You need to keep track of requests you send out, chase up vendors who haven't answered, and ensure that when they do they answer in a timely and accurate manner. Along with vendor risk assessment questionnaires, organizations need a standardized information gathering process that accurately assesses the external security posture of vendors against industry standards, security policies, and established security practices.
Any robust third-party risk management program must have established processes and guidelines that include the process of onboarding vendors, gathering data, reviewing answers, and requesting remediation.
The good news is that there is software that can streamline the process. UpGuard Vendor Risk can help you monitor your vendors' external security posture in real-time, automate security assessments, and prioritize and remediate risks.
Without a clear assessment process, CISOs and vendor risk management teams become burdened with constant emails and multiple spreadsheets that are used to collect, analyze, and remediate issues across the supply chain.
And as you know, when teams become overrun in operational complexity, due diligence falls to the wayside, high-risk vendors are ignored, and the effectiveness of your security program is diminished.
To assist you in developing your vendor risk assessment processes, we've put together a list of five best practices for conducting third-party risk assessment questionnaires and vendor management.
Understand your third-party vendor portfolio
Before you can start sending vendor assessments, you need to have an accurate inventory of all your third-party relationships. Without one, it's near impossible to accurately measure the level of cyber risk your vendors introduce.
It's important to understand that security incidents involving vendors can lead to significant data breaches, even if they don't handle sensitive data. As we saw with Target, even a non-technical vendor like an HVAC provider can lead to the exposure of more than 110 million consumers' credit card and personal data.
Keep in mind, vendors don't necessarily have to have the same information security measures in place as you do. You just need to be comfortable that they have adequate data security and data protection controls in place.
A good starting point is to invest in an automated security monitoring tool, like UpGuard Vendor Risk, which can keep track of and continuously monitor your third and fourth-party vendors' critical security controls. These tools can not only help you communicate with vendors, but they can also help scale your vendor risk management program by helping you determine which vendors pose the most risk via automated, always up-to-date security ratings.
Find a vendor questionnaire template that works for you
Once you have an inventory of your vendors, you need to decide on the type of vendor risk management questionnaire you'll use. This could be one of the top vendor assessment questionnaires or a custom one.
Standardized questionnaires are great if you need to comply with regulations like GDPR, LGPD, CCPA, etc, or specific industry trends such as ISO 27001 and NIST SP 800-171. However, some organizations need deeper TPRM insights and develop custom questionnaires.
The issue with custom questionnaires is they can be tricky to get completed as vendors often want to leverage past questionnaires to answer questionnaires.
Regardless of what questionnaire you use, you should be aware that vendors have to fill out questionnaires a lot. Think about investing in a tool that makes it easy for vendors to manage their responses.
If you're not sure where to start, popular vendor risk assessment templates include:
- CIS Critical Security Controls (CIS First 5 / CIS Top 20): The CIS Controls for Effective Cyber Defense is a prioritized set of actions that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. The CIS Controls map to many major compliance frameworks such as the NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series, and regulations such as PCI-DSS, HIPAA, NERC CIP, and FISMA.
- Consensus Assessments Initiative Questionnaire (CAIQ): The Consensus Assessments Initiative Questionnaire (CAIQ) is a security assessment provided by the Cloud Security Alliance (CSA), a leading organization dedicated to defining and raising awareness of secure cloud computing best practices. The CAIQ helps cloud consumers and auditors assess the information security capabilities of data centers and cloud providers.
- Higher Education Community Vendor Assessment Tool (HECVAT / HECVAT Lite): The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that generalizes higher education information security and data protection questions, as well as issues regarding cloud services for consistency and ease of use.
- ISO 27001 Questionnaire: ISO/IEC 27001 is one of the most well-known and well-used information security standards and is part of the ISO/IEC 27000 family of standards. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- NIST SP 800–171:NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171) provides federal agencies with a set of guidelines designed to ensure that Controlled Unclassified Information (CUI) remains confidential, available, and unchanged in nonfederal systems and organizations. By complying with NIST SP 800-171, you will also meet the majority of the criteria for NIST SP 800-53, and compliance with NIST SP 800-53 is a major part of FISMA and FedRAMP compliance.
- Standardized Information Gathering Questionnaire (SIG / SIG-Lite): The Standardized Information Gathering (SIG) questionnaire is used to perform an initial assessment of vendors, gathering information to determine how security risks are managed across 18 different risk domains.SIG was developed by Shared Assessments and is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security, and business continuity.
- VSA Questionnaire (VSA): The Vendor Security Alliance (VSA) questionnaire was created by a coalition of companies committed to improving Internet security. Unlike other questionnaires, the VSA assessment process was created with the vendor in mind. Its focus is to eliminate irrelevant questions, reducing the time it takes for InfoSec and security teams to complete the questionnaire.
- Payment Card Industry Data Security Standards (PCI DSS) Questionnaire: The Payment Card Industry Data Security Standards (PCI-DSS) is an information security and data security standard for organizations that handle branded credit cards from the major card schemes.
Keep track of what you send out
In the past, it was easy for questionnaires to get lost in the back and forth volley between inboxes or simply misplace completed Excel files. That's why it's important to develop a centralized system where you can continuously monitor and review the progress vendors are making on questionnaires.
Good vendor risk management software will provide vendors with a simple way to get in contact with your team about any concerns, as well as to provide additional evidence or proof of their security controls.
In addition, we recommend setting a clear deadline and an automated follow up so that you and the vendor know exactly what to expect and when.
Use technology to streamline processes
Risk assessment questionnaires aren't new. You've likely been sending out questionnaires by email and managing multiple excel spreadsheets to check for answers. However, technology like UpGuard Vendor Risk can help you scale up your processes by allowing computers to keep track of things for you.
A good tool will give you and your third-party vendors:
- A way to provide answers, evidence, and ask any questions they may have in a centralized environment
- A way to delegate answers to new people in the organization, so the correct person can answer each question
- A way to remediate and discuss issues, review evidence, and ask for additional information or proof of specific questions, e.g. what access control policies do you have in place?
The better the usability of the tool, the more time you can spend remediating risks with vendors rather than focusing on the nitty-gritty of data collection.
Trust but verify
Just because you've received a completed security questionnaire doesn't mean your work is done. The next step is to verify and validate that what they say is true. While you won't be able to do this for internal security controls, there are a bunch of externally-visible data points you verify.
UpGuard's automated scanning and security ratings check for:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Network security
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
How UpGuard can help with third-party risk management
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.
For the assessment of your vendors' information security controls, UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For self-assessment UpGuard BreachSight can monitor your organization for 70+ security controls by providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.