Vendor risk management (VRM) is a broad category that encompasses all measures that your organization can take to prevent data breaches and ensure business continuity. Legal issues, past performance, and creditworthiness are some of the common VRM issues that all companies review frequently. Additionally, cybersecurity and the reduction of third-party security risks are increasingly important.
An efficient vendor risk management audit process ensures that your vendor assessment process stays current, protects sensitive information, and improves your organization's risk management process.
For organizations to truly be protected they must audit and continuously monitor not only their third-party relationships, but also the standards, regulations, and best practices they use as the foundation of their third-party risk management framework.
What are the Steps in a Vendor Management Audit?
Any successful audit begins with establishing an audit trail. This includes the third-party risk assessment framework and the operating model: living documents that guide the process and categorize vendors based on a security risk assessment that uses an approved methodology.
Next, organizations must supply vendor report reviews that prove ongoing governance throughout the vendor lifecycle.
What Should the Third-Party Risk Assessment Framework and Methodology Documentation Contain?
Before you can assess a third-party vendor or establish your operating model, you need to develop a third-party risk assessment framework and methodology that categorizes vendors based on predetermined inputs.
Your choice of third-party risk management framework should be based on your regulatory requirements, acceptable level of risk, use of third parties, business processes, joint ventures, compliance requirements, and overall enterprise risk management strategy. It will likely take into account the desires of senior management and the Board of Directors.
What Does an Organization Need as Part of its Operating Model Documentation?
The operating model refers to the policies, procedures, processes, and people you have in place to guide your vendor management processes. Many organizations, consistent with regulatory expectations, organize their operating model into three lines of defense (LOD):
- The business line, which generates, owns, and controls the risk.
- The support functions, which provide oversight to the first line, and include the risk disciplines of operational risk and compliance among others.
- The internal audit, whose remit is derived from the board to process-audit the first and second lines of defense.
These lines (and the documents that outline their functions) act as the foundation of any third-party risk management program. Here is a list of checks you can use to assess the maturity of your operating model and documentation.
Risk Assessment Policy
🔲 Has a structured way of assessing information value
🔲 Has documented and established risk assessment methodology (qualitative, quantitative or a combination)
🔲 Identifies and prioritizes assets
🔲 Identifies common threats
🔲 Identifies vulnerabilities
🔲 Has a consistent and unbiased way to assess vendors, such as a security ratings tool
🔲 Analyzes existing controls and, where necessary, implements new ones
🔲 Calculates the likelihood and impact of various scenarios on a per-year basis
🔲 Prioritizes risks based on the cost of prevention vs information value
🔲 Documents results in a risk assessment report
Vendor Management Policy
🔲 Vendors are categorized by risk
🔲 Assesses and establishes minimum requirements for human resources security
🔲 Assesses and establishes minimum requirements for physical and environmental security
🔲 Assesses and establishes minimum requirements for network security
🔲 Assesses and establishes minimum requirements for data security
🔲 Assesses and establishes minimum requirements for access control
🔲 Assesses and establishes minimum requirements for IT acquisition and maintenance
🔲 Requires vendors to document their vendor risk management program
🔲 Outlines vendor's incident response plan requirements
🔲 Defines the vendor's business continuity and disaster recovery responsibilities
🔲 Sets out vendor compliance requirements
🔲 Outlines acceptable vendor controls
🔲 Sets out minimum vendor review requirements (e.g. SOC 2, site visits, and auditing requirements)
Vendor Management Procedures
🔲 Has workflow to engage in vendor management review
🔲 Designates a stakeholder to track vendors, relationships, subsidiaries, documents, and contacts
🔲 Has someone who is responsible for vendor due diligence
🔲 Uses software to deliver and collect vendor risk assessments such as UpGuard Vendor Risk
🔲 Has a documented process to coordinate legal, procurement, compliance, and the rest of the business when onboarding, working with, and offboarding a vendor
🔲 Has metrics and reports used to assess the performance of a vendor
What Documentation Supports Vendor Report Reviews and Ongoing Governance?
Vendor report reviews are an important part of ongoing governance. This can come in the form of continuous security monitoring or manual review of documentation that attests to security. Here are a few checks you can use to understand your vendor report maturity:
🔲 Reviews audit reports like SOC 2 and ISO
🔲 Reviews security questionnaires
🔲 Reviews financial reports
🔲 Reviews financial controls policy
🔲 Reviews operational controls policy
🔲 Reviews compliance controls policy
🔲 Reviews access control policy
🔲 Reviews change management policy
Note that these reviews should be performed on a regular basis to ensure changes do not go unnoticed.
What is Vendor Lifecycle Management?
Vendor lifecycle management is a cradle-to-grave approach to managing vendors in a consistent way. Vendor lifecycle management places an organization's vendors at the heart of the procurement process by recognizing their importance and integrating them into the procurement strategy.
Any good vendor risk management program starts with adequate due diligence on all third-party vendors and service providers. This can be done with a combination of continuous security monitoring and attack surface management tools that can automatically assess the externally observable information security controls used by existing and new vendors.
Once this initial stage has been completed, any high-risk vendors should be sent a vendor risk assessment to complete that can assess their internal security controls, regulatory compliance, and information security policies.
In general, modern vendor lifecycle management involves five stages:
- Qualification: This first phase starts with the process of need identification and solicitation. This can involve simply searching the web or be a complicated RFP process where potential vendors are informed about your organization's need to acquire a specific good or service.
- Engagement: Once a vendor has been selected, they undergo a vendor onboarding process where both you and the vendor are onboarded.
- Information security management: This stretches from the initial contact with a potential vendor through to the delivery of the good or service and on to the end of the vendor relationship. Information security isn't traditionally part of vendor risk management; however, the rising risk of security breaches has led to its inclusion. This stage differs from the other stages in that the controls that protect customer data and sensitive data need to continually evolve as threats change.
- Delivery: This is where the vendor delivers the good or service and also includes vendor performance management which can reduce reputational risk and improve disaster recovery.
- Termination: This stage is straightforward for a low-value vendor. However, if it is a high-value vendor, offboarding can be anything but simple. To ensure vendors are offboarded properly, you need to ensure all contractual obligations are fulfilled and any sensitive data has been handed over or destroyed.
Before diving into vendor lifecycle management, you need to plan out your supplier relationship management process from beginning to end. This will aid in future audits as you'll be able to find any vendor risk management policies, procedures, and processes that address each step in the lifecycle.
We've compiled a list of possible checks you can use that can play a role in the procurement process and aid decision making. Not every item is necessary, but the more you complete, the more you'll be able to mitigate risk.
With that said, due diligence processes will vary by company, industry, and region. Some regulations such as HIPAA dictate specific due diligence practices and some industries have adopted standardized processes. Additionally, requirements can be different based on the type of vendor being assessed.
Vendor Qualification Checklist
Collecting this information ensures that the company is legitimate and licensed to do business in your sector. You'll also want to collect information on key people for use in further risk assessments.
🔲 Have articles of incorporation (or corporate charter)
🔲 Have a business license
🔲 Provided company structure overview
🔲 Provided biographical information of senior management and Board members
🔲 Located in a country that is within our acceptable risk level
🔲 Provided proof of location via photographs, on-site visit, or video conference
🔲 Provided references from credible sources
🔲 Obtained insurance documentation
After establishing that the business is legitimate, you'll want to assess whether the vendor is financially solvent and paying taxes. There's no point using a vendor that is about to close up shop in the next month. Conversely, strong growth in a vendor could forecast increased prices later.
🔲 Obtained tax documents
🔲 Reviewed balance sheet and financial statements
🔲 Understand credit risk and other liabilities
🔲 Reviewed major assets
🔲 Understand compensation structure, staff training, and licensing
Vendor Engagement Checklist
Now that you've assessed that the vendor is a legitimate business that is financially solvent, it's important to understand whether they are on any watchlist, have negative news coverage, or could pose a danger to your organization. This is important because vendors often have access to sensitive information or systems. Corruption or political weaknesses can be dangerous, and a security incident at a vendor can affect your organization too.
🔲 Vendor is not on any watch lists, global sanctions lists, or lists published by regulators
🔲 Key personnel have been checked against politically exposed persons (PEP) lists and law enforcement lists
🔲 Risk-related internal policies and procedures have been reviewed
🔲 Reviewed reports from agencies like Consumer Financial Protection Bureau
🔲 Reviewed vendor's and key personnel's litigation history
🔲 No negative news reports or acceptable level of negative news
🔲 Acceptable amount of negative reviews and complaints on sites like G2 Crowd and Gartner
Now that you've assessed that the vendor is suitable from a political and operational risk perspective, you should assess whether the business has appropriate business continuity planning in place. You want to know whether the vendor is exposed to operational risks that could negatively impact your organization. This could be downtime for a SaaS provider or key personnel turnover for a services business.
🔲 Vendor has an incident response plan
🔲 Vendor has a disaster recovery plan
🔲 Vendor has adequate business continuity planning
🔲 Employee turnover rates are acceptable
🔲 No pending or past employee lawsuits or other indicators of toxic culture
🔲 Acceptable amount of negative employee reviews on Glassdoor
🔲 Vendor has a code of conduct in place
Finally, it's time to assess the quality of the contract itself.
🔲 Contract has defined terms and timeframes
🔲 Contract includes a statement of work
🔲 Contract includes delivery dates
🔲 Contract includes a payment schedule
🔲 Contract includes information security requirements
🔲 Contract includes supply chain and outsourcing information security requirements
🔲 Contract includes termination or renewal information
🔲 Contract includes a clause to be able to terminate contract when security requirements are not met
Vendor Information Security Management Checklist
Data breaches often originate from third-party vendors. Not only are they frequent, but they are also increasingly costly. The average cost of a data breach involving a third party is now close to $4.29 million globally.
🔲 Vendor has a security rating that meets our expectations
🔲 Vendor security rating has been benchmarked against their industry
🔲 Vendor has invested in data protection and information security controls
🔲 Vendor is willing to complete a risk assessment checklist
🔲 Vendor has provided an IT system outline
🔲 Penetration testing results for the vendor are acceptable
🔲 Visited vendor's site to assess physical security
🔲 Vendor does not have a history of data breaches
🔲 Vendor employees do routine cybersecurity awareness training
🔲 Vendor doesn't introduce an unacceptable level of cyber risk
Vendor Services Delivery Checklist
Once you've come to terms with the information security management requirements, it's time to monitor how the vendor is delivering the services (or goods) that you paid for.
🔲 Deliverables are scheduled
🔲 Receivables are scheduled
🔲 Senior management understands who is responsible for working with the vendor
🔲 Security team accepts any physical access requirements
🔲 Security team accepts system access requirements
🔲 Invoice schedule is established
🔲 Payment mechanism is established
Vendor Termination Checklist
Finally, the last stage of the vendor management lifecycle is offboarding the vendor. This stage can range from simple to incredibly complex, depending on how intertwined your business is with the vendor. To offboard vendors properly, develop a robust checklist. Here are some checks that you can use.
🔲 Physical access has been revoked
🔲 System access has been revoked
🔲 Contractual obligations have been fulfilled
🔲 Sensitive data has been handed over or destroyed
How UpGuard Can Enhance Your Vendor Risk Management Program
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.