InfoSec teams have a lot on their plate to ensure their companies are secure and their data is protected against third-party threats. One aspect of their job that has grown in importance recently is both conducting and responding to vendor assessments.
As with any new process, there are going to be pains as you start identifying what works and what doesn't. The initial approach to vendor security assessments was built around email and spreadsheets.
That was fine in the beginning when there were a limited number of vendors to assess, but as the number of vendors has increased, it has not proven to be sustainable long term. The good thing is we're seeing a shift from those manual processes to an automated one driven by platforms built specifically to handle this task.
However, implementing a new tool is just a jumping-off point. There are still a number of tasks related to vendor risk management that are consuming a lot of the InfoSec team's time according to the 2021 State of Vendor Security report, including:
- Reviewing vendor responses, identifying gaps/risks, and writing up the final assessment. (28%)
- Determining vendor risk levels and what information to request from the vendor. (23%)
- Tracking vendor contact information and other relevant info from internal stakeholders. (22%)
- Discovering which vendors need to be assessed. (18%)
- Communicating the results of the vendor assessment internally, to the vendor, and working through any remediation or follow-up tasks. (8%)
In our 2021 report on vendor security, we highlight the current state of vendor risk management, identify trends we’re seeing in the industry, and provide recommendations on how to improve the process for buyers, sellers, and other key stakeholders.
Have a well-defined process in place
The first thing you'll want to do is nail down your assessment methodology, so it is clear which questions and key controls you need to dig into and validate, and for which controls you can rely on the vendor's answers.
With unlimited time and resources, we would do 100% validation on everything, but it's just not possible, so documenting an assessment methodology allows you to prioritize and focus and not be concerned that you aren't turning over every stone.
It doesn't have to be complicated
Keep it simple. A best practice is to use a single standard for all assessments and then apply varying levels of validation based on vendor risk. This goes back to determining a set of key controls for different risk levels. Every control isn't created equal. Some are going to be more important and relevant than others.
A good exercise to help you tease out those key controls is to ask this question, "If I could only ask 25 questions of my vendor for each assessment, what would they be?" This forces you to prioritize what is most critical to your business.
Create a single source of trust for your vendors
First and foremost, establish a formal system of record for vendors and assign a relationship owner to every vendor. Next, establish a repeatable process to keep contact information for vendors up to date. Like access administration, vendor maintenance should happen periodically: identify who owns the relationship and is responsible for the vendor's use and performance. That owner may not know every detail of the relationship, but they are responsible for finding out and keeping your records accurate. A few of the important data points include the type of data shared, the volume of data, the level of access each vendor has, and the internal systems involved.
Assess vendors based on risk
Determining which vendors need to be evaluated should be very black and white and based on risk, not decided on an ad-hoc basis. To do this effectively, document a simple risk model. For example: Type of data + volume of data + criticality of vendor + access type = Risk (High/Medium/Low).
Your VRM Policy or procedure should clearly lay out what type of assessment, if any, is required for each Risk level. Doing so takes out the guesswork and allows for a consistent, repeatable process.
Key stakeholders should determine reporting requirements
Understand who your primary stakeholders are and let THEM determine the reporting requirements. This will be an iterative process. What level of data do they want to see or have access to? The best VRM programs look and act like a consulting firm. They are providing a service to their internal stakeholders and should treat them as clients. In this type of relationship, the clients (stakeholders) provide input into the requirements.
With respect to remediation and follow-up, a good practice is to document a remediation methodology similar to your assessment methodology. Develop a risk rating model for determining the risk of each finding and define actions for each level of risk. A simple risk model uses impact vs. likelihood.
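As an added illustration (this is not code from the original post or from any VRM platform), here is one way to turn the two models above into a repeatable rule set: the vendor risk model from "Assess vendors based on risk" (type of data + volume of data + criticality + access type = High/Medium/Low, with the required assessment per tier) and the impact-vs-likelihood model for rating individual findings. The factor scales, tier thresholds, override rule, and required actions are constructed assumptions for the example; a real VRM policy would set its own.

```python
"""Rule-based vendor tiering and finding rating (added example, not the post's own code).

All scales, thresholds and actions below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


# Each factor is an ordinal scale so that the model in the post
# (data + volume + criticality + access) can be summed. Assumed scales.
class DataType(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    REGULATED = 3      # e.g. PII, PHI, cardholder data


class Volume(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Criticality(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class AccessType(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2
    PRIVILEGED = 3     # admin/integration credentials into internal systems


@dataclass(frozen=True)
class Vendor:
    name: str
    data_type: DataType
    volume: Volume
    criticality: Criticality
    access: AccessType


# Assumed: what each tier requires, so the decision is never ad hoc.
ASSESSMENT_BY_TIER = {
    "High": "full questionnaire; validate evidence for all key controls",
    "Medium": "standard questionnaire; validate evidence for top key controls",
    "Low": "attestation only; rely on vendor answers",
}

# Assumed: defined action per finding risk level (remediation methodology).
ACTION_BY_FINDING_RISK = {
    "High": "remediate or obtain documented risk acceptance before onboarding",
    "Medium": "remediation plan with owner and due date tracked to closure",
    "Low": "note in assessment; re-check at next periodic review",
}


def vendor_score(v: Vendor) -> int:
    """The post's additive model: data + volume + criticality + access (0..12)."""
    return int(v.data_type) + int(v.volume) + int(v.criticality) + int(v.access)


def vendor_tier(v: Vendor) -> str:
    """Map the score to High/Medium/Low using assumed thresholds.

    Override (assumed policy rule): a vendor that can write regulated data is
    always High, regardless of how small the engagement is.
    """
    if v.data_type == DataType.REGULATED and v.access >= AccessType.READ_WRITE:
        return "High"
    score = vendor_score(v)
    if score >= 9:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def required_assessment(v: Vendor) -> str:
    return ASSESSMENT_BY_TIER[vendor_tier(v)]


def finding_rating(impact: int, likelihood: int) -> str:
    """Impact vs. likelihood on 1..3 scales; product thresholds are assumed."""
    if not (1 <= impact <= 3 and 1 <= likelihood <= 3):
        raise ValueError("impact and likelihood must be 1..3")
    product = impact * likelihood
    if product >= 6:
        return "High"
    if product >= 3:
        return "Medium"
    return "Low"


def finding_action(impact: int, likelihood: int) -> str:
    return ACTION_BY_FINDING_RISK[finding_rating(impact, likelihood)]


if __name__ == "__main__":
    # Constructed sample vendors, not real companies.
    samples = [
        Vendor("payroll SaaS", DataType.REGULATED, Volume.HIGH, Criticality.HIGH, AccessType.READ_WRITE),
        Vendor("analytics tool", DataType.INTERNAL, Volume.MEDIUM, Criticality.MEDIUM, AccessType.READ_ONLY),
        Vendor("office plants", DataType.PUBLIC, Volume.LOW, Criticality.LOW, AccessType.NONE),
    ]
    for s in samples:
        print(f"{s.name}: score={vendor_score(s)} tier={vendor_tier(s)} -> {required_assessment(s)}")
    print("finding impact=3 likelihood=2:", finding_rating(3, 2), "->", finding_action(3, 2))
```

The point of the override rule is that a purely additive score can under-rate a small engagement that nonetheless handles your most sensitive data; stating such exceptions explicitly in the policy keeps the tiering consistent and auditable.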
InfoSec teams that implement these best practices should see an increase in their efficiency and deliver a streamlined process for assessing vendor risk.