What is Vendor Risk Management

Published 12/27/2018
Vendor risk management: the need for it

As technology integration becomes the standard for business success, vendor risk management (VRM) increasingly defines the risk to your business success. The Ponemon 2018 Cost of a Data Breach Study found that third-party vendor involvement in a breach increased the cost by more than $13 per compromised record. A robust vendor risk management program therefore protects your data, reputation, and business.


Who are third-party vendors?

As more information moves to the cloud, organizations increasingly incorporate IT suppliers to enable business performance activities.

Software-as-a-Service (SaaS)

SaaS providers offer web-based services geared to streamline end-user experiences. For example, an email client requires little work on your end except to point-and-click on the browser. The provider does most of the back-end work.

Infrastructure-as-a-Service (IaaS)

IaaS providers supply the underlying equipment (compute, storage, and networking) while leaving you in control of the software environment that runs on it. For example, IaaS cloud products offer large amounts of data storage without your having to invest in physical servers.

Platform-as-a-Service (PaaS)

PaaS products offer developers a cloud location in which they can test and deploy mobile applications, social applications, websites, and other software in ways that streamline workloads and increase speed. Microsoft Azure and Google Cloud Platform are two examples of PaaS providers.

What are the regulatory compliance requirements for VRM?

Most major regulations require formal vendor risk management policies and programs. Moreover, new regulations focus on the importance of due diligence and subsequent vendor management.

The Payment Card Industry Data Security Standard (PCI DSS) updated its Cloud Guidelines in 2018, adding guidance on vulnerability management and technical security considerations when incorporating cloud services.

The European Union General Data Protection Regulation (GDPR) requires data controllers to assess the technical controls that their outsourced data processors use.

The New York Department of Financial Services (NY DFS) Cybersecurity Rule, under Section 500.11, requires you to have a Third Party Service Provider Security Policy.

Vendor management, therefore, is a primary component of cybersecurity compliance.

What are the main risks vendors pose?

Vendors not only put your data at risk; they can also pose a business disruption risk.

SaaS providers fall under web application security risk. Web applications can be infiltrated by cross-site scripting or SQL injection attacks that siphon data every time someone logs into an account.

IaaS providers increasingly find themselves targets of Distributed Denial of Service (DDoS) attacks that leave the services unavailable. Thus, you need to incorporate vendor management as part of business disruption and disaster recovery policies.

PaaS providers pose the same risks as both IaaS and SaaS providers.

Planning for these risks to both data and business continuity requires you to monitor vendor controls as though they were yours.

What are the main components of a vendor risk assessment?

Your vendor risk assessment contains several parts. Understanding each step can help you make decisions appropriate to your organization’s needs.

List Vendors

Understanding all the different vendors that your organization integrates can be a daunting process. You not only need to focus on the most important vendors but also the smaller third-party services you incorporate into individual departments.

Assess Criticality

Once you list the vendors, you need to decide which ones enable critical business operations.

Review Information Accessed

Vendors gain access to different information depending on their function within your organization. You need to know whether a third party accesses personally identifiable information or other protected information. Moreover, you should also determine whether they actually need that access.

Identify Threats

While many vendors pose similar data threats, you should not automatically assume that they do. Some third parties may pose larger risks to your information based on their controls or previous data breaches.

Assign A Risk Rating

You need to decide whether the systems, networks, and types of data your vendor accesses pose a high, medium, or low risk to your company if the vendor experiences a breach.

Analyze Risk

After assigning the vendor and the information risk ratings, you need to analyze the risk by taking the likelihood of the risk and multiplying it by the level of impact. This step gives you a more detailed picture of the actual risk: something that could have a large dollar or business impact may be extremely unlikely, which lessens the overall risk. Thus, the analysis provides a full picture of the multiple aspects of the vendor’s risk to your data security.

Create Risk Response

After determining whether the vendor is high, medium, or low risk based on the likelihood of impact to your business in conjunction with the level of impact, you can decide whether you want to accept, refuse, mitigate, or transfer the risk.

Set Controls

If you decide to accept or mitigate the risk, you need to establish controls to protect your information. These controls should focus on access controls such as multifactor authentication and unique login identifiers, as well as encryption and firewalls.

Define Terms for Service Level Agreement

Once you set controls, you need to make sure that your vendors use the same ones. When contracting with vendors, you need to define your cybersecurity risk tolerance and the appropriate controls within your service level agreement (SLA). This way you know that your vendor agrees to maintain a cybersecurity stance that aligns with yours.

Monitor Continuously

It’s not enough to set controls. You need to monitor your vendors’ compliance and security on an ongoing basis. Since their risk is your risk, if a vendor does not maintain a robust cybersecurity stance, neither do you.
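The assessment steps above, from listing vendors through scoring and control gaps, carried through in code. This is an added example, not the article's or any product's own model: the scoring rules (breach history and missing controls raise likelihood; criticality and protected data raise impact), the 1–9 response bands, the control identifiers, and the sample vendor inventory are all constructed assumptions for illustration.

```python
"""Worked vendor risk assessment: inventory -> rating -> response -> control gaps.

Added illustration, not the article's or any product's own model. The
scoring rules, bands, control names and sample vendors are constructed
assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Controls the article names for vendor access to your data (identifiers assumed).
REQUIRED_CONTROLS = {"mfa", "unique_login_ids", "encryption", "firewall"}

# Data classes treated as protected information (constructed set).
PROTECTED_DATA = {"PII", "PHI", "PCI"}

# Assumed response bands for the 1..9 likelihood x impact score.
RESPONSE_BANDS = ((2, "accept"), (4, "mitigate"), (6, "transfer"), (9, "refuse"))


@dataclass
class Vendor:
    name: str
    service_type: str                         # "SaaS", "IaaS" or "PaaS"
    critical: bool                            # enables a critical business operation
    data_accessed: set = field(default_factory=set)
    data_needed: set = field(default_factory=set)
    prior_breaches: int = 0
    attested_controls: set = field(default_factory=set)


def excess_access(v: Vendor) -> set:
    """Review Information Accessed: data the vendor can reach but does not need."""
    return v.data_accessed - v.data_needed


def likelihood(v: Vendor) -> Level:
    """Identify Threats: breach history and missing controls raise likelihood."""
    if v.prior_breaches > 0:
        return Level.HIGH
    if REQUIRED_CONTROLS - v.attested_controls:
        return Level.MEDIUM
    return Level.LOW


def impact(v: Vendor) -> Level:
    """Assign A Risk Rating: what a breach at this vendor would cost you."""
    touches_protected = bool(v.data_accessed & PROTECTED_DATA)
    if v.critical and touches_protected:
        return Level.HIGH
    if v.critical or touches_protected:
        return Level.MEDIUM
    return Level.LOW


def response_for(score: int) -> str:
    """Create Risk Response: map the score to accept / mitigate / transfer / refuse."""
    for ceiling, action in RESPONSE_BANDS:
        if score <= ceiling:
            return action
    raise ValueError(f"score out of range: {score}")


def assess(v: Vendor) -> dict:
    """Run the assessment steps for one vendor and return the findings."""
    lik, imp = likelihood(v), impact(v)
    score = int(lik) * int(imp)               # Analyze Risk: likelihood x impact
    action = response_for(score)
    # Set Controls / SLA terms: only vendors you keep need the control gap closed.
    gaps = REQUIRED_CONTROLS - v.attested_controls if action != "refuse" else set()
    return {
        "vendor": v.name,
        "likelihood": lik.name,
        "impact": imp.name,
        "score": score,
        "response": action,
        "excess_access": sorted(excess_access(v)),
        "control_gaps": sorted(gaps),
    }


def assess_all(vendors: list) -> list:
    """Monitor Continuously: re-run over the inventory; highest risk first."""
    return sorted((assess(v) for v in vendors), key=lambda r: r["score"], reverse=True)


# Constructed sample inventory (List Vendors); names and attributes are made up.
SAMPLE_VENDORS = [
    Vendor("mail-saas", "SaaS", critical=True, data_accessed={"PII"},
           data_needed={"PII"}, attested_controls=set(REQUIRED_CONTROLS)),
    Vendor("storage-iaas", "IaaS", critical=True, data_accessed={"PII", "PCI"},
           data_needed={"PII"}, prior_breaches=1,
           attested_controls={"mfa", "encryption"}),
    Vendor("dev-paas", "PaaS", critical=False, data_accessed={"test-data"},
           data_needed={"test-data"},
           attested_controls={"mfa", "unique_login_ids", "encryption"}),
    Vendor("analytics-saas", "SaaS", critical=False, data_accessed={"PII"},
           data_needed=set(), attested_controls=set(REQUIRED_CONTROLS)),
]

if __name__ == "__main__":
    for finding in assess_all(SAMPLE_VENDORS):
        print(finding)
```

Running it ranks the breached, under-controlled storage provider first (score 9, refuse) and flags the analytics vendor's access to PII it does not need, which is the kind of finding the "Review Information Accessed" step is meant to surface. Re-running `assess_all` on a refreshed inventory is the monitoring loop: a vendor that drops a control or suffers a breach moves bands without anyone editing the scoring rules.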

How ZenGRC Enables Vendor Risk Management

By streamlining the workflow, ZenGRC lets organizations replace email follow-ups with tracked outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables you to manage the mundane tasks associated with vendor risk management and ensure a robust program.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

For more information about creating a vendor risk management program, read our ebook “Vendor Risk Management: The Basic Need for It. The Basic Principle of It.”