Vendor Risk Management Policy & Why You Need One

Posted on Jul 3, 2018

While many organizations have an internal security policy in place, they often lack a clear understanding the inherent risks third-party vendors pose, which often come with IT security concerns of their own. The first step to creating a vendor management program is establishing the policy that formalizes your risks and controls to ensure consistency. Since your policy establishes the written basis of your program, the steps will feel familiar.

Setting up a Vendor Risk Management Policy:

  • Catalogue the third-party vendors your organization uses.
  • Conduct a thorough assessment of the risks posed by third parties. This should include risk scoring and classification
  • Organize and consolidate your existing third-party profiles.
  • Review and define your procedures for monitoring third parties.
  • Continuously monitor vendor activity once your risk management policy is in place.
  • Remedy any IT security gaps in your third-party vendors.

Catalogue Your Vendors

The first step of an effective vendor management policy is asking “who are my business third and fourth party business partners?” This step involves creating a list of all your vendors, including every third-party vendor, contractor, and even their partnerships and third-party vendors. Vendors are a service asset, so the same way that you catalog your systems and networks, you need to put together a list of your vendors. This list helps you focus on the risks to your ecosystem. Starting with the “who” of a vendor management process then allows you to move to the “what.”

Clearly Identify the Risks

Once the list is created, there are two important classifications for each vendor. The next question to ask yourself is “what access do vendors have?”

  1. Whether or not a vendor has direct access to your network.
  2. The level of access vendors need to have to your sensitive data.

Different vendor access poses different risk and requires different data protections.  Key points to consider are the services provided, a vendor’s access to internal data, and the data involved such as confidential client data, passwords, and personally identifying information.

Not all vendors require the same system, network, and data access. A healthcare plan that works with your human resources department accesses different information than your marketing management system. The information and networks vendors need to do their work  define the level of criticality and impact. These, in turn, define the risk.

Security Scorecard enables you to review the risks that third party information security partners pose to your information. Our ratings align with traditional grading systems. An A rating indicates a strong security posture, while an F rating indicates a weak security posture. Therefore, our security ratings offer a concrete metric to identify those vendors whose activities can harm your organization.

Organize and Consolidate Your Third-Party Profiles

Once you determine the risk your vendors pose, you will notice that they fall into a variety of risk categories. These categories define the controls you put in place to mitigate the risks. For example, a system or network access control might include role-based access controls. Vendors accessing personal health data or personally identifying information must be better secured than those accessing publicly available information or not accessing systems at all.

By aggregating third party service providers into role base profiles, you can better organize the controls that apply to them. Security Scorecard offers you the ability to group vendors by profile within the system. You can organize them in a variety of ways to meet your policy’s needs, including by impact to your company. This allows you to see trends across your ecosystem.

Review and Define Monitoring Procedures

Now that you reviewed the risks your vendors pose, you need to establish procedures for continuous and ongoing monitoring, onboarding third parties, procedures for termination, and oversight. Vendor risk management policies start with the risks posed and end with the action items that protect your company from those risks. For example, if you are a retail organization using a payment processing system that experiences a data breach, your business may go bankrupt. Your vendor risk management policy procedures start with trusting vendors but ultimately require verifying them.

Your vendor management policy should incorporate a discussion of:

  • Service Level Agreements
  • Vendor compliance standards
  • Acceptable vendor controls
  • Vendor liability in the event of a data breach
  • Vendor review (SOC 1/2/3 reports, site visits, audits)
  • Termination of contract for noncompliance with security standards
  • Board and Senior Management oversight requirements

Continuously Monitor You Vendor Ecosystem

Vendor management requires continuous monitoring and oversight. Your policy needs to discuss how you plan to do this. Historically, organizations use audits to assess a vendor’s stability. Organizations collected documentation that showed the effectiveness of their controls during a point-in-time or period-in-time. These insights help alleviate concerns, but hackers do not limit themselves to a period of time. They evolve and attack continuously.

Therefore, part of a good vendor risk management policy incorporates continuous monitoring beyond audits. Machine learning and big data provide insights into your vendor’s information security profile. SecurityScorecard’s security ratings review organizations from the outside to see how well they can protect themselves. Our proprietary algorithm, ThreatMarket, incorporates ten factors that predict a secure data environment. For example, by scanning publicly available data, ThreatMarket can determine whether an organization maintains software updates. If they do not, then they place their company at risk of a breach for known software vulnerabilities. Since our security ratings constantly scan the internet, you can track vendor health.

Mitigate Third-Party Risks

Finally, your policy needs to address how you plan to mitigate a vendor risk when you find an IT security gap. Once you detect a vendor whose security posture puts you at risk, you need to establish steps that mitigate that risk. Action items can include contacting the vendor, monitoring their remediation process, and, in the extreme, terminating the relationship. Once you notify a vendor that they pose a risk to your security, you need to refer back to the trust but verify method. You can trust that they will close their IT gap, but you need to verify their success.

SecurityScorecard enables remediation monitoring by allowing to track the vendor’s security ratings. Since we continuously scan the external threats to environments, we can update a security rating to reflect the effect remediation steps have on the environment. You can use these ratings, therefore, as metrics by which your policy determines remediation success or failure.

A vendor risk management policy only establishes your organization’s goals. Now, you have to find a way to enact this policy within the organization. With SecurityScorecard’s easy-to-digest vendor ratings, you’ll gain invaluable insights into the potential risk of third-party vendors and, by continuously monitoring your vendors, prevent cybersecurity attacks before they become problems.

The Risk of Going Without a Vendor Risk Management Policy:

  • If you’re in a regulated industry, such as finance or healthcare, you could be out of compliance and even risk financial penalties.
  • Third-party vendors often have access to your sensitive data, which makes you an easy target for attackers to exploit.
  • Worse, many organizations lack insight into the IT security vulnerabilities posed by their third-party vendors, which makes you extremely vulnerable to attack.
  • Simply put, if you don’t have a vendor risk management policy in place, you’re putting the health of your organization in jeopardy. Some of the top data breaches grabbing headlines today were due to negligence by third-party vendors.

While creating and maintaining an effective vendor risk management policy takes a substantial amount of hard work and effort, the threat to your organization is very real. To mitigate the risks third-party vendors pose, you must audit and continuously monitor their activities. Failure to do so could cost your organization.

Security Research in your Inbox

Thanks for siging up for the newsletter!

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!