Vendor Risk Management

Identifying which vendors pose the greatest risk to your organization often proves to be a difficult and strenuous manual process.

Corporations can have hundreds if not thousands of vendors providing a myriad of different services for a multitude of different business units. SecureState can work with you at any stage in the Vendor Risk Management process, from identifying vendors through working with them to reduce the risks they bring to your organization.


Often, vendors can introduce new risks into an enterprise, and companies can unknowingly be assuming more risk than they are comfortable with. Working with SecureState will allow your company to gain an understanding of how much risk it wishes to take on, and how to work with vendors to move to that level.


SecureState has worked with companies large and small to understand their acceptable levels of risk, and to determine how working with their vendors can affect them. SecureState is a member of the Shared Assessments Program and uses the industry-accepted Standard Information Gathering (SIG) Questionnaire as a framework to assess the maturity of an organization's existing security controls while highlighting gaps pertinent to critical business processes. Our matrix approach allows us to apply technical validation of all responses from a variety of security experts.

Approach and Methodology

SecureState's Vendor Management Process methodology is a holistic approach to the evaluation of the Vendor Management Lifecycle (VML) as organizations strive to move away from vendor execution and focus on operational and strategic management. SecureState reviews all areas of the VML and maps your organization’s current state back to industry best practices.


SecureState starts with the first phase of the lifecycle by assessing an organization’s ability to:

  • Identify the need and business objectives for a third-party relationship and determine the technology and processes required to meet requirements
  • Assign ownership and roles and responsibilities for the delegated owner
  • Develop RFP requirements, selection criteria, and timelines


The Selection Phase focuses on the organization’s processes and procedures to:

  • Assess the risk of the vendor to the organization based on the type of data being stored, processed, or transmitted across an organization’s ecosystem
  • Review IT, privacy, resiliency and data security controls of a potential third-party vendor prior to engaging in a binding contract
  • Validate evidence of controls and recovery procedures of an organization’s data
  • SecureState offers a secure Vendor Risk Management Portal (VRMP) to gather and evaluate potential vendor control maturity


During the Contract Phase, SecureState reviews the organization’s contractual obligations to:

  • Develop and review legally binding contracts to ensure liability and SLA requirements to the organization are properly outlined and defined
  • Define Key Performance Indicators (KPIs) and ensure security metrics from the due diligence risk review are incorporated in contract language


The Monitoring Phase of the lifecycle focuses on access and relationship management after the organization has entered into a binding contract. SecureState reviews the organization’s ability to:

  • Provision, manage, and audit third-party access to the network and company data
  • Monitor KPIs and security measures outlined during the Contract Phase
  • Reassess the vendor’s adherence to information security and regulatory requirements
  • Identify, monitor, and assess the performance of subcontractors and their impact on an organization’s operational and reputational risks
  • SecureState's VRMP can be leveraged to monitor existing third-party vendors' data handling procedures and security practices


While many third-party relationships are renewed and continued past the original contract period, the Termination Phase of the VML:

  • Clearly defines the organization’s ability to voluntarily or involuntarily end a relationship
  • Defines a transition plan for offboarding a current vendor and data migration strategies for future initiatives
  • Enforces contractual SLA requirements