Posted on Oct 22, 2015
Two facts have radically transformed vendor risk management and the need for template use in just the past few years:
“We want a level playing field in assessing vendors,” said the CIO at a large East Coast credit union. His institution, which depends heavily on third-party vendors for its technology solutions, wants, as a matter of policy, to ally only with the highest-rated vendors, the ones who add the least risk to the equation.
But the question is: How to level that playing field, in a time efficient and fair way, so that the best vendors are chosen? Templates and questionnaires are needed.
Understand, first, many companies continue to lag when it comes to third party assessments. Some, according to multiple security consultants, still do not ask to see even basic reporting, such as standardized penetration testing.
“I can count on one hand the clients who have asked to see our test results,” said a Maryland security consultant, who asked for anonymity to spare his client's embarrassment.
But, little by little, that indifference is evaporating. A big factor is that templates, based on frameworks such as the ISO/IEC 27000 family of standards, the OCC guidelines, and others, are playing an ever bigger role in vendor risk management.
There are two obvious pluses to templates. First, they speed up the assessment process. There is no need to reinvent the vendor risk wheel. For the executive who complains that he or she does not have the time to do proper assessments, templates are the answer. Secondly, templates truly help ensure that every vendor is held to the same set of standards and frameworks.
The right template can be crafted to assure compliance with regulatory requirements.
“Templates provide a standardized method for completing supplier risk assessments to ensure compliance,” said Craig Nelson, a Managing Director at Alsbridge, a global consulting firm.
A well-crafted template, usually provided by an experienced third party risk assessment expert, helps provide assurance that the assessment is in fact on target and thorough. The key question is: Are you collecting the right data about this vendor? With a template, the answer should be an unequivocal yes.
A well-constructed template also digs into key issues, such as:
These are simple, straightforward concerns, but the answers really do matter. In many cases, this part of the assessment readily lends itself to automation.
Do you trust a vendor that runs XP on all its systems, browses with an unpatched Internet Explorer 7, and has not applied an Adobe or Java patch in three years?
Tip for SecurityScorecard Customers: Type a website address into the platform to retrieve detailed security-risk information instantly, without intruding on a vendor’s systems.
A template also keeps important issues from being overlooked in the crush of business. For instance, it might be easy to shrug off questions about how your vendors handle their own vendors, but a good template will insist on answers. A template keeps us on course, and that is why templates have become indispensable in most vendor risk management approaches.
Is a template the final answer? No. A template provides a running head start. It also establishes the baseline for going forward, so all vendors are judged by roughly the same set of criteria.
But, understand, a template is still only a baseline. A Word template for writing a screenplay will not guarantee an Oscar for your mantle. An Excel template for an expense report does not guarantee the document will be accepted by your bosses on one hand or the IRS on the other.
To have real confidence in the level of security a template affords, the template must be applied thoughtfully and with a determination to portray the facts of the situation honestly. A template does not do your thinking for you or do your research. It only points to where the answers should be sought.
With attackers finding new ways to compromise third parties in hopes of reaching a larger organization through them, the third-party ecosystem is more fragile than ever before.
The purpose of an IT risk assessment is to determine security risks to your company’s critical assets, and how much funding and effort should be used in their protection. Get started with SecurityScorecard’s step-by-step guide to managing your cyber risk.