SIMPLIFYING VENDOR RISK ASSESSMENTS, PART I: Designing Your VRA Roadmap
Written by: Black Kite
Cybercriminals have shifted away from high-value targets and are now homing in on organizations with weaker cyber postures that sit within the same supply chain ecosystem. As a result, organizations are reinventing their approach to third-party risk management (TPRM), and vendor security assessments have become top-of-mind.
Creating a successful roadmap for vendor risk assessments (VRAs) requires a step-by-step preparation plan, thoughtfully designed to identify the necessary resources and skills. The personnel available and the tasks they’re assigned are just as critical to successful preparation as adopting an asset-focused mindset. To help streamline the process, we’ve broken the roadmap down into digestible steps.
1. Start with domain specifics and analyze the vendor
Creating a roadmap for vendor security assessments requires full-scope domain expertise, from technical details all the way up to regulations. An asset-aware mindset is as beneficial to vendor risk management as it is to individual enterprise risk management. Evaluating the value of each vendor is an integral part of the process.
Are you exchanging protected health information (PHI) or financially sensitive data? Is there any intellectual property that you’re passing along to vendors? As cybercriminals continue to target supply chains, it’s important that you’re just as diligent about supplier risk as you are about managing risk internally.
When it comes to vendors, there may never be a one-size-fits-all solution. Instead, evaluate the assets at stake, or the data shared with each vendor, and use that to determine the criticality of the vendor. Prioritize efforts by considering what the vendor means to your business, and whether the risk that vendor introduces can be tolerated at all.
2. Identify the goal of the vendor security assessment
The goal of the assessment is key to creating the vendor security assessment (VSA) blueprint. It could be compliance-oriented, which would require the definition and adoption of frameworks such as PCI-DSS, CMMC, GDPR and more. On the other hand, it could be tailored to the needs of the business, requiring a customized approach.
Use as many resources as possible during this stage. When step-by-step guidance documents aren’t available, consider referring to industry best practices. Historical assessment reports are another valuable asset when it comes to VSA preparation.
3. Determine the methodology
It is always best to use industry-specific methodologies and questionnaires in vendor risk assessments. If those aren’t readily available, general-scope questionnaires are a good starting point. Examples include those published by Shared Assessments, the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
4. Allocate the appropriate resources
The team you work with is always of paramount importance, and is arguably as critical as designing the process itself. This applies both internally and from vendor to vendor. The domain experts should be capable of asking the right questions and digging deep wherever necessary, and a transparent communication channel should always be maintained.
5. Minimize disruption
Now that you’ve created your VSA blueprint, you’re just about ready to put it into action. However, we wouldn’t be doing our jobs if we didn’t consider the obstacles that may come up along the way. By implementing automation wherever possible, organizations will not only streamline tedious processes but also eliminate the room for human error that may cost you down the road.
This is part one of a two-part blog series.