Use Vendor Risk Management Templates to Establish a Baseline
Level the Vendor Risk Playing Field With Templates
Two facts have radically transformed vendor risk management and the need for template use in just the past few years:
- There’s increased awareness that vendors are often the weak links that allow data breaches to occur;
- Federal regulators are increasingly vocal about the need for aggressive and thorough vendor risk management which has left a lot of companies stymied about their next steps.
“We want a level playing field in assessing vendors,” said the CIO at a large East coast credit union. His institution, which heavily depends on third party vendors for its technology solutions, wants to ally only with the highest-rated vendors, the ones who add the lowest risk to the equation, as a matter of policy.
But the question is: How to level that playing field, in a time efficient and fair way, so that the best vendors are chosen? Templates and questionnaires are needed.
Understand, first, many companies continue to lag when it comes to third party assessments. Some, according to multiple security consultants, still do not ask to see even basic reporting, such as standardized penetration testing.
“I can count on one hand the clients who have asked to see our test results,” said a Maryland security consultant, who asked for anonymity to spare his client’s embarrassment.
But, little by little, that indifference is evaporating. A big factor is that templates, based on frameworks such as the ISO/IEC 27000 family of standards, the OCC guidelines, and others, are playing an ever bigger role in vendor risk management.
There are two obvious pluses to templates. First, they speed up the assessment process. There is no need to reinvent the vendor risk wheel. For the executive who complains that he or she does not have the time to do proper assessments, templates are the answer. Secondly, templates truly help ensure that every vendor is held to the same set of standards and frameworks.
Face Regulatory Compliance Head On
The right template can be crafted to assure compliance with regulatory requirements.
“Templates provide a standardized method for completing supplier risk assessments to ensure compliance,” said Craig Nelson, a Managing Director at Alsbridge, a global consulting firm.
A well-crafted template, usually provided by an experienced third party risk assessment expert, helps provide assurance that the assessment is in fact on target and thorough. The key question is: Are you collecting the right data about this vendor? With a template, the answer should be an unequivocal yes.
A well-constructed template also digs into key issues, such as:
- How old is the technology used by this vendor (one still using Windows XP probably will be downgraded unless there are extenuating circumstances)?
- Have all programs had all key patches applied?
These are simple, straightforward concerns, but the answers really do matter. In many cases, this part of the assessment readily lends itself to automation.
Do you trust a vendor running XP on all its systems, browsing with an unpatched Internet Explorer 7, and who has not applied an Adobe or Java patch in three years?
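To show what automating this part of the assessment can look like, here is an added example (not code from the original article, SecurityScorecard, or any product): a small Python script that applies one fixed baseline to every vendor's questionnaire response. The baseline itself is an assumption for the example: a constructed list of end-of-life platforms and a 90-day patch-age threshold, both of which a real template would set from its own policy. The questionnaire responses are constructed sample data.

```python
from datetime import date

# Constructed baseline for this example. A real template would maintain its
# own authoritative end-of-life list and choose its own patch-age threshold.
UNSUPPORTED_PLATFORMS = {"windows xp", "internet explorer 7"}
MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold

# Ordering used to rank outcomes: lower is better.
TIER_ORDER = {"baseline met": 0, "follow up": 1, "downgrade": 2}


def assess_vendor(response, today):
    """Apply the baseline to one questionnaire response.

    response keys (constructed schema for this example):
      'vendor'             : display name
      'platforms'          : list of platform names the vendor reports running
      'last_patch_applied' : dict product -> ISO date string, or None if the
                             vendor could not say when it last patched
    Returns (tier, findings) where findings is a list of human-readable issues.
    """
    findings = []

    # Question 1: how old is the technology in use?
    for platform in response.get("platforms", []):
        if platform.strip().lower() in UNSUPPORTED_PLATFORMS:
            findings.append(f"end-of-life platform in use: {platform}")

    # Question 2: have key patches been applied recently?
    for product, applied in response.get("last_patch_applied", {}).items():
        if applied is None:
            findings.append(f"no patch date reported for {product}")
            continue
        age_days = (today - date.fromisoformat(applied)).days
        if age_days > MAX_PATCH_AGE_DAYS:
            findings.append(f"{product} last patched {age_days} days ago")

    if not findings:
        tier = "baseline met"
    elif any(f.startswith("end-of-life") for f in findings):
        tier = "downgrade"
    else:
        tier = "follow up"
    return tier, findings


def rank_vendors(responses, today):
    """Score every response with the same criteria and order best-first."""
    scored = []
    for response in responses:
        tier, findings = assess_vendor(response, today)
        scored.append((response["vendor"], tier, findings))
    scored.sort(key=lambda item: (TIER_ORDER[item[1]], len(item[2])))
    return scored


# Constructed sample responses; names and dates are invented for the example.
SAMPLE_RESPONSES = [
    {
        "vendor": "Vendor A",
        "platforms": ["Windows Server 2012", "Windows XP"],
        "last_patch_applied": {"Adobe Reader": "2013-05-01", "Java": None},
    },
    {
        "vendor": "Vendor B",
        "platforms": ["Windows Server 2012"],
        "last_patch_applied": {"Adobe Reader": "2016-05-15"},
    },
    {
        "vendor": "Vendor C",
        "platforms": ["Ubuntu 14.04"],
        "last_patch_applied": {"Java": "2016-01-10"},
    },
]

ASSESSMENT_DATE = date(2016, 6, 1)  # constructed "today" for reproducibility

if __name__ == "__main__":
    for vendor, tier, findings in rank_vendors(SAMPLE_RESPONSES, ASSESSMENT_DATE):
        print(f"{vendor}: {tier}")
        for finding in findings:
            print(f"  - {finding}")
```

Because every response passes through the same `assess_vendor` function with the same baseline, the ranking cannot favour one vendor through a differently worded questionnaire; changing the threshold or the end-of-life list changes it for all vendors at once, which is the "level playing field" the template is meant to provide.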
Tip for SecurityScorecard Customers: Type in a website address into the platform to retrieve detailed security-risk information instantly, without intruding on a vendor’s system.
Get the Vendor Risk Answers You Need
A template also does not overlook important issues in the crush of business. For instance, it might be easy to shrug off questions about how your vendors handle their vendors, but a good template will insist on answers. Templates keep us on course, and that is why they have become indispensable in most vendor risk management approaches.
Is a template the final answer? No. A template provides a running head start. It also establishes the baseline for going forward, so all vendors are judged by roughly the same set of criteria.
But, understand, a template is still only a baseline. A Word template for writing a screenplay will not guarantee an Oscar for your mantle. An Excel template for an expense report does not guarantee the document will be accepted by your bosses on one hand or the IRS on the other.
To raise the confidence about the level of security afforded by templates there has to be serious thought about using any template along with a determination to honestly portray the facts of the situation. A template does not do your thinking for you or provide your research. It just points where to look for answers.