Part 2: Replace Point-In-Time Vendor Risk Assessments with Continuous Monitoring
In part 1 of our series, we showed you how to identify and tier vendor risks that are critical to you, allowing you to optimize assessment methods and properly manage vendor risk. Now, we’re going to show you how to continually assess your vendors so your organization is managing risk on an ongoing basis, rather than just through point-in-time assessments.
The information collected through point-in-time assessments is often outdated and doesn’t take into account changes in a vendor’s security posture between assessments. If the worst-case scenario is realized and a vendor is breached, you might not be aware of it until your vendor decides to alert you or until the next assessment. By that time, an attacker might have already entered your network.
In this dynamic environment, where vulnerabilities are exploited faster than ever, being aware of your vendor’s security posture on an ongoing basis gives you the information and the opportunity to react and mitigate potential issues. A PwC Third Party Risk Management report on the finance industry notes that 58% of respondents that monitor third parties on an ad hoc basis experienced a third-party service disruption or data breach, compared to only 37% of respondents that regularly monitor third parties.
Continuous, or ongoing, monitoring is increasingly becoming part of the recommended vendor risk management process. The OCC, which provides security frameworks and guidelines for the finance industry, has included third-party continuous monitoring as part of an effective vendor risk management framework. But according to PwC’s The Global State of Information Security Survey 2016, only 52% of respondents have security baselines or standards in place for third parties.
Unfortunately, the current state of vendor risk management does not look good when it comes to third-party monitoring. 93.5% of respondents in the 2016 Deloitte Study on Third Party Risk Management expressed moderate to low levels of confidence in their management and monitoring mechanisms.
These percentages indicate that, given the current state of vendor risk management (VRM), organizations are increasingly and unnecessarily exposing themselves to higher risk, which can prove costly. Ponemon’s 2016 US Cost of Data Breach study found that the organizational cost of a breach is, on average, $7.01 million. Their measure includes the costs of investigation, incident response, providing free services such as identity theft monitoring to employees, and the consequences of customer loss and churn.
In part 2 of our series, we’ll show you how to incorporate continuous third-party monitoring into your vendor risk management program by establishing a centralized VRM office, defining the controls and processes to monitor, and collaboratively engaging in tracking, reporting, and remediation processes with your vendors.
Step 1: Establish a Centralized VRM Office
Vendor risk management has an accountability problem. The Ponemon Institute surveyed over 17K IT and IT security practitioners and found a lack of consistency in the departments owning the vendor risk management process. The compliance department came first with only 23%, followed by security/information security (17%), legal (15%), and procurement (15%), with more departments rounding out the rest of the responses.
This lack of a standard department owning vendor risk management, coupled with the fact that only 17% of respondents say their board of directors has significant involvement in overseeing risk management activities, suggests a lack of focus, ownership, and commitment company-wide.
A VRM office is essential: it establishes the foundation on which third-party continuous monitoring relies and provides a single department for all aspects of vendor risk management. As PwC states, a central VRM office is a “key ingredient to a successful [VRM] program, particularly as firms expand nationally and globally,” and McKinsey’s Working Paper on Third Party Risk deems it an essential element of excellent vendor risk management.
A centralized VRM office allows a singular team (whether cross-departmental or made up of one department) to communicate with vendors, establish standardized practices, track and report, take ownership and responsibility, and provide a point of contact for other business unit owners that have relationships with vendors. The central VRM office will make critical decisions, quickly inform business unit owners, and escalate priorities should any critical issues arise.
Establishing a VRM office begins with hiring an in-house VRM team or moving existing employees into VRM positions. The VRM office is a highly specialized department whose functions go beyond information security. Deloitte has an excellent guide that outlines ten pillars an effective VRM office should specialize in:
- Contract management
- Financial and Commercial Management
- Issue and Dispute Management
- Service Performance Management
- Multi-Service Provider Integration
- Transition and Transformation PMO and Oversight
- Document Management
- Service Request Management
- Risk Management and Third Party Compliance
This will be the most extensive and complicated step to take, but it will reap huge benefits beyond continuous monitoring and make all aspects of VRM simpler and more efficient. After a central office is set up, you can start defining what you will be monitoring.
Step 2: Define Controls and Processes to Monitor and Establish Vendor Reporting Methods
Because continuous monitoring takes more resources than most VRM processes, optimizing the resources involved is crucial. You have to define which aspects of your vendor, whether data, assets, processes, or controls, you will be monitoring, based on several criteria. These criteria include:
As we described in part 1 of our series, defining what is most risk-critical to your company tells you what you should be monitoring. If your third party is processing or storing sensitive information, then you should be monitoring the security controls or systems in place that protect your third party’s network and endpoints.
Likelihood of information/status change
Tier your risk-critical vendor services and systems by how frequently their status changes over time. If a vendor is hiring rapidly, the number of endpoints is increasing, so you should pay more attention to the endpoint security in place. However, a system that is unlikely to change over a long period of time, such as a hosting or CMS provider, won’t need continuous monitoring.
Feasibility of monitoring
When you have a list of the vendor’s risk-critical controls, systems, and processes, assess the resources and time necessary to continuously monitor these elements. Basic security controls such as the use of two-factor authentication are important, but impossible to monitor continuously across all your critical vendors. And if a monitoring process takes a long time to procure the information, then that monitoring should be left to the annual assessment.
Step 3: Establish Communication, Tracking, and Reporting Processes Collaboratively with Vendors
Vendor collaboration and communication are key to successful ongoing monitoring. Your VRM office should clearly communicate to your vendors what will be monitored and tracked, in an effort to improve the security posture of all parties involved.
You should already be engaging in continuous monitoring of your own security through tools, solutions, and other processes. These same tools and processes can also be used to monitor any integrated systems that your vendors own. Even if the tools you use won’t alert your vendors, you have to reach out to them when issues arise in order to begin remediation.
Only 27% of respondents in the Ponemon Institute’s ‘Tone at the Top’ study say their assessments of third-party controls are effective. And even fewer, 12%, have a formal process that is applied consistently. This is why having processes, standards, and goals will lead a VRM process to success.
To begin the continuous monitoring process, your central VRM office should begin implementing the following:
Monitoring and tracking are near-useless without KPIs that specify how a change in the data over time is relevant to security. Set goals such as lowering the average number of days between a patch being released and that patch being applied, or increasing the frequency of open-port scans. As time passes, you’ll be able to identify vendors who aren’t meeting your standards.
Your VRM office should begin monitoring and tracking your vendors using any existing technologies or tools in place and implementing any new processes developed with your vendor’s help. Work with your vendor to have them provide any information that is produced through their own monitoring efforts to save resources on your behalf.
The central VRM office should establish reporting methods for vendors and also relay them to the respective business unit owners. The VRM office is responsible for alerting both vendors and business unit owners of any potentially critical issues that arise in reports.
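The three items above (KPIs, ongoing tracking, and reporting to vendors and business unit owners) can be tied together in a small tracking script. The following is an added example, not code from the original post or from SecurityScorecard: it takes the two KPIs the post mentions (days between patch release and application, and frequency of open-port scans), computes them from constructed sample records for two fictitious vendors, compares them against assumed targets, and produces the findings a VRM office would relay. The record fields, vendor names, advisory ids and target values are all assumptions made for the example; an unapplied patch is counted as still accruing exposure up to the reporting date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample records (not data from any real vendor); the field
# names and KPI targets below are assumptions made for this example.


@dataclass(frozen=True)
class PatchRecord:
    vendor: str
    advisory: str            # hypothetical advisory id
    released: date           # date the fix was published
    applied: Optional[date]  # None while the vendor has not yet applied it


@dataclass(frozen=True)
class PortScan:
    vendor: str
    scanned: date
    open_ports: int          # externally reachable open ports found by the scan


PATCHES: List[PatchRecord] = [
    PatchRecord("Acme Hosting", "ADV-001", date(2016, 8, 1), date(2016, 8, 5)),
    PatchRecord("Acme Hosting", "ADV-002", date(2016, 9, 1), date(2016, 9, 11)),
    PatchRecord("Beta Payments", "ADV-003", date(2016, 8, 10), date(2016, 9, 5)),
    PatchRecord("Beta Payments", "ADV-004", date(2016, 9, 10), None),
]

SCANS: List[PortScan] = [
    PortScan("Acme Hosting", date(2016, 9, 1), 5),
    PortScan("Acme Hosting", date(2016, 9, 15), 5),
    PortScan("Acme Hosting", date(2016, 9, 29), 4),
    PortScan("Beta Payments", date(2016, 8, 20), 8),
    PortScan("Beta Payments", date(2016, 9, 20), 11),
]

# KPI targets agreed with vendors (assumed values for the example).
MAX_MEAN_PATCH_DAYS = 14      # allowed average release-to-apply latency
MIN_SCANS_PER_WINDOW = 2      # open-port scans expected within the window
SCAN_WINDOW = timedelta(days=30)


def patch_latency_days(record: PatchRecord, as_of: date) -> int:
    """Days between release and application. An unapplied patch keeps
    accruing exposure, so it is counted up to the reporting date."""
    end = record.applied if record.applied is not None else as_of
    return (end - record.released).days


def mean_patch_latency(vendor: str, as_of: date,
                       patches: List[PatchRecord] = PATCHES) -> float:
    latencies = [patch_latency_days(p, as_of)
                 for p in patches if p.vendor == vendor and p.released <= as_of]
    return float(mean(latencies)) if latencies else 0.0


def scans_in_window(vendor: str, as_of: date,
                    scans: List[PortScan] = SCANS) -> int:
    """Number of scans in the trailing window ending on the reporting date."""
    start = as_of - SCAN_WINDOW
    return sum(1 for s in scans
               if s.vendor == vendor and start < s.scanned <= as_of)


def open_port_change(vendor: str, as_of: date,
                     scans: List[PortScan] = SCANS) -> int:
    """Change in open-port count between the first and the latest scan."""
    history = sorted((s for s in scans if s.vendor == vendor and s.scanned <= as_of),
                     key=lambda s: s.scanned)
    if len(history) < 2:
        return 0
    return history[-1].open_ports - history[0].open_ports


def evaluate_vendor(vendor: str, as_of: date) -> Dict[str, object]:
    """Compare a vendor's KPIs against the targets and list the findings the
    VRM office would relay to the business unit owner and to the vendor."""
    latency = mean_patch_latency(vendor, as_of)
    scans = scans_in_window(vendor, as_of)
    port_delta = open_port_change(vendor, as_of)
    findings: List[str] = []
    if latency > MAX_MEAN_PATCH_DAYS:
        findings.append(f"mean patch latency {latency:.1f} days exceeds "
                        f"target of {MAX_MEAN_PATCH_DAYS}")
    if scans < MIN_SCANS_PER_WINDOW:
        findings.append(f"only {scans} port scan(s) in the last "
                        f"{SCAN_WINDOW.days} days (target {MIN_SCANS_PER_WINDOW})")
    if port_delta > 0:
        findings.append(f"open ports increased by {port_delta} since first scan")
    return {
        "vendor": vendor,
        "mean_patch_latency_days": latency,
        "scans_in_window": scans,
        "open_port_change": port_delta,
        "findings": findings,
        "meets_standard": not findings,
    }


def vendors_below_standard(as_of: date) -> List[str]:
    """Vendors with at least one finding on the reporting date."""
    vendors = sorted({p.vendor for p in PATCHES} | {s.vendor for s in SCANS})
    return [v for v in vendors if not evaluate_vendor(v, as_of)["meets_standard"]]


if __name__ == "__main__":
    report_date = date(2016, 9, 30)
    for v in sorted({p.vendor for p in PATCHES}):
        print(evaluate_vendor(v, report_date))
```

Run it with a reporting date and the output is one report per vendor; in the constructed data, the second vendor misses both targets and its open-port count is trending upward, which is exactly the kind of change the post says should trigger an alert to the business unit owner and a conversation with the vendor. Feeding real monitoring exports into the same functions only requires filling the two record lists from your own tools.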
Engaging in Remediation
The foundational work performed in the previous steps will help the VRM office identify issues and abnormalities more clearly. When any vendor security issue arises, the VRM office should work in tandem with business unit owners to remediate it.
Engaging in continuous vendor monitoring takes some effort, but it produces compounding results, improving not only your vendor risk management but your own security posture as well.
Tips for SecurityScorecard Customers – Our platform was built with continuous monitoring in mind. Your VRM office can quickly load any number of vendors and begin tracking their security posture across a number of security categories. To communicate issues to vendors, you can share the ‘partnership’ report or invite them to the platform to view their SecurityScorecard.
Part 3: Looking into 4th Party Insight
In the next part of our series, we’ll show you how to take into account your vendors’ own third parties, subcontractors, and partners. If your vendors represent a specific amount of risk to you, then their vendors should be considered as well. This matters both when initially assessing a vendor’s security posture and during continuous monitoring, where it lets you see whether a vendor has recently started working with a third party you have previously identified as risky.