Posted on Jul 3, 2018
While many organizations have an internal security policy in place, they often lack a clear understanding of the inherent risks third-party vendors pose, since those vendors come with IT security concerns of their own. The first step in creating a vendor management program is establishing the policy that formalizes your risks and controls so they are applied consistently. Since your policy establishes the written basis of your program, the steps will feel familiar.
Setting up a Vendor Risk Management Policy:
The first step of an effective vendor management policy is asking "who are my third- and fourth-party business partners?" This step involves creating a list of all your vendors, including every third-party vendor and contractor, and even their own partners and subcontractors (your fourth parties). Vendors are a service asset, so just as you catalog your systems and networks, you need to put together a list of your vendors. This list helps you focus on the risks to your ecosystem. Starting with the "who" of a vendor management process then allows you to move to the "what."
Once the list is created, there are two important classifications to make for each vendor. The next question to ask yourself is "what access do vendors have?"
Different levels of vendor access pose different risks and require different data protections. Key points to consider are the services provided, a vendor's access to internal data, and the kinds of data involved, such as confidential client data, passwords, and personally identifying information.
Not all vendors require the same system, network, and data access. A healthcare plan that works with your human resources department accesses different information than your marketing management system. The information and networks vendors need to do their work define the level of criticality and impact. These, in turn, define the risk.
SecurityScorecard enables you to review the risks that third-party partners pose to your information. Our ratings align with traditional grading systems: an A rating indicates a strong security posture, while an F rating indicates a weak security posture. Our security ratings therefore offer a concrete metric for identifying those vendors whose activities can harm your organization.
Once you determine the risk your vendors pose, you will notice that they fall into a variety of risk categories. These categories define the controls you put in place to mitigate the risks. For example, a system or network access control might include role-based access controls. Vendors accessing personal health data or personally identifying information must be secured more tightly than those accessing only publicly available information or not accessing your systems at all.
By aggregating third-party service providers into role-based profiles, you can better organize the controls that apply to them. SecurityScorecard lets you group vendors by profile within the system. You can organize them in a variety of ways to meet your policy's needs, including by impact to your company. This allows you to see trends across your ecosystem.
Now that you have reviewed the risks your vendors pose, you need to establish procedures for continuous and ongoing monitoring, for onboarding third parties, for termination, and for oversight. Vendor risk management policies start with the risks posed and end with the action items that protect your company from those risks. For example, if you are a retail organization using a payment processing system that experiences a data breach, your business may go bankrupt. Your vendor risk management procedures start with trusting vendors but ultimately require verifying them.
Your vendor management policy should incorporate a discussion of the following:
Vendor management requires continuous monitoring and oversight, and your policy needs to state how you plan to do this. Historically, organizations have used audits to assess a vendor's stability: they collected documentation showing the effectiveness of the vendor's controls at a point in time or over a fixed period. These insights help alleviate concerns, but attackers do not limit themselves to a period of time. They evolve and attack continuously.
Therefore, a good vendor risk management policy incorporates continuous monitoring beyond audits. Machine learning and big data provide insights into your vendor's information security profile. SecurityScorecard's security ratings review organizations from the outside to see how well they can protect themselves. Our proprietary algorithm, ThreatMarket, incorporates ten factors that predict a secure data environment. For example, by scanning publicly available data, ThreatMarket can determine whether an organization keeps its software up to date. If it does not, it exposes the company to breaches through known software vulnerabilities. Since our security ratings constantly scan the internet, you can track vendor health over time.
Finally, your policy needs to address how you plan to mitigate a vendor risk when you find an IT security gap. Once you detect a vendor whose security posture puts you at risk, you need established steps that mitigate that risk. Action items can include contacting the vendor, monitoring their remediation process, and, in the extreme, terminating the relationship. Once you notify a vendor that they pose a risk to your security, refer back to the trust-but-verify method: you can trust that they will close their IT gap, but you need to verify their success.
SecurityScorecard enables remediation monitoring by allowing you to track the vendor's security ratings. Since we continuously scan the external threats to environments, we can update a security rating to reflect the effect remediation steps have on the environment. You can therefore use these ratings as the metrics by which your policy determines remediation success or failure.
A vendor risk management policy only establishes your organization's goals. Next, you have to find a way to enact that policy within the organization. With SecurityScorecard's easy-to-digest vendor ratings, you gain insight into the potential risk of third-party vendors and, by continuously monitoring them, can address weaknesses before they become problems.
The Risk of Going Without a Vendor Risk Management Policy:
While creating and maintaining an effective vendor risk management policy takes substantial effort, the threat to your organization is very real. To mitigate the risks third-party vendors pose, you must audit and continuously monitor their activities. Failure to do so could cost your organization.
With attackers finding new ways to compromise third parties in the hope of reaching a larger organization through them, the third-party ecosystem is more fragile than ever before.
The purpose of an IT security risk assessment is to determine the security risks to your company's critical assets, and how much funding and effort should go into protecting them. Get started with SecurityScorecard's step-by-step guide to managing your cyber risk.