There are many ways to structure a vendor risk management program, an increasingly important practice given today's complex vendor ecosystems and the data protection obligations that come with them. The following is what our solution engineer would advise if starting from scratch.
The vendor class will tell you a lot about how to manage your relationship, specifically how much scrutiny to apply during the pre-contract due-diligence assessment.
1. Vendor Risk Tiering
Classify the exposure created by your vendors by assessing the likelihood and impact of a cyber event.
2. Begin The Assessment
After classifying vendors, you will know what the scope of the assessment should be.
1. Determine Assessment Scope & Necessary Questions
Each vendor tier will have a corresponding assessment scope – high-risk vendors should be assessed via questionnaire and a corresponding on-site evaluation, while lower-risk vendors can be assessed with a lower level of rigor such as a questionnaire and desktop document validation.
Regardless of tier classification, each vendor should complete a self-assessment questionnaire. The questionnaire should only include relevant questions that show what level of risk a vendor will expose you to. Include well-documented expectations and guidelines, as well as a deadline.
3. Validate Vendor Assertions
Examine the evidence your vendor provides that proves their controls are operating effectively, such as policies, procedures, and audit results.
4. Ongoing Monitoring
Continue to update your data as there are changes in your relationship with your vendor.
A well-designed questionnaire should have a corresponding analysis component. Scoring a questionnaire can be difficult, but it is important to know the status of each issue as it evolves, which is why we suggest issue-based scoring.
1. Create a Matrix
Map each question's negative answers to an issue severity and a mitigation strategy.
2. Track Issues
Know the dynamic status of each issue at all times – this way, no exposure will go unaddressed.
3. Address Findings
Hold your vendors accountable for helping you close the issues that must be addressed. When you define your program policies, plan how you will deal with issues of each severity in a repeatable fashion. This will ensure consistency in your approach.
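As an added illustration (this is example code, not the article's or CyberGRX's own tooling), the following Python sketch implements the tiering from step 1 and the issue-based scoring matrix and issue tracking described in the three steps above. The likelihood and impact scales, the tier thresholds, the severity weights, and the sample questionnaire rows are all assumptions made for the example.

```python
"""Vendor tiering and issue-based questionnaire scoring (added example, assumptions throughout)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


class Severity(IntEnum):
    """Issue severity levels; the numeric weights are this example's assumption."""
    LOW = 1
    MEDIUM = 3
    HIGH = 7
    CRITICAL = 15


def tier_vendor(likelihood: int, impact: int) -> str:
    """Tier a vendor from 1-5 likelihood and 1-5 impact ratings (scale and thresholds assumed)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be rated 1-5")
    exposure = likelihood * impact
    if exposure >= 15:
        return "high"
    if exposure >= 6:
        return "medium"
    return "low"


# Assessment scope per tier, following the article's tier-to-rigor mapping.
SCOPE_BY_TIER = {
    "high": ["self-assessment questionnaire", "on-site evaluation"],
    "medium": ["self-assessment questionnaire", "desktop document validation"],
    "low": ["self-assessment questionnaire"],
}


@dataclass(frozen=True)
class MatrixRow:
    """One matrix row: the question, the answer that raises an issue,
    the issue's severity, and the mitigation expected from the vendor."""
    qid: str
    question: str
    negative_answer: str
    severity: Severity
    mitigation: str


# Constructed sample matrix; the questions are not from the page.
MATRIX: List[MatrixRow] = [
    MatrixRow("Q1", "Is customer data encrypted at rest?", "no", Severity.HIGH,
              "Encrypt customer data stores and provide evidence of the configuration."),
    MatrixRow("Q2", "Is MFA enforced for all administrative access?", "no", Severity.CRITICAL,
              "Enforce MFA on administrative accounts and supply the policy export."),
    MatrixRow("Q3", "Are backups restore-tested at least annually?", "no", Severity.MEDIUM,
              "Run and document a restore test."),
    MatrixRow("Q4", "Is there a documented incident response plan?", "no", Severity.MEDIUM,
              "Publish an IR plan and share the current version."),
]


@dataclass
class Issue:
    qid: str
    severity: Severity
    mitigation: str
    status: str = "open"  # lifecycle: open -> remediating -> closed
    evidence: List[str] = field(default_factory=list)


def score_questionnaire(answers: Dict[str, str], matrix: List[MatrixRow]) -> List[Issue]:
    """Turn questionnaire answers into tracked issues via the matrix.
    An unanswered question is treated as a negative answer, because the vendor
    has not shown the control exists (an assumption of this example)."""
    issues = []
    for row in matrix:
        answer = answers.get(row.qid, row.negative_answer).strip().lower()
        if answer == row.negative_answer:
            issues.append(Issue(row.qid, row.severity, row.mitigation))
    return issues


def risk_score(issues: List[Issue]) -> int:
    """Sum severity weights of every issue not yet closed; remediating issues still count."""
    return sum(int(i.severity) for i in issues if i.status != "closed")


def update_issue(issues: List[Issue], qid: str, status: str, evidence: str = "") -> Issue:
    """Move an issue along its lifecycle; closing requires validation evidence (step 3)."""
    if status not in ("open", "remediating", "closed"):
        raise ValueError(f"unknown status {status!r}")
    for issue in issues:
        if issue.qid == qid:
            if status == "closed" and not evidence:
                raise ValueError("an issue may only be closed with validation evidence")
            issue.status = status
            if evidence:
                issue.evidence.append(evidence)
            return issue
    raise KeyError(qid)


if __name__ == "__main__":
    tier = tier_vendor(likelihood=4, impact=5)
    print(tier, SCOPE_BY_TIER[tier])
    answers = {"Q1": "yes", "Q2": "no", "Q3": "No", "Q4": "yes"}  # constructed responses
    issues = score_questionnaire(answers, MATRIX)
    print("score before remediation:", risk_score(issues))
    update_issue(issues, "Q3", "closed", evidence="restore-test-report (hypothetical)")
    print("score after closing Q3:", risk_score(issues))
```

The design choice worth noting is that the score is derived from open issues rather than from a raw count of negative answers, so it moves as findings are remediated and validated, and an issue cannot reach "closed" without evidence attached, mirroring the validation step.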
Building a strong VRM program is essential to the security of your business and its data. Each component will require constant fine-tuning, especially while your program evolves in maturity and sophistication. If you’re looking for an innovative, dynamic approach, schedule a demo or read our Vendor Risk Management Guide to learn more.