One of the most challenging parts of building a vendor cyber risk management program is figuring out how to create your assessment. Missing a critical control or policy status in your assessment process could invite regulatory scrutiny, lawsuits or worse if you have a third-party data breach. If you build a lengthy assessment, though, you could create a different type of business risk as you slow down the ability of your organization to quickly utilize these third parties. This may create friction between stakeholders and diminish the effectiveness of this process from a cyber security perspective.
How do you build the right assessment that is both thorough and efficient? How do you ensure that business lines understand the reasons why you may be delaying the use of a vendor or service provider that they have already done extensive due diligence on and solution matching for? These questions and many others can be resolved by making a few crucial decisions:
- Who is in scope? After identifying your vendors, you should establish what their risk to your organization is. To start defining this risk, you could look at the level or type of information and access they have. While all vendors should be included in assessments, as relationships can change overnight, it is important to scope the depth of your assessments based on the risk the vendors currently represent.
- What are you focusing on? What risks are you trying to resolve? Are you “rightsizing” the focus of your assessment to the levels and types of risk you need to address? An example of not rightsizing is focusing much of the assessment process on how the vendor secures their physical facilities when their only access to your organization’s data is via an approved portal that requires a strong password. While it may be important that they lock their doors at night, it is more important that they have a policy that requires strong passwords and forbids password reuse.
- What form will this assessment take? The form of the assessment can have a real impact. Exchanging content over email or unsecured online forms can open new risks or create delays as vendors hesitate to share information via these channels. Further, spreadsheets may be simple to create and send (and even encrypt), but they can quickly become cumbersome as you add more questions and more vendors.
- Will you need evidence? On a recent project, the client required its subsidiaries to attest that they had implemented certain specific controls; an organization-wide assessment then found that over 90% of them had failed to perform at least one of the controls they had attested to. Requiring some form of evidence is important to ensure the accuracy of the assessment, but keep in mind that this can further delay the process, as vendors are often reluctant to share sensitive details about their security posture such as policies, configurations and reports. Further, do you have the resources to collect, store and analyze this evidence securely?
Once you have thought through the above questions, the form and function of the assessment will become more apparent. With this clarity, you can engage other stakeholders in refining the assessment, ensuring that it helps you understand risk and does so in a manner that different business units can understand and appreciate.