
How to Develop a Vendor Risk Management Program

If you’re like most businesses, you have a variety of third-parties that you rely on to support your core business functions. And in many cases, they have the ability to connect to your network. By providing them remote access, you are effectively increasing your potential attack surface for cybercriminals to exploit. So what happens if their systems aren’t secure? They could inadvertently open up a door to your network and allow a cybercriminal to get in.

One of the best ways to mitigate cybersecurity risk posed by third-party vendors is to implement a Vendor Risk Management Program. Here are the steps you should take to build an effective program.

Identify all your vendors and business associates and what they have access to, then prioritize vendors based on risk:

  • Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.

  • High Risk: Vendors who have access to customer data and have a high risk of information loss; and / or upon whom your organization is highly dependent operationally.
  • Medium Risk: Vendors whose access to customer information is limited; and / or whose loss of services would be disruptive to your organization.
  • Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.

Ensure access is based on legitimate business need. It’s best to follow the principle of least privilege, which is the practice of limiting users’ access rights to the bare minimum permissions they need to perform their work. Under this principle, users are granted permission to read, write, or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary.

Vet all new vendors with due diligence

Define your process, which can include:

  • Getting references
  • Using a standard checklist
  • Documenting and reporting to senior management

Require your Critical and High Risk vendors to provide:

  • Evidence of security controls via contract and documentation. This may include Information Security Policies, a Business Continuity Program, Disaster Recovery test results, a list of recent breaches, proof of insurance, financial statements, etc.
  • Evidence that security controls are effective. This may include SOC 1 / SOC 2 reports, a synopsis of vulnerability scanning and/or independent penetration testing, compliance reports, etc.
  • Evidence that they can continue to provide contracted services in the event of a disaster
  • Evidence that they have a strong Incident Management Program and will duly report incidents to you as required by law, regulations, and best practices

Ensure the vendor is cooperative

For example, a mature vendor should expect requests like these. If they balk or cannot provide the requested information, consider an alternative. Verbal assurance does not suffice.

Review all Business Associate Agreements and contracts on a regular basis

All Critical and High Risk vendors should undergo a full due diligence review annually. All Medium Risk vendors should undergo a due diligence review proportionate to their risk every two years. Some industries and regulators will require you to perform reviews on Medium Risk vendors annually. All other vendors, including Low Risk vendors, should undergo an annual survey.

Ensure all contracts are reviewed with legal counsel

For new and renewal contracts for your Critical and High Risk vendors, be sure to include:

  • Requirements to keep systems and data secure per best practices and industry standards
  • Confidentiality and privacy requirements
  • Requirements to notify you of security breaches, incidents, and vulnerabilities
  • Requirements to undergo independent penetration tests and vulnerability assessments
  • Requirements to provide you access to audit documents

Have a backup plan

If your vendor fails to provide the contracted services, you need to be able to quickly pivot to another vendor, especially if they are providing you with a critical service. Be sure you know who else in the field is able to provide the same services.

Continuously review

Just like everything in security, vendor management is a continuous process. It requires constant vigilance and awareness of what is happening on your network, and of course that also means what is happening on your vendors’ networks.