Vendor Management Workflow for Vendor Risk Assessments

Published September 27, 2018. 4 min read.

Chances are, your enterprise uses third-party vendors to streamline your business processes. However, those vendors have digital connections to your environment, and so increase the risk to your data security controls.

A strong vendor risk management program is critical to overall enterprise risk management. And successful vendor risk management requires a well-organized workflow so that you always know what’s being done, who’s doing it, and where tasks stand as you respond to operational risks and threats arising from third-party vendors.

Here we’ll provide tips to strengthen your vendor risk management program. For a more thorough and detailed look at third-party risk management, check out our ultimate guide to third-party vendor risk management.

Tips to Improve Your Vendor Risk Assessment Process

Today’s business lives in the cloud, never more so than now, when more employees than ever are working from home in the wake of the COVID-19 pandemic. Using cloud service providers, remote conferencing software, and other third-party vendors, however, increases your risk.

The first step toward managing vendor risks is to assess them. Here’s how to get started:

1. Mind your supply chain.

According to Dark Reading, third-party providers cause the most expensive data breaches. Some of the costliest data breaches have involved third-party-hosted infrastructure vendors and third-party cloud services.

These third parties may have nearly unlimited access to your information, such as the web applications that give employees access to your organization’s databases. Those databases may contain highly sensitive information.

Stay apprised of your third parties’ security, including that of your cloud provider. Know what third parties your third parties use, and so on, all along the supply chain, and how secure those fourth and fifth parties are.

2. Know your regulatory compliance requirements.

Industry standards such as those established by the International Standards Organization (ISO) provide guidance for establishing best practices. Non-compliance with regulations and laws, however, increases the risks to your organization as well as the likelihood of penalties and fines.

Federal and state laws regulate risk management in the financial services industry. The Federal Financial Institutions Examination Council (FFIEC) IT examination handbook requires banks to:

  • Assess whether each third-party relationship supports the institution’s overall objectives and strategic plans
  • Evaluate prospective third-party providers based on the scope and importance of the services they provide
  • Tailor their third-party management program based on an initial and ongoing risk assessment of third parties and the services they provide

The US Department of Health and Human Services, which oversees the Health Insurance Portability and Accountability Act of 1996 (HIPAA), notes that as part of the National Institute of Standards and Technology (NIST) security risk assessment, healthcare providers should ask:

  • What are the external sources of electronic personal health information (e-PHI)? For example, do our vendors or consultants create, receive, maintain, or transmit e-PHI?

While some organizations seek compliance certifications as a way to gain customer trust, the healthcare and financial services industries must comply with regulations or face possible fines and penalties. Will you be ready at audit time?

3. Conduct a third-party risk assessment.

“Trust but verify” is advice we often hear from information security professionals. Verification can be difficult. You may not be familiar with your vendors’ business processes. A risk assessment can give you the information you need to keep your data and systems safe and secure.

Vendor risk assessments follow a workflow similar to the risk analysis you use for your business operations. Questions include:

  • What types of information do your vendors collect, transmit, and store?
  • Which vendors are critical to business operations?
  • Which vendors access your systems, networks, and servers?
  • What levels of access do your vendors have to these systems, networks, and servers?

High-risk vendors critical to your business operations usually have access to sensitive data in your systems, networks, and servers. For example, your human resources department may use a third-party healthcare benefits platform that allows employees to set up their insurance. A breach of that vendor could compromise your private employee information.

4. Do your due diligence.

Identifying risks is only the first step in third-party risk management due diligence. The second step is to verify that your vendors actually follow the protocols they described in the documents they filled out for you.

Historically, vendor risk management has relied on questionnaires and audit reports, trusting the vendor to provide accurate, up-to-date information.

These questionnaires provide insight into the strategies that companies intend to use, but communications may break down, or daily business practices may fall out of alignment with intentions. Meanwhile, cybersecurity threats emerge and change continually. A vendor may be secure today, but a new threat may arise tomorrow that makes them a liability.

Appropriate due diligence requires that you continuously monitor the vendor’s data environment.

How to create a security-first vendor management program

If you have many vendors, managing them may seem overwhelming, unless you realize that vendor management is merely one component of your overall compliance strategy. If yours is a security-first compliance program, you’re a step ahead of many companies.

When you view security as your primary goal and then align compliance to your controls, you most likely continuously monitor your data environment. Extending that monitoring to your vendor management program means eyeing your vendors’ security controls the way you monitor your own.

Use real-time threat monitoring to review the potential threats your vendors pose and help them secure their data so that you can protect your own.

Use ZenGRC for simple, security-first vendor management

Vendor risk management means reviewing your third-party providers’ security as diligently as you review your own. However, CISOs need tools that help manage the influx of alerts.

One person can’t be in contact with every vendor, every day. Even businesses with few vendors can find it difficult to get organized enough to continuously monitor and stay in contact with them.

ZenGRC, our software-as-a-service, simplifies task management for vendor risk management programs. Using it, compliance officers can assign remediation work and capture all the relevant data about each task: the requester, the assignee, the current status of the task, and the necessary deadlines.

Now your CISO can use a workflow that streamlines your vendor management program and helps keep your organization secure. With ZenGRC, you’ll know where tasks stand in the process. Nothing falls between the cracks because there are no cracks. Vendor risks get managed with ease and efficiency, and you’re free to turn your attention to other, more pressing tasks, like satisfying your customers and boosting your bottom line.

Worry-free vendor risk management is the Zen way. Why not contact us for a demo today?
