Vendor risk management (also referred to as third-party risk management) is the process of identifying, monitoring, analyzing, and remediating risks and vulnerabilities created by your third-party vendors and service providers.
Why is vendor risk management (VRM) so important? It helps your organization identify and alleviate any negative impact that may affect your cybersecurity posture, customer data safeguards, regulatory compliance, and overall industry reputation. A robust VRM program ensures that you can minimize the impact of vendor security, reputational or any other adverse incidences on your own organization.
This discipline is not new to businesses that partner with vendors to perform a portion of outsourced work. It’s intended to limit risks and potential security or data breaches, which could have insurmountable consequences for any business.
The History of Vendor Risk Management
The origins of vendor risk management can be traced back to the financial industry, when the FDIC released the Financial Institution Letter 44-2008 in June 2008. This letter identified potential risks associated with using third-party vendors and offered guidance to financial institutions on the four elements that, at the time, made up an effective vendor risk management program:
- Risk assessment
- Due diligence in selecting a third party
- Contract structuring and review
Since 2008, other regulators within the financial industry have followed suit, as did other industries, including healthcare with the well-known Health Information Technology for Economic and Clinical Health Act (HITECH), which was introduced in 2009 to extend the rules of the Health Insurance Portability and Accountability Act (HIPAA) to third parties.
States, as well as other countries, have also joined the effort, implementing regulations focused on third-party risk management. For example, the EU’s General Data Protection Regulation (GDPR) is a strict data and security privacy law targeting businesses that collect data related to people in the EU.
How to Start a Vendor Risk Management Program
If you outsource work to other vendors, a comprehensive vendor risk management program is necessary to gain better visibility into your vendors and the security controls implemented within their own companies.
The structure and requirements of a vendor risk management program can vary widely based on company size, industry, applicable laws, types of vendors, and more. But most programs follow a core set of best practices.
The first step is to determine what is a third-party vendor. This term is used to describe any one person or business that provides products or services to your company but is not an employee. Examples include service providers, such as cleaners, accountants, lawyers, consultants, and contractors; suppliers, such as food and beverage delivery or office supply delivery; technology providers, such as cloud hosting, SaaS software vendors, and payment processing; or equipment maintenance personnel, such as HVAC or printer repair.
While this is not a comprehensive list, it does give you a clearer understanding of who a third-party vendor is. However, it doesn’t address fourth-party vendors, which are your vendors’ vendors. And even though you don’t have a relationship with these vendors, they can still pose a risk to your company.
Next, you’ll need to inventory your third-party vendors and assign a level of risk or security ranking to each one. Obviously, the supplier that delivers your coffee is a low-level risk, but the technology provider that manages your network is much higher since they can access your systems and data. This grading scale, which can be as simple as low, medium or high, is developed internally and is typically used to determine the next steps in your vendor risk management program.
For those vendors identified as “medium” or “high” risk, a thorough assessment of their internal policies and procedures must be completed. This is typically called a vendor risk assessment or questionnaire. Many businesses deliver this to their vendors in the form of a spreadsheet that must be manually completed. Once that spreadsheet is filled out, the requesting business must manually review the answers and determine if they want to do business with this vendor. This process is extremely time-consuming, which is why there are numerous automated security assessment platforms on the market today.
It’s best to draw up a formal vendor risk management policy document once you have your program in place. This document should detail those individuals responsible for vendor risk management, the process, timeline, and vendors included in your program, plus each vendor’s security ranking.
Performing this type of due diligence can go a long way to lessen the likelihood of a third-party breach if done properly and often. However, one simple change in a vendor’s security policy can have a dramatic ripple effect in your business. Which is why many companies are taking vendor risk management to the next level and including attack surface management in their programs.
Attack Surface Management
Attack surface management, or ASM, is a form of continuous monitoring that takes a company’s vendor risk management program a step further. When a vendor security assessment is completed by one of your vendors, this document is an accurate picture of the vendor’s security posture at that point in time. But things change. Employees quit. Policies get updated. And within days, weeks or months, that vendor’s risk assessment can quickly get outdated, putting your company at risk.
ASM fills this security gap by continuously monitoring online threats in your own network environment. Every one of your internet-facing assets—including websites, IP addresses, and applications—are vulnerable to hackers. ASM cross-checks against known threats and alerts your security team whenever a potential threat is suspected. ASM runs in the background, 24-7, without impacting your network, but always watching for unauthorized activity.
See it in Action
See exactly how a hacker views the gaps in your environment with a 15-minute demo of ThreatScape, ProcessBolt’s ASM tool and part of the ProcessBolt vendor risk management platform. Sign up for a demo today.