How to Assess Third-Party Vendors and Mitigate Security Risks
Establishing partnerships, outsourcing, or purchasing products from multiple third-party vendors frequently involves risk. Other third parties, such as regulatory bodies, government agencies, or strategic consultants, can also pose grave risks. These risks may result in reputational damage, regulatory fines, legal liability, business interruptions, and so forth.
Whether you buy products from a wholesaler to run your business, outsource human resources or other administrative functions, contract medical care to support healthcare services for your employees, or integrate your systems with a third-party vendor, the sensitive or confidential data at the heart of your business can easily be put at risk of compromise.
According to the Bomgar Vendor Vulnerability Index 2016, “35% of data breaches result from third-party vendor access” (see Figure 1 below).
An analysis of recent high-profile data breaches revealed that attackers first penetrated the victim’s network through a trusted channel belonging to one of its third-party vendors. In these attacks, the adversaries either impersonated a legitimate vendor to pursue their goals or leveraged the weaknesses of a legitimate vendor to compromise another company.
Another study, the 2017 Vendor Risk Management Benchmark Study, found that 71% of insurance companies, including healthcare providers, said they would change their higher-risk relationships over the next twelve (12) months, whereas 48% of respondents said it had become crucial from a regulatory and risk standpoint to analyze a vendor’s contractors. Unfortunately, shrinking budgets force organizations to cut costs by outsourcing critical business tasks and systems that contain sensitive information.
What is Vendor Risk Management?
Vendor security represents a significant part of the risk management process but, unfortunately, it is often neglected. To reduce vendor risk to an acceptable level, an effective and efficient Vendor Risk Management (VRM) program must be put in place.
According to Gartner, “VRM is the process of ensuring that the use of IT suppliers and service providers doesn’t have a negative impact on business performance or create an unacceptable potential for business disruption. VRM ensures that enterprises analyze, monitor, and manage their risk exposure from the third-party vendors that offer services and IT products, or that have access to a corporation’s critical information.”
A fundamental step of VRM is the Vendor Risk Classification.
How to Perform a Vendor Risk Classification
Performing a vendor risk classification involves three (3) critical elements:
- Develop Inventory
- Classify Risk of Each Vendor
- Determine the Type of Assessment
1. Develop Inventory
The first step is the creation of a vendor inventory. Developing an inventory will help you know who your vendors are and what type of data they are allowed to access. Building an effective inventory involves five further steps:
- Review Existing Inventories
- Review Contracts
- Analyze Accounts Payable
- Develop Business Questionnaire
- Conduct Meetings
2. Classify Risk of Each Vendor
Your company might have a relationship with several vendors that could pose multiple risks. Each vendor can have a specific type of risk and, therefore, you must categorize each vendor’s potential risks to know what actions are needed to remediate these risks, depending on the criticality of the vendor and the type of the risk. The risk profile of each vendor can be defined through the process of risk identification and integration, risk classification and analysis, control evaluation, and risk reporting and treatment.
Types of risk that vendors can pose to your company:
- Strategic risks
- Industrial risks
- Reputational risks
- Geographical risks
- Credit risks
- Transactional risks
- Operational risks
- Compliance risks
In addition to the risk type, you can also classify risk in two further ways—either according to the relationship you have with the vendor or according to the data it handles. When dealing with third-party vendors, it is imperative to clarify how data will be stored and handled both during and after the relationship, to avoid potential damage inflicted on your company.
As per the NAVEX Global 2016 Third-Party Risk Management Benchmark Report, “in 2016, only 22% of U.S. organizations monitored all of their third-party relationships”.
For example, TigerSwan’s former recruiting vendor left thousands of files with sensitive information of American citizens on an unsecured Amazon server, even though the contract with the third-party vendor had been terminated in February 2017.
Types of third-party relationships:
- Infrastructure Only—In this type of relationship, the vendor provides only the core infrastructure, such as servers and network devices.
- Managed Applications—With this type of relationship, the vendor gains some control over the installation, maintenance, and support of the applications.
- All Data—This relationship involves vendor control over both infrastructure and applications. The vendor may also provide disaster recovery functions such as backup and data recovery.
3. Determine the Type of Assessment
Risk assessments allow your enterprise to measure the level of risk involved in your relationship with a third-party vendor.
Once the risk is identified, your company can either remediate the situation or terminate the relationship with the vendor. There are typically three types of risk assessment that companies perform to pinpoint potential issues before they occur:
- On-site Assessment—This usually consists of interviews and document review. On-site assessments are the most resource-intensive. The list of interview questions is built from standards such as NIST Special Publication 800-53 or ISO 27001.
- Off-site Assessment—This is also referred to as a desktop review. Off-site assessments involve interviews and a limited document review.
- Self-Assessment—In this type of assessment, the third-party vendor responds to a questionnaire. It is the least resource-intensive.
How to Assess Vendors
Assessing vendors involves a number of steps that your company must follow to head off potential problems. Your company can designate a Vendor Security Assessor (VSA) who engages the vendor for assessment. The VSA must know the process for scheduling an assessment and the time required to assess the vendor. The VSA should also be familiar with the escalation process to follow if the vendor is reluctant to cooperate.
Essential steps for assessing vendors:
- Create Questionnaires and Checklists—The first phase involves the creation and maintenance of questionnaires and checklists. The checklists are organized in predefined hierarchies so that particular sections and sub-sections can be assigned to multiple vendors. The complete set of checklists and questionnaires can be used to conduct a full vendor audit, while specific checklists and questionnaires can be used for a focused vendor audit, depending on the scope of the risk assessment.
- Coordinate Assessment with the Vendor—Once questionnaires and checklists have been created, your company needs to coordinate assessments with each vendor you are dealing with.
- Review Questionnaire Responses—Follow up on questions and request additional information if required. Identify gaps and look for recommendations.
- Conduct On-site/Phone Assessment—Establish an assessment plan that focuses the due diligence effort on essential areas. Look for “red flags” that may uncover potential problems within your vendor’s environment.
- Questionnaire to Vendor—Create another questionnaire from a vendor perspective. Start with the question: Are you ISO 27001 certified? Other questions can be about finance, operations, and security.
- Vendor Completes and Returns Questionnaire—The vendor needs to answer each question in the questionnaire and return it to the partnering company.
- Identify Issues—Document all issues and gaps and then discover how to remediate them.
How to Manage Issues
Managing issues is the last step whereby your company documents issues and develops actionable solutions to remediate these issues.
Typically, this involves four steps:
- Verify and Finalize Issues with Vendor—During the questionnaire phase, your company will be able to discover various issues with the vendor. The company needs to identify gaps so that subsequent measures can be taken immediately.
- Vendor Provides Remediation Plan—The vendor must provide a remediation plan for the identified issues.
- Track Issues—Agree on the techniques that will be used to track and escalate issues, and on what to look out for.
- Close Issues—Once all the issues are resolved, they should be formally closed.
When managing the issues, you should be able to answer the following questions:
- Where will issues be stored?
- What tools will be used to track issues?
- How will your company produce effective management reports?
- What is the allowed and appropriate timeframe for a vendor to deal with high, medium, and low-risk issues?
- What should be the process to follow up on issue status?
- What should be the process to close the issue?
- What should be the risk acceptance process?
How to Select and Manage Vendors
In an ever-changing competitive industry, the selection of the vendor/product depends not only on quality and cost but also on numerous risks involved in the relationship. Enterprises should establish a thorough process to vet vendors prior to their selection. Then, vendor security and privacy controls should be actively monitored to mitigate the risks created by third-party relationships.
Steps of an effective vendor selection and management program:
- Identify Your Vendor Network—In most organizations, complete vendor inventories are either out of date or don’t even exist. Smaller companies do not have as much control over higher risks as larger companies may have. You must audit third-party contracts that might have been signed at a departmental level rather than via a usual centralized contracting channel and centralized review. Doing so helps you recognize the risks that your third-party contracts may bring.
- Establish a Risk Profile of all Vendors—Once you have a complete inventory, you need to develop risk criteria and conduct a risk assessment through surveys, on-site visits, and questionnaires. You should also be aware of each vendor’s financial stability and security controls.
- Deal with high-risk Vendors First—Once high-risk vendors are identified, you must mitigate these risks by working with the vendors in question. Doing so requires you to utilize digital rights management and data protection techniques.
- Develop Ongoing Monitoring Process—You must periodically use questionnaires, surveys, and audits to assess the vendor’s compliance requirements and security controls.
If not properly evaluated and managed, third-party vendors can expose partnering organizations to considerable risk. Each vendor can carry a different type of risk, such as strategic, compliance, or operational risk. Overlooking these risks can expose enterprises to data breaches or compliance issues. Therefore, corporations must take proactive measures when establishing partnerships or outsourcing services to third-party vendors. These measures include Vendor Risk Classification, Vendor Assessment, and Issue Management. In addition, an effective vendor selection and management process is indispensable. Together, these steps can help enterprises prevent data breaches and minimize the risks caused by third-party vendors.