Third Party Risk Management Automation: Compliance’s Evite

Published October 19, 2017 by Karen Walsh
Practicing third party risk management is like hosting a fancy party. Everyone wants to get in, but you need to make sure that only the most important, well-vetted VIPs get past that velvet rope. To do this, you’re checking their credentials at the door. The problem is that even the credentials check doesn’t stop things from getting out of control during a party. In the same way that a party host needs to intercept inappropriate behavior in a bar, you need to be ready to terminate relationships when they start to become dangerous to your customers.
Just like you need to manage your party RSVP with an automation tool, you should book a demo to learn how to transform third party governance and risk management into an opportunity.
Check Their ID: Review the IT Security Protocols
Before you even let someone into the party, you need to make sure that they meet the legal requirements for getting into the bar. Just like party hosts check IDs at the door, you need to check your vendor IT security protocols before entering into a contract together.
Understanding your vendors means understanding the regulations and standards with which they need to comply. This means that you need to do your due diligence to protect yourself. Your vendor may need to be compliant with PCI DSS, SOX, or both. In doing this review, you should consider whether you want a SOC 2 or SOC 3 report from them.
Make Sure They RSVP: Use the Vendor Security Alliance Questionnaire
When you host a party, you want to know who’s coming in advance, so you send out invitations. These function as questionnaires for your guests. Who are they? How many are they bringing? How do they know you, the host?
The PCI Vendor Security Alliance (PCI VSA) questionnaire offers the information security version of an invite. Whether or not you and your vendors fall under the PCI DSS compliance umbrella, the PCI VSA is an excellent resource, since it consists of data security firms that help merchants with PCI DSS compliance. This means that their documents are held to the highest standard. If you’re looking for quick and easy access to documents that help you vet your vendors, this is a safe choice to help you focus your queries.
Introduce Yourself to the Plus Ones: Ensure The Vendor Does Penetration Testing
You’ve sent out the invites, but now you need to make sure that those who RSVP’d are supposed to be there. When you’re hosting a party, sometimes your friends bring a +1 you didn’t expect. Everyone knows that the unknown quantity can be the biggest problem.
By making sure that your vendors are doing penetration testing, you confirm that they aren’t going to bring that party ruiner to your gala. While you can’t expect detailed reports, you should be able to call with follow-up questions if the executive-level summary concerns you. If you need to call, ask the vendor to explain their plan to correct the issue and their timeline for completing the correction. You should also record this in the documentation of your own vendor management process.
What happens when you get that friend of a friend who suddenly shows up? Maybe your friend has mentioned this person, maybe not. So you ask them questions to get to know them.
The same is true for vendors. While it may seem meta to ask a vendor about how they vet their vendor, it’s one of the best ways to get a clear view into their processes. Documents tell the story of intention. Conversations tell the story of reality. When you’re assessing risk, you want to make sure that reality and intent align.
Take the Keys: Assess the Vendor’s Financial Health
You’re not going to check your guests’ savings accounts at the door. You are, however, going to make sure that they don’t drive drunk. This might mean requiring a key drop or checking to make sure they’re not already intoxicated when they arrive because you can be liable for any accident they cause later.
When you invite third parties to work with you, you need to know that they’re not going to put you at risk because of a pre-existing condition. This step might seem obvious; however, sometimes vendors get sketchy about their financial situations. This means that while you should discuss this with your vendor personally, you can also get a Dun & Bradstreet report or search the website of the Secretary of State for the state where the vendor’s headquarters is located. These methods help you assess unbiased, publicly available information.
Getting to Know You: Know the Location of Physical Facilities
When you’re talking to the people your guests bring, you make sure that you learn who they are and get to know them. No, you’re not going to ask their address, but you are going to keep an eye on them to make sure they’re not engaging in any untoward behavior towards other guests. After all, the last thing you want is to get a bad reputation for hosting parties where your guests are rude.
Knowing the location of physical facilities is the vendor management equivalent of trying to establish the safety of your guests. This is an important data point whether or not you’re worried about the financial viability of your vendor. For example, if your vendor has physical locations in a high-crime area, you might need to rethink using them to house your servers, lest someone break in and steal the servers. In addition, if the company is having a hard time meeting rent, they may be located in a low-rent, high-crime area. This is another indicator of their financial health.
Make Sure Your Buddy has Your Back: Analyze Support Availability
Your buddy just brought a friend to your party. That’s fine, but your buddy better have your back if their friend is a problem. As the party host, you need to know that your friends are going to make sure their +1s don’t put everyone else at risk. If you can’t trust your friend to back you up, maybe you don’t want that friend coming in the first place.
Depending on your purpose for partnering with this vendor, you may need to call for support. Back to the server example—if your server dies, then so does all your data. You want to be prepared for any event and know that your vendor is your partner in maintaining ongoing business activities. If the vendor isn’t providing you with the necessary all-around services, then you may need to seek out someone else.
The Evite Party Planner of Third Party Risk Management
If you’ve ever thrown a party, you’ve used Evite. Evite not only sends out the invitations but also tracks the RSVPs and sends out reminders to those who haven’t responded. Instead of having to collect addresses, write everything down, hand-address and mail the invites, you simply import your contact list to your Evite account. Moreover, when you’re done with that, the automation tool does everything else so that you know who’s coming to your party and can plan appropriately.
When trying to close gaps in third party risk management, you need the compliance version of Evite. ZenGRC does the work of task management for you so that you can send out the information and be automatically updated with who’s responded. Instead of having to call people and follow up, you let the tool do the administrative work.
In the same way that party planning automation tools have simplified your social life, let automated compliance tools simplify your work life.
Book a demo today to see how ZenGRC can change your approach to managing third party risk in a changing regulatory environment just as Evite changed how you plan parties.