Vendor risk management (VRM) is a broad category that encompasses all measures that your organization can take to prevent data breaches and ensure business continuity. Legal issues, past performance, and creditworthiness are some of the common VRM issues that all companies review frequently. Additionally, cybersecurity and the reduction of third-party security risks are increasingly important.
An efficient vendor risk management audit process ensures that your vendor assessment process stays current, protects sensitive information, and improves your organization's risk management process.
For organizations to truly be protected they must audit and continuously monitor not only their third-party relationships, but also the standards, regulations, and best practices they use as the foundation of their third-party risk management framework.
That's why we've put together this vendor risk management checklist to help you develop a robust vendor risk management program.
What are the steps in a vendor management audit?
Any successful audit begins with establishing an audit trail. This includes the third-party risk assessment framework and the operating model, living documents that guide the process, as well as categorize vendors based on a security risk assessment that uses an approved methodology.
Next, organizations must supply vendor report reviews that prove ongoing governance throughout the vendor lifecycle.
What should the third-party risk assessment framework and methodology documentation contain?
Before you can assess a third-party vendor or establish your operating model, you need to develop a third-party risk assessment framework and methodology that categorizes vendors based on predetermined inputs.
Your choice of third-party risk management framework should be based on your regulatory requirements, acceptable level of risk, use of third-parties, business processes, joint ventures, compliance requirements, and overall enterprise risk management strategy. It will likely take into account the desires of senior management and the Board of Directors.
What does an organization need as part of its operating model documentation?
The operating model refers to the policies, procedures, processes, and people you have in place to guide your vendor management processes. Many organizations, consistent with regulatory expectations, organize their operating model into three lines of defense (LOD):
- The business line, which generates, owns, and controls the risk.
- The support functions, which provide oversight to the first line, and include the risk disciplines of operational risk and compliance among others.
- The internal audit, whose remit is derived from the board to process-audit the first and second lines of defense
These lines (and the documents that outline their functions) act as the foundation fo any third-party risk management program. Here is a list of checks you can use to assess the maturity of your operating model and documentation.
Risk assessment policy
__ Has a structured way of assessing information value
__ Has documented and established risk assessment methodology (qualitative, quantitative or a combination)
__ Identifies and prioritizes assets
__ Identifies common threats
__ Identifies vulnerabilities
__ Has a consistent and non-bias way to assess vendors such as a security ratings tool
__ Analyzes existing and where necessary, implements new controls
__ Calculates the likelihood and impact of various scenarios on a per-year basis
__ Prioritizes risks based on the cost of prevention vs information value
__ Documents results in a risk assessment report
__ Uses a well-established security questionnaire
Vendor management policy
__ Vendors are categorized by risk
__ Assesses and establishes minimum requirements for human resources security
__ Assesses and establishes minimum requirements for physical and environmental security
__ Assesses and establishes minimum requirements for network security
__ Assesses and establishes minimum requirements for data security
__ Assesses and establishes minimum requirements for access control
__ Assesses and establishes minimum requirements for IT acquisition and maintenance
__ Requires vendors to document their vendor risk management program
__ Outlines vendor's incident response plan requirements
__ Defines the vendor's business continuity and disaster recovery responsibilities
__ Sets out vendor compliance requirements
__ Outlines acceptable vendor controls
__ Sets out minimum vendor review requirements (e.g. SOC 2, site visits, and auditing requirements)
Vendor management procedures
__ Has workflow to engage in vendor management review
__ Designates a stakeholder to track vendors, relationships, subsidiaries, documents, and contacts
__ Has someone who is responsible for vendor due diligence
__ Uses software to deliver and collect vendor risk assessments such as UpGuard Vendor Risk
__ Has a documented process to coordinate legal, procurement, compliance, and the rest of the business when onboarding, working with, and offboarding a vendor
__ Has metrics and reports used to assess the performance of a vendor
What documentation supports vendor report reviews and ongoing governance?
Vendor report reviews are an important part of ongoing governance. This can come in the form of continuous security monitoring or manual review of documentation that attests to security. Here are a few checks you can use to understand your vendor report maturity:
__ Reviews audit reports like SOC 2 and ISO
__ Reviews security questionnaires
__ Reviews financial reports
__ Reviews financial controls policy
__ Reviews operational controls policy
__ Reviews compliance controls policy
__ Reviews access control policy
__ Reviews change management policy
Note these reviews should be on a regulator basis to ensure changes do not go unnoticed.
What is vendor lifecycle management?
Vendor lifecycle management is a cradle-to-grave approach to managing vendors in a consistent way. Vendor lifecycle management places an organization's vendors at the heart of the procurement process by recognizing their importance and integrating them into the procurement strategy.
Any good vendor risk management program starts with adequate due diligence on all third-party vendors and service providers. This can be done with a combination of continuous security monitoring and attack surface management tools that can automatically assess the externally observable information security controls used by existing and new vendors.
Once this initial stage has been completed, any high-risk vendors should be sent a vendor risk assessment to complete that can assess their internal security controls, regulatory compliance, and information security policies.
In general, modern vendor lifecycle management involves five stages:
- Qualification: This first phase starts with the process of need identification and solicitation. This can involve simply searching the web or be a complicated RFP process where potential vendors are informed about your organization's need to acquire a specific good or service.
- Engagement: Once a vendor has been selected, they undergo a vendor onboarding process where both you and the vendor are onboarded.
- Information security management: This stretches from the initial contact of a potential vendor through to the delivery of the good or service and to the end of the vendor relationship. Information security isn't traditionally part of vendor risk management. However, the risk of security breaches has increased which has led to its inclusion. This stage is different to the other stages as the controls that protect customer data and sensitive data need to continually evolve as threats change.
- Delivery: This is where the vendor delivers the good or service and also includes vendor performance management which can reduce reputational risk and improve disaster recovery.
- Termination: This stage is straightforward for a low-value vendor. However, if it is a high-value vendor, offboarding can be anything but simple. To ensure vendors are offboarded properly, you need to ensure all contractual obligations are fulfilled and any sensitive data has been handed over or destroyed.
Before diving into vendor lifecycle management, you need to plan out your supplier relationship management process from beginning to end. This will aid in future audits as you'll be able to find any vendor risk management policies, procedures, and processes that address each step in the lifecycle.
We've compiled a list of possible checks you can use that can play a role in the procurement process and aid decision making. Not every item is necessary, but the more you complete, the more you'll be able to mitigate risk.
With that said, due diligence processes will vary by company, industry, and region. Some regulations such as HIPAA dictate specific due diligence practices and some industries have adopted standardized processes. Additionally, requirements can be different based on the type of vendor being assessed.
Vendor qualification checklist
Collecting this information ensures that the company is legitimate and licensed to do business in your sector. You'll also want to collect information on key people for use in further risk assessments.
__ Have articles of incorporation (or corporate charter)
__ Have a business license
__ Provided company structure overview
__ Provided biographical information of senior management and Board members
__ Located in a country that is within our acceptable risk level
__ Provided proof of location via photographs, on-site visit, or video conference
__ Provided references from credible sources
__ Obtained insurance documentation
After assessing that the business is legitimate, you'll want to asses whether the vendor is financially solvent and paying taxes. There's no point using a vendor due to close up shop in the next month. Conversely, strong growth in a vendor could forecast increased prices later.
__ Obtained tax documents
__ Reviewed balance sheet and financial statements
__ Understand credit risk and other liabilities
__ Reviewed major assets
__ Understand compensation structure, staff training, and licensing
Vendor engagement checklist
Now that you've assessed that the vendor is a legitimate business who is financially solvent, it's important to understand they are on any watchlist, have negative news, or could pose a danger to your organization. This is important because vendors often have access to sensitive information or systems. Corruption or political weaknesses can be dangerous and a security incident at a vendor can affect your organization too.
__ Vendor is not on any watch lists, global sanctions lists, or lists published by regulators
__ Key personnel have been checked against politically exposed persons (PEP) lists and law enforcement lists
__ Risk-related internal policies and procedures have been reviewed
__ Reviewed reports from agencies like Consumer Financial Protection Bureau
__ Reviewed vendor's and key personnel's litigation history
__ No negative news reports or acceptable level of negative news
__ Acceptable amount of negative reviews and complaints on sites like G2 Crowd and Gartner
Now that you've assessed that the vendor is suitable from a political and operational risk perspective, you should assess whether the business has appropriate business continuity planning in place. You want to know whether the vendor is exposed to operational risks that could negatively impact your organization. This could be downtime for a SaaS provider or key personnel turnover for a services business.
__ Vendor has an incident response plan
__ Vendor has a disaster recovery plan
__ Vendor has adequate business continuity planning
__ Employee turnover rates are acceptable
__ No pending or past employee lawsuits or other indicators of toxic culture
__ Acceptable amount of negative employee reviews on Glassdoor
__ Vendor has a code of conduct in place
Finally, it's time to assess the quality of the contract itself.
__ Contract has defined terms and timeframes
__ Contract includes a statement of work
__ Contract includes delivery dates
__ Contract includes a payment schedule
__ Contract includes information security requirements
__ Contract includes supply chain and outsourcing information security requirements
__ Contract includes termination or renewal information
__ Contract includes a clause to be able to terminate contract when security requirements are not met
Vendor information security management checklist
Data breaches often originate from third-party vendors. Not only are they frequent, but they are also increasingly costly. The average cost of a data breach involving a third-party is now close to $4.29 million globally.
__ Vendor has a security rating that meets our expectations
__ Vendor security rating has been benchmarked against their industry
__ Vendor has invested in data protection and information security controls
__ Vendor is willing to complete a risk assessment checklist
__ Vendor has provided an IT system outline
__ Penetration testing results for the vendor are acceptable
__ Visited vendor's site to assess physical security
__ Vendor does not have a history of data breaches
__ Vendor employees do routine cybersecurity awareness training
__ Vendor doesn't introduce an unacceptable level of cyber risk
Vendor services delivery checklist
Once you've come to terms with the information security management requirements, it's time to monitor how the vendor is delivering the services (or goods) that you paid for.
__ Deliverables are scheduled
__ Receivables are scheduled
__ Senior management understands who is responsible for working with the vendor
__ Security team accepts any physical access requirements
__ Security team accepts system access requirements
__ Invoice schedule is established
__ Payment mechanism is established
Vendor termination checklist
Finally, the last part of the vendor management lifecycle is to understand how to offboard the vendor. This stage can range from simple to incredibly complex, depending on how intertwined your business is with the vendor. To ensure you offboard vendors properly, ensure that you develop a robust checklist. Here are some checks that you can use.
__ Physical access has been revoked
__ System access has been revoked
__ Contractual obligations have been fulfilled
__ Sensitive data has been handed over or destroyed
How UpGuard can enhance your vendor risk management program
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security operations.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.