Sage Advice - Cybersecurity Blog

Seven Steps to a Successful Vendor Risk Management Program

If you’re like most businesses, you rely on a variety of third parties to support your core business functions, and in many cases they have the ability to connect to your network. By providing them remote access, you are effectively increasing the attack surface available to cybercriminals. So what happens if their systems aren’t secure? They could inadvertently open a door to your network and let a bad guy in.

One of the best ways to mitigate cybersecurity risk posed by third-party vendors is to implement a Vendor Risk Management Program. Here are the steps you should take to build an effective program.

#1. Identify all your vendors / business associates and what they have access to.

Not sure how to create your vendor list? Get some tips in our post, Vendor Management - Tips for Creating a Vendor List.

#2. Prioritize vendors based on risk.

  • Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.
  • High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organization is highly dependent operationally.
  • Medium Risk: Vendors (1) whose access to customer information is limited; and / or (2) whose loss of services would be disruptive to your organization.
  • Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.

Ensure access is based on legitimate business need. It’s best to follow the principle of least privilege (POLP), the practice of limiting users’ access rights to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources they need to do their jobs; in other words, the least amount of privilege necessary (TechTarget).

#3. Vet all new vendors with due diligence.

  • Define your process, which can include:
    • Getting references;
    • Using a standard checklist;
    • Performing a risk analysis and determining whether the vendor will be ranked Critical, High, Medium, or Low.
  • Document and report to senior management.
  • Require your Critical and High Risk vendors to provide:
    • Evidence of security controls via contract and documentation. This may include Information Security Policies, a Business Continuity Program, Disaster Recovery test results, a list of recent breaches, proof of insurance, financial statements, etc.
    • Evidence that security controls are effective. This may include SOC 1 / SOC 2 reports, a synopsis of vulnerability scanning and / or independent penetration testing, compliance reports, etc. Learn more in our blog post Assessing Vendor Cyber Readiness: What to Look for in a SOC Report.
    • Evidence that they can continue to provide contracted services in the event of a disaster.
    • Evidence that they have a strong Incident Management Program and will duly report incidents to you as required by law, regulations, and best practice.
  • Ensure the vendor is cooperative. For example:
    • A reputable vendor should expect requests like these.
    • If they balk or cannot provide the requested information, consider an alternative.
    • Verbal assurance does not suffice.

#4. Review all Business Associate Agreements (BAAs) and contracts on a regular basis.

  • All Critical and High Risk vendors should undergo a full due diligence review annually.
  • All Medium Risk vendors should undergo a due diligence review applicable to the risk every two years. Note: Some industries and regulators will require you to perform reviews on medium risk vendors annually.
  • All other vendors, including Low Risk vendors, should undergo an annual survey.

#5. Ensure all contracts are reviewed with legal counsel.

For new and renewal contracts with your Critical and High Risk vendors, be sure to include:

  • Requirements to keep systems and data secure per best practices and industry standards;
  • Confidentiality and privacy requirements;
  • Requirements to notify you of security breaches, incidents, and vulnerabilities;
  • Requirements to undergo independent penetration tests and vulnerability assessments; and
  • Requirements to provide you access to audit documents.

Learn more about contracts in our blog post, Managing Vendor Cybersecurity Risk: What to Do Before You Sign.

#6. Have a backup plan.

If your vendor fails to provide the contracted services, you need to be able to quickly pivot to another vendor, especially if they are providing you with a critical service. Be sure you know who else is in the field and is able to provide the same services.

#7. Continuously review.

Just like everything in security, vendor management is a continuous process. We won’t ever reach a point where we can shout, “Hurrah! We’re finally 100% secure!” It takes constant vigilance: constantly being aware of what is happening on your network and, of course, of what is happening on your vendor’s network as well.
