KPIs For Evaluating Your Vendor Management Program

Published January 22, 2019 · 4 min read

Creating a vendor management program is difficult. However, that’s only the first part of the process. To fully implement your plan, you need to measure its effectiveness at reducing risk. To do that, you need objective key performance indicators (KPIs) for determining how well your vendors comply with the outlined controls in the service level agreement.

Key Performance Indicators For Your Vendor Management Program

How to determine which vendors matter

Your KPIs should be based on your risk assessment. Before measuring your vendors’ cybersecurity, you need to decide which third parties place your company most at risk. This means you need to rate the individual vendors based on:

  • Information they access
  • Systems they access
  • Importance to continued business operations

A high-risk vendor is one that accesses a system or network critical to your business continuity, or that accesses protected information. These vendors require more oversight than others.

For example, if you’re storing protected information in the cloud, then you need to continually monitor that cloud service provider’s security. If you’re storing only public information, such as whitepapers used in marketing, then you don’t need to monitor that vendor as often.

How to set KPIs for vendors

The first place to look for KPIs is your service level agreements (SLAs). Your SLAs define the metrics by which you determine your third parties’ alignment with your cybersecurity profile.

Compliance Requirements

If your vendor needs to meet a compliance standard or regulation, the first place you can look is the audit reports or SOC reports to review how well they’re managing their compliance. If these reports indicate a security problem, you need to rethink the relationship.

Staff Training

Reviewing training records can give you insight into how well the vendor’s staff understands their responsibilities. This review also provides visibility into the culture that management creates. Low training scores mean the team is not cyber aware, and such a team can put your information at risk because its members are easy targets for a phishing campaign or password theft.

Reported Cybersecurity Incidents

You need to know whether a vendor has experienced a data breach or data event. As part of their notification requirements, they should tell you. If not, then you need to make sure that you’re researching online to determine whether they have been breached. Often, cybersecurity professionals will post this information on professional websites or blogs.

Security Patch Management

With vendors, this one becomes a bit trickier. You can’t be in their organization looking at all their computers. However, a single employee device missing a security patch can put the vendor and its entire supply line at risk.

How to use automation to review KPIs

To maintain a robust vendor management program, you need to be able to gain insight into how well your vendors are managing their data environments.

Automate the review process

You can use automation to help you maintain an effective vendor management program. Rather than having to set notifications for review, an automated platform can create a workflow for requesting and reviewing vendor documentation.

Prioritize reviews

Focus on your highest risk vendors first. These vendors control and process information critical to your business operations. If you’re using an automated system, then you can enable high priority alerts for these vendors so that you can follow up with them.

Communicate with vendors

If you receive an alert that a vendor’s security is compromised, make sure to document your oversight. You can’t control their actions, but you can make sure to talk to them about your concerns.

Focus on details

When reviewing the reports provided, look for the information that indicates whether a breach occurred. It’s important not only to consider the existence of a breach, but the time it took to recover. The longer it took them to recover from a breach or event, the less you can trust them.

Continuously monitor

You can’t rely only on the reports your vendor provides. Being proactive about your vendor management program means continuously monitoring their security and their environment. An automated system that provides visibility into the effectiveness of their data controls can help measure their compliance. Audit reports and SOC reports evaluate controls only at a given moment in time; since malicious actors never stop looking for ways into systems and networks, you need a solution that provides this visibility between reports.

Using the information to review vendor cybersecurity

If you’ve clearly outlined security requirements in your SLA, then you can use the knowledge you gained from your automated solution to determine the vendor’s compliance with the contract.

If your SLA is vague, you can’t do much. However, if you’ve included specific language in the contract, you can reach out to your vendor and discuss your concerns more effectively.

Security and Backup

In your SLA, you may want to include language that addresses the use of encryption technology or the access and authentication requirements, such as passcode strength and multi-factor authentication.

You can align your findings of employee cyber awareness with this requirement. If the employees aren’t meeting training standards, they might not comply with the SLA.

Network Resilience

The SLA should clearly define the amount of time the vendor has to recover from an attack after it identifies the attack. The SLA should also incorporate a level of attack severity. For example, if your SLA specifies that an attack on network infrastructure at or above a prescribed severity level constitutes a service outage, you also need to include the recovery time you’re willing to accept from the vendor for that level.

Then, using the information you obtained, you can determine whether the vendor recovered in time. If the vendor’s service outage arose out of a Distributed Denial of Service (DDoS) attack, you need to know how long it took them to get everything back online, especially for business-critical infrastructures. If they did not meet the timeline, you could start having the crucial conversations about continuing the relationship.
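As an added example that is not part of the original article, the check below measures reported incidents against recovery-time targets that vary by attack severity, as the SLA structure above describes, and reports per vendor how many incidents missed the target, the worst overrun, and the mean recovery time. The severity tiers, target hours, vendor names and incident timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed SLA recovery targets (hours) per attack severity. Illustrative
# values only, not the terms of any real vendor contract.
SLA_RECOVERY_HOURS = {"low": 72, "medium": 24, "high": 8, "critical": 4}


@dataclass
class Incident:
    vendor: str
    severity: str
    identified: datetime          # when the vendor identified the attack
    restored: Optional[datetime]  # None while service is still down


def evaluate(incidents, as_of, sla=SLA_RECOVERY_HOURS):
    """Per-vendor recovery KPIs against SLA targets. An incident still open at
    `as_of` counts as a miss once its elapsed time exceeds the target."""
    report = {}
    for inc in incidents:
        if inc.severity not in sla:
            raise ValueError(f"{inc.vendor}: severity {inc.severity!r} not in SLA")
        target = sla[inc.severity]
        hours = ((inc.restored or as_of) - inc.identified).total_seconds() / 3600
        r = report.setdefault(inc.vendor, {"closed": 0, "open": 0, "sla_misses": 0,
                                           "worst_overrun_hours": 0.0, "_hours": 0.0})
        if inc.restored is None:
            r["open"] += 1
        else:
            r["closed"] += 1
            r["_hours"] += hours
        if hours > target:
            r["sla_misses"] += 1
            r["worst_overrun_hours"] = max(r["worst_overrun_hours"], hours - target)
    for r in report.values():
        closed_hours = r.pop("_hours")  # mean is over closed incidents only
        r["mean_recovery_hours"] = closed_hours / r["closed"] if r["closed"] else None
    return report


# Constructed incident records for two hypothetical vendors.
SAMPLE_INCIDENTS = [
    Incident("cloud-storage-co", "critical", datetime(2019, 1, 10, 9), datetime(2019, 1, 10, 12, 30)),
    Incident("cloud-storage-co", "high", datetime(2019, 1, 15, 22), datetime(2019, 1, 16, 9)),
    Incident("marketing-cdn", "medium", datetime(2019, 1, 5, 8), datetime(2019, 1, 5, 20)),
    Incident("marketing-cdn", "low", datetime(2019, 1, 20), None),  # still down
]


def sample_report():
    return evaluate(SAMPLE_INCIDENTS, as_of=datetime(2019, 1, 22))
```

In the sample data the storage vendor met its critical-severity target but overran the high-severity target by three hours, while the CDN vendor's open low-severity incident has not yet exceeded its 72-hour target and so is not counted as a miss.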

How ZenGRC Enables KPI Monitoring For Vendor Management

ZenGRC’s System-of-Record streamlines your workflow so you can eliminate emails while tracing outstanding tasks. This enables better communication within your organization to help management and your IT department discuss vendor relationships.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, but it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information, contact us for a demo.
