Assisted Vendor Risk Management
Organizations of all sizes collaborate with service providers and vendors to meet their business, IT and security goals. This lets them scale quickly with lower overheads, reducing costs and creating a more efficient business.
The last two years have proved that data is the new oil, and adversaries leave no stone unturned when it comes to obtaining it. A recent trend shows that adversaries have started to target service providers and vendors because of their privileged access to data belonging to many organizations.
Recent statistics highlight that nearly two-thirds of security breaches originate from third parties. For example, the Target breach was enabled by an email phishing attack on an HVAC contractor: an employee of the contractor clicked a malicious link, which ultimately led to the compromise of millions of credit cards.
This is therefore a threat vector that must be addressed to ensure secure operations, and establishing a robust and sustainable vendor risk management program is the need of the hour.
Vendor Risk Management is the process of evaluating vendors, both before and during the contract, for the potential risks an organization faces when transmitting its sensitive data to them or storing it with them.
The five essential elements of a robust vendor risk program are as follows:
- Drafting of a Vendor Risk Policy & Procedure
- Drafting of a Vendor Risk Questionnaire
- Vendor Inventory & Profiles with types & levels of data access:
  - Type of data shared
  - Whether the data is only transmitted, processed or stored
  - Employees & vendors with access to the data
  - Destruction/deletion of data
- Framework for securing data – Policies & Procedures
- Acceptable compliance credentials such as SOC 2, ISO 27001, etc.
- Right to Audit
Esha IT’s team of experts helps clients set up and manage vendor risk programs, ensuring data security across the vendor ecosystem through its assisted vendor risk program.
The following steps comprise our assisted vendor risk program:
- List all vendors, prioritize them based on their type of data access, and assess the security threat each poses to your organization
- Implement a security framework that maps to your organization, e.g. SOC 2 if you are a SaaS company or HIPAA if you are a healthcare company
- Prepare a legal tender/contract outlining the relationship between your organization and the vendor
- Draft a vendor risk questionnaire and engage all vendors to complete it, along with collection of evidence and review of their current policies and procedures
- Conduct periodic reviews to ensure that security is maintained among your vendors
- Collect details of fourth-party vendors and assess your vendor’s policies for its own vendors
- Document risks and share them with the vendors along with proposed mitigations and timelines