Checklist
Organizations conduct due diligence on a third party's ecosystem and security
posture before onboarding, but to truly protect themselves they must audit and
continuously monitor their vendors. Organizations audit their vendors, and
standards and regulations in turn often require audits of the company's own
vendor management program. Organizations therefore need efficient vendor risk
management audit processes that make audits of that program straightforward.
Qualifying
__ Process for obtaining and determining insurance, bonding, and business
license documentation
__ Benchmarks for reviewing financial records and analyzing financial stability
__ Review process for staff training and licensing
__ Benchmarks for evaluating IT assets
Engagement
__ Contracts include a statement of work, delivery date, payment schedule,
and information security requirements
Information Security Management
__ Baseline identity and access management within the vendor organization
__ Baseline privileged access management for the vendor
Managing Delivery
__ Scheduling deliverables
__ Scheduling receivables
__ Organization defines stakeholders responsible for working with the vendor
__ Establishing physical access requirements
__ Defining system access requirements
Managing finances
__ Establish invoice schedule
__ Establish payment mechanism
Terminating Relationship
__ Revoking physical access
__ Revoking system access
__ Definitions of causes for contract/relationship termination
What should the risk assessment framework and methodology documentation contain?
Before reviewing third-party vendors or establishing an operating model,
companies need to create a risk assessment framework and methodology for
categorizing their business partners. This process includes aligning business
objectives with vendor services and articulating the underlying logic to senior
management and the Board of Directors.
When auditors review risk assessments, they need documentation evidencing both
the evaluation process and Board oversight. For example, an organization
choosing a software vendor for its quality management system needs to establish
and record its risk tolerances for that decision. As part of reviewing the risk
assessment methodology, the auditor will examine how vendors are categorized and
whether risk is concentrated in a small number of them.
Risk Assessment
__ Does the organization risk rate its vendors?
__ Does the risk assessment discuss the methodology
(qualitative/quantitative/combination)?
__ Are the vendors categorized by risk?
Vendor Risk Management Policy
__ Does it include human resources security?
__ Does it discuss physical and environmental security?
__ Does it establish baseline requirements for network and system security?
__ Does it establish baseline requirements for data security?
__ Does it establish baseline requirements for access control?
__ Does it establish baseline requirements for IT acquisition and
maintenance?
__ Does it require vendors to document their vendor management program?
__ Does it define the vendor's incident response management responsibilities?
__ Does it define the vendor's business continuity and disaster recovery
responsibilities?
__ Does it outline the vendor compliance requirements?
Procedures
__ Is there a workflow for engaging in vendor management review?
__ Does the organization designate a stakeholder to track vendors,
relationships, subsidiaries, documents, and contacts?
__ Does the organization designate a stakeholder responsible for vendor due
diligence?
__ Does the organization designate a stakeholder who delivers and collects
surveys and risk assessments?
__ Does the organization designate a stakeholder to manage contract review
and renewal?
__ Does the organization outline a process for coordinating with legal,
procurement, compliance, and other departments when hiring and managing a
vendor?
__ Does the organization outline metrics and reports needed to review
vendors?
First, as part of the risk assessment analysis, companies can use quantitative
benchmarks for reviewing vendors. Companies can document a vendor's security
rating, relate it to their risk tolerance, and use it as a quantitative metric
that links to both data controls and financial stability. Additionally, the
easy-to-digest grades of A through F make risk easier to explain to the Board
and provide the oversight documentation auditors expect.
Fourth, with SecurityScorecard, companies can define cohorts that allow them
to group vendors and track security rating changes within the groups. This
functionality provides documentation supporting the categorization and
classification of vendors when an auditor reviews a risk assessment
methodology.
Fifth, security ratings allow companies to corroborate the reports and
questionnaires that vendors provide. For example, a SaaS vendor can submit a
SOC 2 report attesting to the effectiveness of its controls at the time of the
report. However, threats evolve, and controls fail. SecurityScorecard's ratings
incorporate network security, DNS health, patching cadence, endpoint security,
IP reputation, and web application security. Since our threat reconnaissance
capabilities continuously monitor the IT ecosystem, we update our security
ratings regularly. A rating is an outside-in view based on externally
observable signals, so it complements rather than replaces the attestation:
a drop in a vendor's rating between reports is a prompt to ask questions, not
proof that a specific control has failed. Tracking vendors in the platform,
therefore, allows organizations to continuously check the trust they place in
their vendors rather than relying on a point-in-time report.
Companies generally know how to manage their vendor risks; documenting the
vendor management process in a form auditors accept is often the harder part.
With SecurityScorecard, organizations can streamline both by producing that
documentation as they manage.