For many InfoSec teams, the vendor assessment process requires many moving pieces and sharing of information. The back-and-forth between an internal sales or procurement team, the vendor point of contact, the vendor’s InfoSec team, and other stakeholders can quickly become convoluted and confusing. This is also equally true for the information itself that is being shared between teams.
Sharing security documentation with vendors
Vendor risk management and security operations boils down to sharing security documentation between teams to ensure compliance and a secure partnership. Without clear transparency into security controls, other vendor connections, and risk factors, it is impossible to make a secure vendor partnership happen. Unfortunately, sharing risk documentation, assessments, questionnaires, controls, and more security information with vendors means opening up this information to more hands than can be controlled.
Sending security documentation via email or as a Word document or spreadsheet gives others the ability to edit and/or change the information you’re sharing. This can be especially tricky when InfoSec team members need to make an addition or edit for one vendor without changing documentation for all vendors. Luckily, security teams can maintain control of this documentation and content without restricting visibility for internal and external stakeholders.
Maintaining control throughout the vendor assessment process
Building a single source of truth for your security documentation is critical to maintaining content control throughout the VRM process. This way, your InfoSec team can have complete ownership over all security documentation and share it with stakeholders (both internal and external) whenever needed. Your team can make real-time updates to a single assessment or change all of your security documentation if the need arises. This allows for transparency between teams and visibility into security controls without limiting access.
Here are a few additional tips for controlling security documentation:
- Control internal access to security information. While your sales or procurement team may ask for access to your security documentation, it’s a good idea to keep editing and updating privileges specifically for your InfoSec team so things don’t get changed on an ad-hoc basis.
- Do a pre-screening of vendors before sharing your security controls. Before sending any security documentation to a new or potential vendor, run a quick audit of the organization’s public information and/or industry reputation to get ahead of any potential risks.
- Publish your vendor assessment process so there are no questions. Your team can get ahead of potential questions, confusion, and process issues by publishing your vendor assessment process. This way, vendors know what they will be getting into before entering into the VRM workflow, which can help mitigate any unnecessary risk.
Stay on top of your security documentation with Whistic
With the Whistic Security Profile, InfoSec teams can build secure security documentation catalogs, share with vendors and customers, and not have to worry about unrestricted access to documentation. As your team updates security controls or needs to add assessment, your Security Profile can be edited in real-time, and the changes will publish automatically, ensuring your vendors always have the most up-to-date information possible.
You can learn more about the Whistic Security Profile here.