Published January 22, 2019 • By Karen Walsh • 3 min read
Every risk management program should include vendor management, but beware: vendor management is a complex process itself, requiring continual monitoring and measurement.As you bring new vendors into your organization’s orbit, and as the processes and procedures of existing vendors change, your organization will need assurance that those third parties are complying with the cybersecurity controls outlined in the service level agreements that you’ve established with them. And to measure vendor compliance, you’ll need to establish key performance indicators (KPIs).
Importance of Vendor Management KPIs
KPIs are essential for measuring and monitoring vendor performance and for conducting vendor performance reviews, which are crucial for supplier management.The first place to look for KPIs is within the service level agreements (SLAs) you and your vendor agree upon. Your SLAs define the metrics you can use to determine the vendors’ conformity with your cybersecurity requirements. Tying KPIs to SLAs can help you to:
Track and monitor suppliers’ compliance with contracts;
Know when the vendor is falling short of expectations, and in what areas;
Work with vendors to improve performance issues;
Compare and contrast multiple vendors’ performance;
Resolve issues to avoid harm to your own productivity or services;
Ensure that your business is making the best use of vendors’ services; and
Vendor management KPIs benefit your overall business objectives as well. They can help with cost reduction savings, customer satisfaction, and your organization’s continuous improvement.
How to Set KPIs for Vendors
Your KPIs should be based on your company’s internal risk assessment.The risk assessment can help you decide which third parties in your supply chain place your company most at risk. Then you can rank vendor risk according to:
Which corporate information your vendors are permitted to access;
Which systems they can access;
How important each vendor is to your business operations.
A vendor would be at high risk when it has access to systems or networks that are critical to your business continuity or to protected information. For example, if you’re storing highly sensitive or protected information in the cloud, then your cloud service provider (CSP) would be high risk, and you would need to monitor its security often, if not constantly. On the other hand, if the information you’re storing on the cloud is publicly available (say, white papers used for marketing purposes) then your CSP would be a low risk; you could monitor its security less frequently. Criteria for setting KPIs include:
Compliance requirements: If your vendor needs to meet a compliance standard or regulation, check recent security audits or Systems and Organizational Controls for Service Organizations (SOC) reports to review how well they manage their compliance.
Staff training: Review the vendor’s training records for insights into how well its personnel understands their responsibilities and into the vendor’s cybersecurity culture overall. If employees are scoring low on tests, the vendor’s team is not cyber aware—and could increase the risks to your information.
Cybersecurity incidents: If a vendor has experienced a data breach or data event, you need to know that. Your contract should require the vendor to notify you when an incident happens. (You must also double-check for incidents, in case the vendor doesn’t disclose them.)
Security patch management: Review each vendor’s security patch management policies and procedures, as well as its patch management logs, to ensure that patches are installed and updated in a timely manner.
How to Review KPIs Using Automation
To maintain a strong vendor management program, you need to know how well your vendors manage their data environments. Automation can help with the following tasks:
Vendor reviews: An automated platform can create workflows for requesting and reviewing vendor documentation.
Review prioritization: An automated system can issue high-priority alerts reminding you to follow up with your highest-risk vendors more frequently.
Communication: An automated solution can collect and store your communications with vendors to provide evidence of your oversight for auditors examining your own performance.
Analysis: Automation software can analyze reports for indications of breaches and recovery time.
Continuous monitoring: Automation is the only effective way to continuously monitor your vendors’ security environment, the effectiveness of their controls, and their compliance with regulatory and industry frameworks.
How ZenGRC Enables KPI Monitoring for Vendor Management
ZenGRC’s System-of-Record streamlines your vendor management workflow, tracks tasks from start to finish, and collects all your vendor-management documentation. As a result, your teams can better communicate with one another about vendor relationships and discuss issues with vendors, too.ZenGRC’s streamlined workflow feature shows task managers the dates on which vendors responded to queries and the status of the task at hand. Compliance managers no longer need to spend time following up with your (many) third-party contractors.ZenGRC’s automated features do the tedious tasks for you, allowing you to focus on the bigger compliance picture. The result: more efficient and effective vendor risk management. Worry-free vendor risk management is the Zen way. Contact us today for your free demonstration.