How to Appropriately Select Vendors and Also Manage and Monitor Their Associated Risks
In this article, I will discuss what vendor risks are and why the risks associated with the vendors that support your business should be identified and then monitored on an ongoing basis. Further, I will discuss how organizations can actually go about identifying and monitoring those risks.
What is a Vendor/Third-Party Risk Management Process?
Simply put, a vendor/third-party risk management process is one that guides an organization in conducting appropriate due diligence during the vendor selection process while also ensuring that selected and current vendors are monitored on an ongoing basis.
Most organizations rely on vendors to perform a variety of services, some of which are critical for operations. The aim of any vendor risk management process is to manage vendor relationships, ensure they are meeting their commitments made to you, and to minimize the risk associated with engaging with third parties.
At a minimum, as part of the due diligence of selecting and managing vendor relationships, the process would generally consist of the following two points:
- Conducting a risk assessment of the vendor's security posture and, from that, selecting the most appropriate vendor for your organizational needs and risk tolerance levels.
- Conducting ongoing, risk-based monitoring of vendors.
The above points of the vendor management process can be achieved through a documented vendor risk management policy, which provides a framework for consistently evaluating, onboarding and managing the lifecycle of vendor relationships. Further, an organization's vendor management policy and risk assessment process should formally lay out the process of identification, analysis, and management of risks. Template guides to help any organization put a policy together are typically available for free from security organizations such as NIST and SANS, to name a few.
What Exactly is A Third-Party Vendor Risk?
Examples of third-party vendor risk: Third-party risks are simply the risks that arise from doing business with a vendor. One example is the additional risk of exposure of your data if a vendor is handling, processing or storing that data. Another risk scenario is outage risk: if you are hosting your infrastructure at a third-party data center, you would certainly want to validate whether or not they have the appropriate physical and environmental security controls in place, since those controls protect your infrastructure in the event of a disaster. Below I will outline some of the typical ways in which organizations can identify and then manage vendor risks.
As part of your overall risk assessment policy and process, vendor risks should be noted within the overall risk register, which is a list of all of your organization’s risks with outlined details on when and how they are being addressed.
How Do You Manage Vendor Risks?
Third-party vendor monitoring: A core component of any organizational risk management program is vendor management and monitoring. Once vendor contracts are signed, and services are being performed, organizations should monitor their vendor/third parties periodically (annually is best practice).
Again, prior to engaging with a new vendor who will touch, transmit, or store your data, proper due diligence on that organization is required. This includes documenting the due diligence in a consistent way, as laid out in your vendor risk management policy, for all vendors.
Vendor risk assessments are one of the primary mechanisms organizations use to evaluate a vendor's or subcontractor's security maturity. This typically includes a security questionnaire that the vendor completes and that you then review. The questionnaire can be developed in-house or obtained externally. For reference, the Standardized Information Gathering (SIG) questionnaire developed by sharedassessments.org is a great best-practice tool that organizations can purchase and use for vendors who have no security audit reports to provide for your evaluation.
Below are also other great mechanisms that an organization can choose as part of their vendor policy to monitor vendor risks:
- Reviewing and reconciling output reports
- Holding periodic discussions with the third party
- Making regular site visits to the third party
- Testing controls at the third party by members of the service organization’s internal audit function
- Reviewing SOC 2 reports (type 1 or type 2)
- Monitoring external communications, such as customer complaints relevant to the services by the third-party organization.
- Vendor security questionnaire (as previously mentioned)
Your organization can select one or a few of the above to evaluate your vendors. Vendors should be reviewed periodically, or more frequently when the services supporting your products change significantly. Essentially, a process similar to the one used for assessing internal risks should be followed in identifying and addressing the risks that your vendors pose to your products and services. Typically, if your vendor can provide you with an external audit report, such as a SOC 2 report, reviewing that report is enough for you to gain an understanding of the overall security posture of the company.
To further highlight, when reviewing this type of audit report (a SOC 2) you want to validate the scope of the audit, to ensure the services you are utilizing are covered by the report. You also want to confirm whether any significant issues or exceptions were found within the report that you should be concerned with. Lastly, you want to review the complementary user entity controls (CUECs) to confirm whether you have, or need to implement, the controls on your side that are necessary for the vendor to meet the commitments it has made to you.
Risk-Based Approach to Vendor Monitoring
Categorizing vendors: A final point – many organizations deal with multiple types of vendors, and therefore it is best to develop a risk ranking system (as part of the vendor risk management policy noted above) to categorize them. Those that pose the highest risk to your organization should be prioritized for monitoring on a regular basis over those vendors who pose a lesser risk. The process for determining the level of risk (high, medium, low) is described further in this article as part of your organization's overall information security risk management processes.
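As an added example (not code from the article or from Linford & Co.), the following Python model applies the risk ranking and the SOC 2 review checks described above (scope, exceptions, CUECs, questionnaire fallback) to a constructed vendor register; the vendor names, record fields and per-tier review intervals are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review cadence per tier is an assumption for this example; the article's
# baseline is an annual review, with higher-risk vendors reviewed more often.
REVIEW_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}

@dataclass
class Vendor:
    name: str                        # constructed sample name, not a real vendor
    handles_data: bool               # touches, transmits or stores your data
    critical_to_operations: bool     # an outage would disrupt your services
    soc2_type: Optional[int] = None  # 1 or 2; None when no report was provided
    scope_covers_services: bool = False  # report scope includes what you use
    unresolved_exceptions: int = 0   # significant exceptions still open
    cuecs_total: int = 0             # complementary user entity controls listed
    cuecs_implemented: int = 0       # ...that you have actually put in place
    last_review: Optional[date] = None
    services_changed: bool = False   # significant change since last review

def risk_tier(v: Vendor) -> str:
    """Rank the vendor high/medium/low from data exposure and criticality."""
    if v.handles_data and v.critical_to_operations:
        return "high"
    if v.handles_data or v.critical_to_operations:
        return "medium"
    return "low"

def due_diligence_gaps(v: Vendor) -> list:
    """SOC 2 review checks: scope, exceptions, CUECs; questionnaire if no report."""
    gaps = []
    if v.soc2_type is None:
        gaps.append("no audit report: send a security questionnaire (e.g. SIG)")
        return gaps
    if not v.scope_covers_services:
        gaps.append("SOC 2 scope does not cover the services you use")
    if v.unresolved_exceptions:
        gaps.append(f"{v.unresolved_exceptions} unresolved exception(s) in the report")
    if v.cuecs_implemented < v.cuecs_total:
        missing = v.cuecs_total - v.cuecs_implemented
        gaps.append(f"{missing} CUEC(s) not implemented on your side")
    return gaps

def review_due(v: Vendor, today: date) -> bool:
    """Due when never reviewed, on significant change, or past the tier cadence."""
    if v.last_review is None or v.services_changed:
        return True
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[risk_tier(v)])
    return today >= v.last_review + interval
```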
Developing a well-functioning Vendor/Third-Party Risk Management program is fundamental to the security of your organization. External and internal security threats continue to grow in complexity and sophistication, and it is important to protect your brand and reputation from your vendors' information security risks.
Linford and Company has extensive experience working with organizations to define their vendor risk management processes. Please contact us if you would like to learn more about how we can help you.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO Lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelor of Business Administration, with a concentration in Management Information Systems, at Temple University's Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010, specializing in internal and external audits as well as IT security risk assessments. Following her time in risk management, Olivia moved solely into external IT audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.