A formal, written vendor or third-party risk management policy is the first step in developing your vendor risk management program, and essential to that program’s success.
Vendor risk management encompasses third-party risks as well as those of your vendors’ vendors — fourth-party risks — and is an important component of any cybersecurity program.
A vendor risk management policy spells out the identified risks your organization faces in its use of third-party vendors, and the controls in place to minimize those risks. Think of it as a sort of road map to the success of your third-party risk management program.
Having a vendor management program is more important today than ever before. The digital age has brought about a dramatic increase in third-party vendor relationships. One survey, by the Audit Committee Leadership Network, found that two-thirds of respondents had more than 5,000 third-party relationships; some, the report states, have many more. One enterprise reported using 28,000 vendors!
Vendor management is a risky business, indeed. Every third-party vendor, supplier, contractor, service provider, and customer with whom your entity works brings potential data breaches, providing another portal through which hackers could strike. In addition to an information security risk, third parties bring other potential risks: legal, compliance, and reputational.
Creating a written vendor management policy is the first step toward reducing that risk. It helps to ensure that your risk management program is applied consistently to all third-party vendors from onboarding through termination and that those vendors handle your sensitive data in compliance with regulations, standards, and your own privacy and information security policies.
Along with your policy, you’ll also need third-party risk management procedures outlining the roles and responsibilities of all involved in your vendor risk management program, including those of senior management, your business lines, and, where applicable, the vendors themselves.
Setting up a Vendor Risk Management Policy
Every vendor management policy will differ, but the steps to create one will be essentially the same:
- List all third-party vendors associated with your enterprise—and include their third-party vendors.
- Conduct a risk assessment to identify the risks your business might incur from using those third parties.
- Score and classify each vendor’s risk according to whether or not they have access to your sensitive information and to your network. Consolidate your rankings in a central database for easy access.
- Establish your vendor risk management procedures. Your policy should address at a high level:
  - Conducting “due diligence” of vendors: What questions do you ask?
  - Service Level Agreements: What do these contain?
  - Vendor compliance with regulatory and industry frameworks: Which do you require?
  - Vendor controls: What’s acceptable? Required?
  - Breach liability: Who’s to blame if there’s an information security breach?
  - Breach procedures: What’s your plan if a vendor experiences a disruption or failure in services?
  - Vendor review: Which certifications do you want to see, and how do you audit your vendors?
  - Termination of contracts
  - Oversight required from the board and senior management
  - Monitoring of third-party vendors: How do you ensure that vendors continue to meet your requirements and comply with ever-changing regulations?
Your third-party risk management policy should be reviewed and updated regularly to ensure that it, and your enterprise, can adapt to changing circumstances and situations.
Where to find help
Conducting a vendor risk management program is a big job, with lots of moving parts. Just creating, sending out, tracking, and logging the answers to vendor surveys can be enough to make a risk or compliance officer’s head spin—especially if you’re using spreadsheets to organize everything.
Fortunately, there’s a tool for that. ZenGRC, a governance, risk, and compliance software-as-a-service, automates the vendor risk management process with user-friendly compliance checklists and dashboards showing which third parties are in compliance and which are not—as well as where the gaps are located and how to fill them.
Zen sends out your vendor surveys so you don’t have to, and collects and collates the results. It can also help you rank and rate third parties according to their level of risk, and continuously monitor for changes in their compliance and risk posture as well as in regulatory requirements.
Freed from these mundane, time-consuming tasks, you’ll be able to turn your focus to more pressing matters—such as protecting your systems and data from unauthorized access and use.
Contact Reciprocity today for your free consultation, and start on the Zen path to vendor risk management.