifier when it comes to data breaches: if a third party is involved in a data breach, that breach costs an average of $207,411 more than the $3.86 million average cost of a data breach.

That sort of risk has meant that organizations look to vendor risk management (VRM) as a vital risk mitigation strategy. Managing vendor risk, however, can be overwhelming: organizations often work with many vendors and other third parties, and verifying every vendor's controls can be a difficult task.

To make vendor risk management programs easier to manage, companies need a clear and comprehensive vendor management policy. This policy should identify your riskiest vendors, define controls to minimize that risk, and act as a strong foundation for your vendor risk management strategy.

Best practices for defining your vendor risk management policy

It's important to remember that your vendors are an extension of your enterprise. That's why they're a risk: some vendors have access to data and networks you don't want exposed. As you create your vendor risk management policy, know that you'll be following some of the same processes you followed when you wrote your own cybersecurity policies.

1. Know who your vendors are

You may have some idea of who your vendors are, but it is important to know exactly who all your vendors are if you're going to be monitoring them. This will mean going to each department and asking for a list of their vendors, because some departments may own relationships the rest of the organization isn't aware of. Make sure you obtain as complete a list as possible.

2. Know which vendors pose the most risk

When it comes to risk management, not all vendors are created equal. When you're compiling your list of vendors, you'll want to do more than find out who they are. You'll also need to know what data, networks, software, and devices each vendor is able to access. Vendors who don't have access to sensitive data or systems are low-risk; if they're attacked, you're unlikely to suffer a breach. Your cloud provider, however, is high-risk: if they experience a data incident, your data is at risk.

3. Set controls

Once you've identified the risks, you can set controls and metrics for the vendors that pose the greatest risk to your data. You can do this by defining the sorts of controls that you'll require your vendors to use, and incorporating these controls into your policy and into contracts with any new vendors. You'll also want to choose metrics that will help you measure your vendors' compliance with these controls, such as time to install a security patch or time to detect a breach.

4. Continuously monitor

You've set controls and metrics for your vendors, but how can you actually tell how long it's taken for them to install a patch or detect a breach? Continuous monitoring using a platform that monitors risk, such as security ratings, allows you to monitor the cyberhealth of your vendors in real time, without having to rely on the snapshots provided by static forms of monitoring, like questionnaires.

5. Know the difference between vendors and other third parties

When we're talking about cybersecurity and breaches, the phrases "third party" and "vendor" are used interchangeably. There are, however, differences between the two. Vendors, for example, sell goods and services. They can be an individual (a freelancer, for example) or an organization (a business). Third parties are not individuals. They're business entities that provide mission-critical goods and services to an organization or its customers. Those differences matter because the controls you'd impose on an individual contractor are different from the ones you'd impose on a major channel partner, and the risks themselves are different.

How SecurityScorecard can help

Managing third-party relationships, particularly monitoring them, can be an onerous administrative task. A tool that automates parts of the process can free up your team for higher-level tasks and make your organization safer.

Our intelligent tool, Atlas, uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organization can upload its vendors' responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform's own analytics, verifying vendor responses almost immediately, so you don't have to devote personnel time to sending and chasing down questionnaires.

SecurityScorecard's easy-to-read Security Ratings, based on an A-F scale, enable you to align your security priorities with the metrics you've set up for your vendors. If they fall out of compliance, you'll know as soon as it happens.
