Posted on Jun 12, 2018
Organizations conduct due diligence into the third-party ecosystem but to truly protect themselves, they must perform regular vendor risk assessments to ensure vendors are properly managed and monitored over time. Not only do organizations audit their vendors, but standards and regulations often require audits of the company's vendor management program. Organizations need efficient vendor risk management audit processes that feature assessments that allow for complete and secure third-party vendor management.
A vendor risk assessment is the process of identifying and evaluating the potential risks that stem from a vendor's operations. It surfaces hidden risks that may otherwise have been overlooked during M&A or vendor onboarding. Vendor risks include those related to compliance, reputation, finances, operations, and strategy, as well as the organization's own cybersecurity. Performing a vendor risk assessment is part of the due diligence process and helps ensure that your business does not engage a vendor that could harm business operations.
An organization should not engage a third-party vendor until it has performed a vendor risk assessment. Once the assessment has been conducted and the vendor is approved, the third party can be deemed safe to work with. The business should then perform risk assessments on an ongoing basis and run additional checks whenever red flags occur. Regular assessments help maintain business standards and provide visibility into vendor security. In our opinion, the more frequent, the better.
Here are the steps your business should follow when conducting a vendor risk assessment and auditing vendor risks. Use this as a checklist to ensure you’ve covered all of your bases.
Internal audit managers know that in order to assess a vendor’s risk, they must perform a vendor management audit. Successful audits begin by establishing an audit trail. The operating model, or living documents that guide the process, includes vendor categorization and concentration based on a risk assessment that uses an approved methodology. Next, organizations must supply vendor report reviews providing ongoing governance throughout the vendor lifecycle.
Additionally, businesses should evaluate the different risks associated with third-party vendors within their audit.
__ Cybersecurity Risks
__ Operational Risks
__ Compliance Risks
__ Reputational Risks
__ Financial Risks
__ Strategic Risks
Before reviewing third-party vendors or establishing an operating model, companies need to create a vendor risk assessment framework and methodology for categorizing their business partners. This process includes aligning business objectives with vendor services and articulating the underlying logic to senior management and the Board of Directors.
When auditors review risk assessments, they need documentation proving the evaluative process as well as Board oversight. For example, organizations choosing a software vendor for their quality management system need to establish risk tolerances. As part of the risk assessment methodology, the auditor will review the vendor categorization and concentration.
__ Vendors are categorized by service type
__ Access needed to internal data
__ Nature of data categorized by risk (client confidential, private data, corporate financial, identifiers, passwords)
__ Data and information security expectations
__ Financial solvency baselines
__ Contract size
__ Beneficial owners of the third party's business
__ Location of headquarters
__ IT Security Ratings
Traditionally, vendor lifecycle management incorporates five primary categories: qualifying, engagement, managing delivery, managing finances, and relationship termination. However, as data breach risk increases, companies need to add reviewing information security as a sixth category in the lifecycle. Due diligence during the qualification step already incorporates information security management, but threats evolve continuously, so organizations need to review information security over the entire lifecycle rather than at a single point in time.
Before documenting activities, companies need to plan their supplier relationship management process from start to finish. For audit purposes, companies need to ensure that their supplier relationship management policies, procedures, and processes address each step in the lifecycle.
__ Process for obtaining and determining cybersecurity insurance, bonding, and business license documentation
__ Benchmarks for reviewing financial records and analyzing financial stability
__ Review process for staff training and licensing
__ Benchmarks for evaluating IT assets
__ Contracts include a statement of work, delivery date, payment schedule, and information security requirements
__ Baseline identity access management within the vendor organization
__ Baseline privileged access management for the vendor
__ Scheduling deliverables
__ Scheduling receivables
__ Organization defines stakeholders responsible for working with the vendor
__ Establishing physical access requirements
__ Defining system access requirements
__ Establish invoice schedule
__ Establish payment mechanism
__ Revoking physical access
__ Revoking system access
__ Definitions of causes for contract/relationship termination
Creating a risk management plan primarily means writing the policies, procedures, and processes that guide vendor management. These documents act as the skeleton for any third-party management program as well as for the assessment itself.
__ Does it include human resources security?
__ Does it discuss physical and environmental security?
__ Does it establish baseline requirements for network and system security?
__ Does it establish baseline requirements for data security?
__ Does it establish baseline requirements for access control?
__ Does it establish baseline requirements for IT acquisition and maintenance?
__ Does it require vendors to document their vendor management program?
__ Does it define the vendor's incident response management responsibilities?
__ Does it define the vendor's business continuity and disaster recovery responsibilities?
__ Does it outline the vendor compliance requirements?
__ Is there a workflow for engaging in vendor management review?
__ Does the organization designate a stakeholder to track vendors, relationships, subsidiaries, documents, and contacts?
__ Does the organization designate a stakeholder responsible for vendor due diligence?
__ Does the organization designate a stakeholder who delivers and collects surveys and risk assessments?
__ Does the organization designate a stakeholder to manage contract review and renewal?
__ Does the organization outline a process for coordinating with legal, procurement, compliance, and other departments when hiring and managing a vendor?
__ Does the organization outline metrics and reports needed to review vendors?
Vendor report reviews are one part of ongoing vendor management governance. Demonstrating continuous monitoring means reviewing the reports and questionnaires that attest to the vendor's security posture.
__ Audit Reports (SOC audits, ISO audits)
__ Security questionnaires
__ Financial reports
__ Financial controls documentation
__ Operational controls documentation
__ Compliance controls documentation
__ Data breach reports
__ Access control management documentation
__ Control change management documentation
Creating an audit trail requires extensive documentation. As vendors become more integral to business operations, companies need to focus on building streamlined documentation processes that enable efficient governance.
In today's world, information security impacts several areas of vendor management for which audits require documentation. Poor information security programs leave vendors at risk of data breaches that undermine their financial stability, an integral part of risk evaluation and qualification. Weak authorization management at a vendor also affects its upstream clients, because it exposes them to the risk of vendor insiders inappropriately accessing systems and databases. Vendors must monitor their own downstream suppliers, and supply chain risk arises whenever upstream companies trust without verifying.
Organizations can use SecurityScorecard's platform to create an audit trail for their vendor management program in several ways.
Companies know how to manage their vendor risks. Documenting the supply management process can be more difficult. With SecurityScorecard, organizations can streamline both processes by documenting as they manage.