Posted on Jun 1, 2018
Two facts have radically transformed vendor risk management and the need for templates in third party risk assessments:
“We want a level playing field in assessing vendors,” said the CIO at a large East coast credit union. His institution, which heavily depends on third party vendors for its technology solutions, wants to ally only with the highest-rated vendors, the ones who add the lowest cyber security risk to the equation, as a matter of policy.
But the question is: How to level that playing field, in a time-efficient and fair way, so that the best vendors are chosen?
The answer? A third party risk assessment template.
Understand, first, many companies continue to lag when it comes to vendor management and risk assessments. Some, according to multiple cyber security consultants, still do not ask to see even basic reporting, such as standardized penetration testing.
“I can count on one hand the clients who have asked to see our test results,” said a Maryland cyber security consultant, who asked for anonymity to spare his client's embarrassment.
But, little by little, that indifference is evaporating. A big factor is that templates, based on frameworks such as the ISO/IEC 27000 family of standards, the OCC guidelines, and others, are playing an ever bigger role in vendor relationships.
There are two obvious pluses to templates. First, they speed up the risk assessment process. There is no need to reinvent the vendor risk wheel. For the executive who complains that he or she does not have the time to do proper cyber security risk assessments, templates are the answer. Secondly, risk assessment templates truly help ensure that every vendor is held to the same set of standards and frameworks.
The right risk assessment template can be crafted to assure compliance with regulatory requirements and help protect confidential information.
“Templates provide a standardized method for completing supplier risk assessments to ensure compliance,” said Craig Nelson, Managing Director at Alsbridge, a global consulting firm.
A well-crafted template, usually provided by an experienced third party risk assessment expert, helps provide assurance that the vendor evaluation is in fact on target and thorough. The key question is: Are you collecting the right data about this vendor? With a strong risk assessment template, the answer should be an unequivocal yes.
A well-constructed template also digs into key issues, such as:
These are simple, straightforward concerns, but the answers really do matter. In many cases, this part of the assessment readily lends itself to automation.
Do you trust a vendor that runs XP on all its systems, browses with an unpatched Internet Explorer 7, and has not applied an Adobe or Java patch in three years to take the necessary steps to prevent a cyber security breach in your business? Me neither.
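As an added example (not from the post or from SecurityScorecard), here is how the template described above can be encoded as one fixed list of weighted checks and run identically against each vendor's questionnaire answers, so every vendor is scored on the same criteria. The end-of-life lists, the 90-day patch limit, the field names and the three vendor responses are assumptions constructed for this example; an unanswered question counts as a failed check, never as a pass.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Callable

# One fixed list of weighted checks, applied identically to every vendor, keeps scores comparable.
@dataclass
class Check:
    name: str
    weight: int
    passes: Callable[[dict], bool]

# Hypothetical end-of-life lists and patch-age limit (assumptions for this example).
EOL_OS = {"windows xp", "windows server 2003"}
EOL_BROWSERS = {"internet explorer 7", "internet explorer 8"}
MAX_PATCH_AGE_DAYS = 90
AS_OF = date(2018, 6, 1)  # fixed assessment date so results are reproducible

def supported(answers: dict, key: str, eol: set[str]) -> bool:
    value = answers.get(key)  # missing answer -> fail, never a silent pass
    return value is not None and value.lower() not in eol

def patch_current(answers: dict, product: str, today: date) -> bool:
    last = answers.get(f"{product}_last_patch")  # ISO date string from the questionnaire
    if last is None:
        return False
    return (today - date.fromisoformat(last)).days <= MAX_PATCH_AGE_DAYS

def build_template(today: date) -> list[Check]:
    return [
        Check("supported OS", 3, lambda a: supported(a, "os", EOL_OS)),
        Check("supported browser", 2, lambda a: supported(a, "browser", EOL_BROWSERS)),
        Check("Java patched", 2, lambda a: patch_current(a, "java", today)),
        Check("Adobe patched", 2, lambda a: patch_current(a, "adobe", today)),
        Check("reviews its own vendors", 1, lambda a: a.get("fourth_party_reviews") is True),
    ]

def assess(answers: dict, template: list[Check]) -> tuple[int, list[str]]:
    """Return (score 0-100, names of failed checks) for one vendor's answers."""
    total = sum(c.weight for c in template)
    failed = [c.name for c in template if not c.passes(answers)]
    earned = total - sum(c.weight for c in template if c.name in failed)
    return round(100 * earned / total), failed

# Constructed questionnaire responses; not real vendors.
VENDOR_A = {"os": "Windows XP", "browser": "Internet Explorer 7", "fourth_party_reviews": False,
            "java_last_patch": "2015-03-01", "adobe_last_patch": "2015-03-01"}
VENDOR_B = {"os": "Windows 10", "browser": "Chrome", "fourth_party_reviews": True,
            "java_last_patch": "2018-05-15", "adobe_last_patch": "2018-05-20"}
VENDOR_C = {"os": "Windows 10"}  # incomplete questionnaire: unanswered checks fail
```

Because the checks are data rather than ad hoc judgement, the same template can be re-run when a vendor updates its answers and the scores stay comparable across vendors and over time.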
Tip for SecurityScorecard Customers: Type a website address into the platform to retrieve detailed security-risk information instantly, without intruding on a vendor’s system.
A risk assessment template also does not overlook important issues in the crush of business. For instance, it might be easy to shrug off questions about how your vendors handle their vendors, but a good template will insist on answers. A template keeps everyone on course, and that is why they have become indispensable in most vendor risk management approaches.
Is a risk assessment template the final answer? No. A template provides a running head start.
It also establishes the baseline for going forward, so all third party vendors are judged by (roughly) the same set of criteria. But, understand, a risk assessment template is still only a baseline for vendor evaluations.
To raise confidence in the level of security afforded by risk assessment templates, any template has to be used thoughtfully, with a determination to honestly portray the facts of the situation and then implement the proper solutions. A template does not do your thinking for you or provide your research. It just points to where to look for answers when managing vendors.
This blog was originally posted on 10/22/2015. It has been fully re-written and updated as of June 1, 2018.