In today’s world of interconnected corporations, outsourced business units and cloud services, the walls around valuable corporate assets have become increasingly blurred. It’s difficult to know exactly where your data assets sit within your own corporation, let alone within 3rd parties that you do business with daily! And each time a corporation is breached through an outsourced printer provider or document processing service, the regulators tighten the screws and expect stronger vetting of your vendors.
Because it is generally neither feasible to avoid providing any 3rd parties with sensitive information, nor realistic to have your corporate security team manage the security operations of all your partners, some degree of trust is necessary. How much trust is the billion dollar question that businesses have been trying to answer for decades.
Large corporations typically have hundreds if not thousands of other businesses providing a myriad of different services to a multitude of different business units. Identifying which ones pose a significant amount of risk to your organization, and which ones are barely worth a second look, often proves difficult. The typical approach involves some combination of the following:
1. An initial set of scoping questions is sent to determine the vendor’s potential risk, typically based on data and network access.
2. A spreadsheet full of more detailed questions is then sent to the vendor.
3. The vendor supplies their responses, and potentially a SAS 70, SOC 2, ISO 27001, or other document describing their security program.
4. A small portion of these responses are then reviewed.
It typically becomes the job of one employee to manage an overwhelming number of spreadsheets and responses in varying formats. Tracking who has been sent a questionnaire, who has responded, and whether every question got a response is an arduous enough task in and of itself. Actually analyzing the answers and trying to identify the vendors that may pose a great risk is even more difficult!
Because vendor risk management involves many repetitive tasks, SecureState has found that the process works best when large parts of it are automated. A tool like our Vendor Management portal can be used to centralize the data on all vendors and easily filter out the ones that pose the greatest potential risk. Because PCI, GLBA, HIPAA and other regulations mandate the management of 3rd party vendor risk, we can identify upfront which entities will be collecting data covered by each regulation, and provide simple reporting on the vendors covered by each regulation. (Learn more about SecureState’s Vendor Management offering by clicking here)
Another difficulty with vendor risk is deciding how deep to go in validating the answers provided, and where to trust what is given at face value. SecureState looks at three levels, each going deeper than the last:
1. Questionnaires
2. Facilitated interviews
3. Interviews with validation
At the first level a vendor is simply given a list of questions to answer, and a security analyst reviews their responses. At the second level an analyst conducts their own interviews with the vendor to determine which security program components are in place. Finally, with the third option, in addition to conducting interviews, a skilled penetration tester evaluates the vendor’s systems to confirm that security controls are indeed functioning as expected; this requires the vendor’s written authorization and an agreed scope before any testing begins. Obviously the last option is the most resource-intensive; you don’t want to go to these depths with a vendor that simply provides your coffee. Conversely, the questionnaire approach obviously doesn’t go that deep; it is likely not enough for the vendor you’ve just outsourced your payment processing to. The key to a well-functioning vendor management program is to quickly separate high- and low-risk vendors upfront with the right scoping questions, and to conduct the appropriate amount of assessment for each.
SecureState has been a pioneer in the vendor management space, working on the early BITS shared vendor assessment program, as well as developing the Virtual Compliance Officer program more than five years ago. Our team can help you to quickly identify where your vendor risk truly lies, and free up internal employees for more productive activities than maintaining the “Spreadsheet of Doom.”