BLOG

How to Conduct a Vendor Risk Assessment [5 Step Checklist]

06/12/2018

Organizations conduct due diligence on their third-party ecosystem, but to truly protect themselves they must also perform regular vendor risk assessments so that vendors are properly managed and monitored over time. Not only do organizations audit their vendors, but standards and regulations often require audits of the company's own vendor management program. Organizations therefore need efficient vendor risk management audit processes, built around assessments, that support complete and secure third-party vendor management.

What Is Vendor Risk Assessment?

A vendor risk assessment is the process of identifying and evaluating the potential risks that stem from a vendor's operations. It surfaces hidden risks that might otherwise be overlooked during M&A or vendor onboarding. Vendor risks include those related to compliance, reputation, finances, operations, and strategy, as well as to the organization's cybersecurity. Performing a vendor risk assessment is part of the due diligence process and ensures that your business does not begin working with a vendor that could harm business operations.

When to Perform a Vendor Risk Assessment

An organization should not engage with a third-party vendor until it has performed a vendor risk assessment. Only once the assessment has been conducted and the vendor approved can the third party be considered safe to work with. The business should then perform risk assessments on an ongoing basis and run additional checks when red flags occur, such as a data breach report or a sudden drop in the vendor's security rating. Regular assessments help maintain business standards and provide visibility into vendor security. In our opinion, the more frequent, the better.

How to Conduct a Vendor Risk Assessment and Audit in 5 Steps

Here are the steps your business should follow when conducting a vendor risk assessment and auditing vendor risks. Use this as a checklist to ensure you’ve covered all of your bases.

Step 1: Assess vendor risks

Internal audit managers know that assessing a vendor's risk starts with a vendor management audit, and a successful audit starts with an audit trail. The operating model (the living documents that guide the process) includes vendor categorization and concentration, derived from a risk assessment that follows an approved methodology. Organizations must then add ongoing vendor report reviews that provide governance throughout the vendor lifecycle.

Additionally, businesses should evaluate the different risks associated with third-party vendors within their audit.

Identify Types of Vendor Risk

__ Cybersecurity Risks

__ Operational Risks

__ Compliance Risks

__ Reputational Risks

__ Financial Risks

__ Strategic Risks

Step 2: Create vendor risk assessment framework

Before reviewing third-party vendors or establishing an operating model, companies need to create a vendor risk assessment framework and a methodology for categorizing their business partners. This includes aligning business objectives with vendor services and articulating the underlying logic to senior management and the Board of Directors.

When auditors review risk assessments, they need documentation proving the evaluative process as well as Board oversight. For example, organizations choosing a software vendor for their quality management system need to establish risk tolerances. As part of the risk assessment methodology, the auditor will review the vendor categorization and concentration.

Risk Assessment Qualitative Documentation

__ Vendors are categorized by service type

__ Access needed to internal data

__ Nature of data categorized by risk (client confidential, private data, corporate financial, identifiers, passwords)

__ Data and information security expectations

Risk Assessment Quantitative Documentation

__ Financial solvency baselines

__ Contract size

__ Beneficial owners of third-party’s business

__ Location of headquarters

__ IT Security Ratings

Step 3: Manage the vendor lifecycle

Traditionally, vendor lifecycle management incorporates five primary categories: qualifying, engagement, managing delivery, managing finances, and relationship termination. As data breach risk increases, however, companies need to add information security review as a sixth category in the lifecycle. Due diligence during the qualification step already covers information security management, but threats evolve continuously, so organizations need to review information security over the entire lifecycle rather than at a single point in time.

Before documenting activities, companies need to plan their supplier relationship management process from start to finish. As regards the audit, companies need to ensure that their supplier relationship management policies, procedures, and processes address each step in the lifecycle.

Qualifying

__ Process for obtaining and determining cybersecurity insurance, bonding, and business license documentation

__ Benchmarks for reviewing financial records and analyzing financial stability

__ Review process for staff training and licensing

__ Benchmarks for evaluating IT assets

Engagement

__ Contracts include a statement of work, delivery date, payment schedule, and information security requirements

Information Security Management

__ Baseline identity access management within the vendor organization

__ Baseline privileged access management for the vendor

Managing Delivery

__ Scheduling deliverables

__ Scheduling receivables

__ Organization defines stakeholders responsible for working with the vendor

__ Establishing physical access requirements

__ Defining system access requirements

Managing Finances

__ Establish invoice schedule

__ Establish payment mechanism

Terminating Relationship

__ Revoking physical access

__ Revoking system access

__ Definitions of causes for contract/relationship termination


Step 4: Create a vendor risk management plan

Creating a risk management plan primarily means writing the policies, procedures, and processes that guide vendor management. These documents act as the skeleton for any third-party management program and for its assessment.

Vendor Risk Management Policy

__ Does it include human resources security?

__ Does it discuss physical and environmental security?

__ Does it establish baseline requirements for network and system security?

__ Does it establish baseline requirements for data security?

__ Does it establish baseline requirements for access control?

__ Does it establish baseline requirements for IT acquisition and maintenance?

__ Does it require vendors to document their vendor management program?

__ Does it define the vendor’s incident response management responsibilities?

__ Does it define the vendor’s business continuity and disaster recovery responsibilities?

__ Does it outline the vendor compliance requirements?

Procedures

__ Is there a workflow for engaging in vendor management review?

__ Does the organization designate a stakeholder to track vendors, relationships, subsidiaries, documents, and contacts?

__ Does the organization designate a stakeholder responsible for vendor due diligence?

__ Does the organization designate a stakeholder who delivers and collects surveys and risk assessments?

__ Does the organization designate a stakeholder to manage contract review and renewal?

__ Does the organization outline a process for coordinating with legal, procurement, compliance, and other departments when hiring and managing a vendor?

__ Does the organization outline metrics and reports needed to review vendors?

Step 5: Stay up-to-date with ongoing governance

Vendor report reviews are one part of ongoing vendor management governance. Demonstrating continuous monitoring to an auditor means showing that you regularly review the reports and questionnaires in which vendors attest to their security, and that you act on what they reveal.

Vendor Report Documentation

__ Audit Reports (SOC audits, ISO audits)

__ Security questionnaires

__ Financial reports

__ Financial controls documentation

__ Operational controls documentation

__ Compliance controls documentation

__ Data breach reports

__ Access control management documentation

__ Control change management documentation
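The categorization in Step 2 and the ongoing governance in Step 5 can be made mechanical: each vendor's checklist attributes (data classes accessed, access level, contract size, security rating) produce an inherent-risk tier, the tier sets a review cadence and a minimum acceptable rating, and a rating feed is checked against that tolerance to trigger out-of-cycle reviews. The following Python is an added illustration written for this post; it is not SecurityScorecard's own tooling or scoring methodology, and the sensitivity weights, tier thresholds, review intervals, and sample vendors are assumptions chosen for the example.

```python
"""Vendor tiering and ongoing-monitoring example.

Added illustration, not SecurityScorecard's code or rating methodology.
All weights, thresholds, intervals and sample data below are assumptions.
"""
from dataclasses import dataclass

# Data classes named in the Step 2 checklist, with an assumed sensitivity weight.
DATA_SENSITIVITY = {
    "public": 0,
    "corporate_financial": 2,
    "client_confidential": 3,
    "private_data": 3,
    "identifiers": 3,
    "passwords": 4,
}

# Assumed weight for the level of access the vendor has to internal systems.
ACCESS_WEIGHT = {"none": 0, "read": 1, "write": 2, "privileged": 3}

# Letter grades A-F mapped to a number so they can be compared.
GRADE_SCORE = {"A": 5, "B": 4, "C": 3, "D": 2, "F": 1}

# Assumed policy: tier -> (minimum acceptable grade, review interval in days).
TIER_POLICY = {
    "critical": ("B", 30),
    "high": ("C", 90),
    "medium": ("C", 180),
    "low": ("D", 365),
}


@dataclass
class Vendor:
    name: str
    service_type: str
    data_classes: list
    access_level: str
    contract_size_usd: float
    hq_country: str
    rating: str


def inherent_risk_score(v: Vendor) -> int:
    """Inherent risk: what the vendor could expose, independent of its controls (0..9)."""
    data = max((DATA_SENSITIVITY[d] for d in v.data_classes), default=0)
    access = ACCESS_WEIGHT[v.access_level]
    # Contract size is used as a proxy for operational and financial concentration.
    if v.contract_size_usd >= 1_000_000:
        size = 2
    elif v.contract_size_usd >= 100_000:
        size = 1
    else:
        size = 0
    return data + access + size


def tier(v: Vendor) -> str:
    s = inherent_risk_score(v)
    if s >= 7:
        return "critical"
    if s >= 5:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def review_interval_days(v: Vendor) -> int:
    return TIER_POLICY[tier(v)][1]


def meets_tolerance(v: Vendor, grade: str = None) -> bool:
    """True if the vendor's (current or proposed) grade meets its tier's minimum."""
    grade = grade or v.rating
    min_grade = TIER_POLICY[tier(v)][0]
    return GRADE_SCORE[grade] >= GRADE_SCORE[min_grade]


def flag_rating_changes(vendors, new_ratings):
    """Ongoing governance: return (name, tier, new_grade) for vendors that need an
    out-of-cycle review, i.e. the new grade is below the tier's tolerance or the
    grade dropped by two or more steps. Does not mutate the vendor records."""
    flags = []
    for v in vendors:
        new = new_ratings.get(v.name)
        if new is None:
            continue
        dropped = GRADE_SCORE[v.rating] - GRADE_SCORE[new] >= 2
        if not meets_tolerance(v, new) or dropped:
            flags.append((v.name, tier(v), new))
    return flags


# Constructed sample inventory (fictional vendors, assumed attributes).
SAMPLE_VENDORS = [
    Vendor("PayrollCo", "payroll", ["identifiers", "corporate_financial"],
           "privileged", 1_500_000, "US", "A"),
    Vendor("CDN Inc", "cdn", ["public"], "none", 50_000, "US", "B"),
    Vendor("Analytics LLC", "analytics", ["private_data"], "read", 200_000, "IE", "C"),
]

# Constructed rating feed for the next review cycle.
SAMPLE_NEW_RATINGS = {"PayrollCo": "C", "Analytics LLC": "B", "CDN Inc": "F"}


def run_example():
    return flag_rating_changes(SAMPLE_VENDORS, SAMPLE_NEW_RATINGS)


if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: tier={tier(v)} review every {review_interval_days(v)} days")
    print("needs review:", run_example())
```

The separation matters for the audit trail: the tier comes only from inherent-risk attributes the auditor can check against the Step 2 documentation, while the rating feed changes the review schedule without changing the tier, so a vendor cannot drift out of "critical" merely because its score improved.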

How SecurityScorecard enables better VRM audit and assessment outcomes

Creating an audit trail requires extensive documentation. As vendors become more integral to business operations, companies need to focus on building streamlined documentation processes that enable efficient governance.

In today's world, information security affects several areas of vendor management for which audits require documentation. A poor information security program leaves a vendor exposed to data breaches that damage its financial stability, which is itself an integral part of risk evaluation and qualification. A vendor's weak authorization management also affects its upstream clients, because it lets insiders at the vendor access the client's systems and databases inappropriately. Vendors must monitor their own downstream suppliers, but supply chain risk arises whenever an upstream company trusts without verifying.

Organizations can use SecurityScorecard’s platform to create an audit trail for their vendor management program in several ways.

  1. Use quantitative benchmarks – First, as part of the risk assessment analysis, companies can use quantitative benchmarks for reviewing vendors. Companies can document a vendor's security rating, relate it to their risk tolerance, and use it as a quantitative metric that links to both data controls and financial stability. Additionally, the easy-to-digest grades of A through F ease the pain of explaining risks to the Board and support proper oversight documentation.
  2. Access the same information – Second, SecurityScorecard's SaaS platform allows multiple stakeholders to access the same information. For example, the payroll department focuses on a vendor meeting PCI compliance requirements while the legal department focuses on Sarbanes-Oxley compliance. A shared vocabulary eases the burden of documenting stakeholder responsibilities across the enterprise.
  3. Identify leaked data – Third, SecurityScorecard identifies leaked credentials and factors related to social engineering that provide insight into the effectiveness of a vendor's employee security awareness training. Training documentation shows that the vendor provided the education; SecurityScorecard provides insight into how well employees apply it.
  4. Track security rating changes – Fourth, with SecurityScorecard companies can define cohorts that group vendors and track security rating changes within each group. This functionality provides documentation supporting the categorization and classification of vendors when an auditor reviews a risk assessment methodology.
  5. Verify reports – Fifth, cybersecurity ratings allow companies to verify the reports and questionnaires that vendors provide. For example, a SaaS vendor can submit a SOC 2 report attesting to its controls, but that attestation covers only the audit window (a point in time for a Type I report, a review period for a Type II report). Threats evolve, and controls fail after the auditor leaves. SecurityScorecard's ratings incorporate network security, DNS health, patching cadence, endpoint security, IP reputation, and web application security. Since our threat reconnaissance capabilities continuously monitor the IT ecosystem, we update our security ratings regularly. Tracking vendors in the platform therefore lets organizations verify, between audits, the trust they place in their vendors.

Companies know how to manage their vendor risks; documenting the vendor management process can be harder. With SecurityScorecard, organizations can streamline both by documenting as they manage.

SecurityScorecard
Tower 49
12 E 49th St
Suite 15-100
New York, NY 10017

United States: (800) 682-1701
International: +1(646) 809-2166