Vendor Risk Management - How to Start and Where to Go

Vendor risk management is a recommended activity that has been stressed for almost ten years in the financial industry. The FDIC released a financial institution letter in 2008 to guide banks in properly managing the additional risk of outsourcing part of their processing to external vendors. Since 2008, it has become very clear in non-financial industries as well that vendor risk management is a must for every organization that outsources any service dealing with sensitive or confidential information. The security of regulated information and the availability of critical services at those vendors are more important today than ever.

Where to Start

Managing the security of information that your vendors have access to or receive from your organization is critical to a good risk management program. Many organizations ask, “Where do I start?” First, your organization needs to decide which vendors it considers critical. Two questions determine whether a vendor is critical:

  • Does the vendor have access to or receive critical or regulated information from your organization?
  • Is the availability of the vendor or the services they provide mission-critical to your organization?


When you think of a critical vendor, think of how much trouble your organization would be in if the information you allowed that vendor to access got out into the public space. Think about how much business disruption would be caused if that vendor suddenly went away. Would your entire organization cease to operate, or could you still function in some capacity? It's a great exercise to sit down with various groups and departments throughout the organization to come up with a vendor list and then decide which vendors are critical based on those two factors.

What to Look For

Once you have your list of critical vendors, you can proceed to collect additional information from them and notify them of their status with your organization. The number of vendors considered mission-critical should be limited. The majority of organizations will have five (5) to ten (10) critical vendors whose loss would cause the entire organization to stop all of its operations.


You’ll want to be able to pull the following information together for each critical vendor and perform a thorough review.

  • Product/Service Description
  • General Contract and Service Level Agreement Review
  • Financial Review – some companies may not disclose this item
  • Information Security Analysis – addressed below
  • Contract Term and Termination Review
  • Physical Security Review
  • Software Security Review
  • Vendor Customer Data Access
  • Performance Review
  • Proper Liability Insurance Coverage


Next, you're going to want to notify these organizations that they are one of your critical vendors. Describe what a critical vendor means to your organization in a formal letter and ask for additional assurances regarding security practices. Those additional assurances should include at least one of the following:

  • A SOC report – also known as an SSAE 18 report (formerly SSAE16, and before that, SAS 70)
  • An independent Information Security or Technology Audit
  • A security assessment questionnaire created by your organization and signed and notarized by your vendor’s organization as an attestation
  • If your organization has the capability, obtain their permission to audit them and send your auditor to your vendor’s organization to perform a security audit. Additionally, you can hire a third party like SBS CyberSecurity to audit your critical vendors on your behalf with your vendors’ permission. That is a handy option, and it can be “sold” to the vendor on the basis that they will receive the results and essentially get a free security audit at your organization’s expense.


A review of this documentation will help ensure that the vendor's practices are in line with what your organization looks for when protecting your information. Business continuity, incident response, incident detection, and various other protection mechanisms are valuable components to look for in this documentation. Once your organization receives these assurances from your vendor, document them and make sure you have a reminder in place to update them annually.



How to Mature Vendor Risk Management

After your organization has become comfortable with vendor risk management, it is good practice to mature the process. Maturing the process in practice is quite easy. Adding the following categories will help your organization further specify and define critical vendors and show their relevance to other departments in your organization. Like the process of Business Continuity Planning, Vendor Risk Management becomes a company-wide focus at this point.


Operational Risk: The risk of business operations being negatively affected due to issues relating to the vendor or third party. Examples might include unavailability or loss of a vendor, data breach, or the vendor not meeting performance expectations.

Ratings

  1. Little or no impact to the organization; business operations continue without interruption.
  2. Slight impact to the organization; business operations may be slightly affected for a short period of time.
  3. Moderate impact to the organization; business operations may be moderately affected for a period of time.
  4. Severe impact to the organization; business operations are seriously affected for a significant period of time.
  5. Devastating impact to the organization; business operations halt and cannot continue for a significant period of time.


Resource Risk: The amount of organizational resources that would be required to restore or recover business operations after issues relating to the vendor or third party. Examples might include unavailability or loss of a vendor, data breach, or the vendor not meeting performance expectations.

Ratings

  1. Little or no impact to the organization; no organization resources are required to restore business operations.
  2. Slight impact to the organization; minor organization resources are required to restore business operations.
  3. Moderate impact to the organization; moderate organization resources are required to restore business operations.
  4. Severe impact to the organization; significant organization resources are required to restore business operations.
  5. Devastating impact to the organization; vast organization resources are required to restore business operations.


Financial Risk: Potential financial losses resulting from issues relating to the vendor or third party. Examples might include unavailability or loss of a vendor, data breach, or the vendor not meeting performance expectations.

Ratings

  1. Little or no impact to the organization; no financial losses are incurred.
  2. Slight impact to the organization; slight financial losses are incurred.
  3. Moderate impact to the organization; moderate financial losses are incurred.
  4. Severe impact to the organization; significant financial losses are incurred.
  5. Devastating impact to the organization; immense financial losses are incurred.


Reputational Risk: Potential reputational losses resulting from issues relating to the vendor or third party. Examples might include unavailability or loss of a vendor, data breach, or the vendor not meeting performance expectations.

Ratings

  1. Little or no impact to the organization; no reputational issues result from complications with the vendor.
  2. Slight impact to the organization; minor reputational issues result from complications with the vendor.
  3. Moderate impact to the organization; moderate reputational issues result from complications with the vendor.
  4. Severe impact to the organization; significant reputational issues result from complications with the vendor.
  5. Devastating impact to the organization; immense reputational issues result from complications with the vendor.


Regulatory Risk: Also known as Legal or Compliance risk, potential regulatory issues may arise from an organization's failure to enact appropriate policies, procedures, or controls to ensure it conforms to laws, regulations, contractual arrangements, and other legally binding agreements and requirements. Examples might include unavailability or loss of a vendor, data breach, or the vendor not meeting performance expectations.

Ratings

  1. Little or no impact to the organization; no regulatory issues result from complications with the vendor.
  2. Slight impact to the organization; regulatory issues resulting from complications with the vendor may lead to poor examination results.
  3. Moderate impact to the organization; regulatory issues resulting from complications with the vendor may lead to poor examination results and/or fines to the organization.
  4. Severe impact to the organization; regulatory issues resulting from complications with the vendor may lead to poor examination results requiring follow-up from examiners and/or significant fines to the organization.
  5. Devastating impact to the organization; regulatory issues resulting from complications with the vendor may lead to closure of the organization.


Once your various departments have reviewed the vendor's contracts and service level agreements, and the organization has formed its opinion on the security controls at that vendor, the departments can assign the risk ratings for each category. For the IT Committee or management group facilitating vendor management as it matures in your organization, a composite score can be created by either summing all the risk ratings or averaging them, whichever makes more sense for the IT Committee's purposes. The composite score gives top-level management a quick overall view of the vendor's risk level so they can fold it into their enterprise risk management efforts.


If your organization is outsourcing information or information services, a simple vendor risk management program is the place to start. When the decision is made to outsource these services, it’s very important to remember that your responsibility to protect your customer information does not go away. It merely changes from making sure that confidential information within your premises is secure to making sure confidential information stored elsewhere is secure. Organizations that understand this concept, and the concept of mature vendor risk management, will be more successful in reducing the overall risk to their outsourced information resources.


Written by: Buzz Hillstead

Senior Information Security Consultant - SBS CyberSecurity


Posted: Tuesday, September 26, 2017
Categories: Blog