Third Party Vendor Management Audit ProgramPublished November 20, 2018 by Karen Walsh • 4 min read
Increasingly business operations require service providers who can enhance your overall strategic operations. Whether you’re a retailer who needs a vendor or a healthcare provider seeking an electronic health records third-party vendor, you need to engage in due diligence and create a third-party vendor risk management audit program.
Vendor Management Audit
What Are Supply Stream Information Security Risks?
Data breaches from within your supply stream function as the single largest information security threat. The IBM X-Force Threat Intelligence Index (2018) found that the volume of injection-type attacks nearly doubled in 2017. According to the report, , 79% of attacks were injection based. Injection based attacks occur when a malicious actor attempts to control or hijack a system by placing malicious code into servers or systems.
What does that mean to third-party vendor risk management? Malware injection attacks trick cloud-based systems and services into providing information. Whether it’s through a SQL injection, cross-site scripting attack, or command injection, these malicious injection attacks exploit weaknesses in the cloud-based Software-as-a-Service (SaaS), Platform-as-a-Service(PaaS), or Infrastructure-as-a-Service (IaaS) vendors to gain entrance to your data.
Why You Should Start with a Third-Party Risk Assessment
A risk assessment requires you to review the potential threats your third-party service providers bring with them. Unfortunately, as threats evolve, risks change. Since malicious actors continuously update how they infiltrate information, you need to start with the primary risks and expand to a continuous monitoring model.
Some basic risks inherent in using third-party vendors include:
- Network access
- System access
- Authorization access
- Data access
- Malware and ransomware threats
- Regulatory compliance risks
How Risk Assessment Differs from Vendor Management
Risk assessment means you’ve made a list of potential risks that a vendor poses to your data environment. Vendor management focuses on the life-cycle of the relationship.
Think about a vendor risk management program as being akin to being a manager for a baseball team. If you’re trying to mitigate the risk of injury to your pitchers, you’re not going to start the same pitcher in every game. You need to figure out the best strategy for choosing a starting pitcher for each team you’re going to face. A general manager for a baseball team needs to align pitcher choices to specific opposing team weaknesses. A single strategy won’t work for every game.
In vendor risk management, you need to do the same thing.
Each third-party vendor comes with different risks. Some may be slower to run security patch updates while others may have firewall issues. You need to create an overarching strategy that protects your information by looking at the weaknesses vendors bring with them. You need to mitigate the threats while also establishing a long-term process for adjusting to a shifting threat environment.
Creating a Vendor Management Process with a Security-First Approach
Starting with your security-first approach, your internal risk management program establishes controls and risk mitigation strategies that you feel adequately protect the integrity, confidentiality, and accesssibility of information. After establishing controls you find acceptable, you can use them as a template for creating a vendor management program.
Your SaaS, PaaS, and IaaS providers not only enable business operations, but some are critical to maintaining business continuity. Therefore, to mitigate business interruption risk, you need to ensure that throughout the relationship life-cycle you trust vendors but also verify their controls.
How to Use Audit Reports to Enable Third-Party Risk Management
If you’re using vendors to ease IT burdens associated with your business, you need to verify that they maintain a cybersecurity stance aligning to yours. Sure, audit reports provide external assurance over a vendor’s information security risk management. However, traditional audits fail in the cybersecurity context. To protect yourself from the upstream and downstream supply chain risks, you need to continuously monitor your third-party service providers and engage in continous auditing over the systems, software, services, and networks they enable.
All third-party risk management programs rely on service level agreements that define termination requirements. While you might be tempted to use an audit report as proof, very few vendors are going to have negative audits.
But what happens in between those adutis? That’s what you need to know. Creating a continuous monitoring program with continuous records to support continuous auditing over vendors helps protect your information.
How Automation Supports the Continuous Auditing of Vendors
It’s hard to know what your vendors are doing all the time. However, you can maintain better control over their activities by using automated tools. Big data analytics increasingly allow you to aggregate publicly available information giving real-time insights into vendor activities.
Additionally, by continuously monitoring known vulnerabilities that may impact your vendors, you can review their security stance to ensure it aligns with yours.
Patch management, for example, is a threat you can easily monitor. Knowing your vendors’ security controls means you also know whether they’re running Windows, Mac, or Linux operating systems. Following the security updates for these operating systems and ensuring that vendors regularly and rapidly update their operating system and other vulnerable software means you’re continuously overseeing the risks they pose to your data environment.
Additionally, you need to maintain continuous records of these monitoring activities. No matter where you are in the supply chain, you need to be able to prove to your customers that you’re engaging in the appropriate review of your vendors’ threats so that up or down the chain you mitigate risks the best way possible.
How ZenGRC Enables Continuous Vendor Audit Management
ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.
ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.
GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.