Level the playing field with a vendor risk assessment template.
Two facts have radically transformed vendor risk management and the need for templates in third party risk assessments:
- There’s increased awareness that vendors are often the weak links that allow cybersecurity breaches to occur
- Federal regulators are increasingly vocal about the need for aggressive due diligence and thorough vendor risk management which has left a lot of companies stymied about their next steps
“We want a level playing field in assessing vendors,” said the CIO at a large East coast credit union. His institution, which heavily depends on third-party vendors for its technology solutions, wants to ally only with the highest-rated vendors, the ones who add the lowest cybersecurity risk to the equation, as a matter of policy.
But the question is: How to level that playing field, in a time-efficient and fair way, so that the best vendors are chosen?
The answer? A third-party risk assessment template.
Using a vendor management risk assessment template is becoming the new baseline
Understand, first, many companies continue to lag when it comes to vendor management and risk assessments. Some, according to multiple cybersecurity consultants, still do not ask to see even basic reporting, such as standardized penetration testing.
“I can count on one hand the clients who have asked to see our test results,” said a Maryland cybersecurity consultant, who asked for anonymity to spare his client's embarrassment.
But, little by little, that indifference is evaporating. A big factor is that templates, based on frameworks such as the ISO/IEC 2700 family of standards, the OCC guidelines, and others, are playing an even bigger role in vendor relationships.
There are two obvious pluses to templates. First, they speed up the risk assessment process. There is no need to reinvent the vendor risk wheel. For the executive who complains that he or she does not have the time to do proper cybersecurity risk assessments, templates are the answer. Secondly, risk assessment templates truly help ensure that every vendor is held to the same set of standards and frameworks.
Face regulatory compliance head-on
The right risk assessment template can be crafted to assure compliance with regulatory requirements and help protect confidential information.
“Templates provide a standardized method for completing supplier risk assessments to ensure compliance,” said Craig Nelson, Managing Director at Alsbridge, a global consulting firm.
“Templates provide a standardized method for completing supplier risk assessments to ensure compliance.” ——Craig Nelson, Managing Director, Alsbridge
A well-crafted template, usually provided by an experienced third party risk assessment expert, helps provide assurance that the vendor evaluation is in fact on target and thorough. The key question is: Are you collecting the right data about this vendor? With a strong risk assessment template, the answer should be an unequivocal yes.
A well-constructed template also digs into key issues, such as:
- How old is the technology used by this vendor (one still using Windows XP probably will be downgraded unless there are extenuating circumstances)?
- Have all programs had all key patches applied?
These are simple, straightforward concerns, but the answers really do matter. In many cases, this part of the assessment readily lends itself to automation.
Do you trust a vendor running XP on all its systems, browsing with an unpatched Internet Explorer 7, and who has not applied an Adobe or Java patch in three years to take the necessary steps in preventing a cyber security breach in your business? Me neither.
Tip for SecurityScorecard Customers:Type in a website address into the platform to retrieve detailed security-risk information instantly, without intruding on a vendor’s system.
Get the vendor risk answers you need
A risk assessment template also does not overlook important issues in the crush of business. For instance, it might be easy to shrug off questions about how your vendors handle their vendors, but a good template will insist on answers. A template keeps everyone on course, and that is why they have become indispensable in most vendor risk management approaches.
Is a risk assessment template the final answer? No. A template provides a running head start.
It also establishes the baseline for going forward, so all third party vendors are judged by (roughly) the same set of criteria. But, understand, a risk assessment template is still only a baseline for vendor evaluations.
To raise the confidence about the level of security afforded by risk assessment templates there has to be serious thought about using any template along with a determination to honestly portray the facts of the situation, and then implement the proper solutions. A template does not do your thinking for you or provide your research. It just points where to look for answers when managing vendors.
This blog was originally posted on 10/22/2015. It has been fully re-written and updated as of June 1, 2018.