Vendor Risk Control


Vendor management is at its heart a means of accounting for and controlling third-party (and even fourth-party) risks to your organization. I’ll be using the shorthand TPRM for third-party risk management throughout this article. Third-party risk has become a very important topic because it is at the root of many data breaches. Dating back to 2014, Target suffered a massive data breach because an HVAC vendor didn’t have their security program together. More recently, Okta’s breaches this year affected their customers and severely hurt their reputation.

Starting a TPRM Program

Step zero for setting up a TPRM program is to do a risk assessment of your own organization. Focus on which of your company’s assets are valuable enough to be worth protecting. For a healthcare company it might be access to patient records, for a financial company it could be access to the money itself, for an R&D firm it could be access to the research pipeline, etc. All of this feeds into what matters most to you, how you can grade your potential vendors based on risk, and what risk mitigation controls would be necessary to onboard particular vendors.

The next step in starting up this program is obviously to gather an accurate list of just who your vendors are. It seems like this might be as easy as going to accounting and asking who is sending you invoices, but it most definitely is not. Sometimes personnel will sign up for services on their own (referred to as shadow IT) and completely bypass the accounts payable department. For these you can use tools like Nudge or BetterCloud to discover SaaS tools you don’t know your coworkers are using. A side benefit of those discovery tools is that they can save you money by showing you which tools are over-licensed because fewer people than you thought actually use them.

Throughout this process, be sure to involve all possible stakeholders. Use something like the DACI or RACI frameworks to identify who needs to be involved in vendor management. It can go well beyond security and finance depending on your company. Many companies involve legal to ensure the company is sufficiently protected, some involve a compliance team to do OFAC checks on vendors, and others might involve a technical team if the vendor requires some sort of implementation. Whoever you involve, make sure that the process is transparent and fair. An easy way to sabotage goodwill towards your nascent program is to appear to play favorites when approving vendors.

How do you measure the risk?

You cannot properly address vendor risk without first measuring it. Some metrics are common across all companies, but many metrics and questions will be particular to your company and your industry. The easiest way to evaluate the risk of a vendor is by reviewing their certified audit reports against frameworks like SOC 2, ISO 27001, PCI-DSS, and others. While these frameworks are by no means a guarantee that the vendor is low risk, they can give you some assurance that the vendor understands the gravity of information security risk and that an independent body has reviewed their controls.

Another side of third-party risk involves how you intend to use the vendor. Imagine a vendor like Dropbox. If you are only using them to store marketing materials, their risk is low. However, if you were to store millions of documents containing sensitive customer data there (note: please don’t do that, there are better ways), that same vendor grows into a much larger risk. It is important to ask the person requesting the vendor how they intend to use the vendor now and in the future. Ask questions like:

  • What data will be stored with that vendor? How much of that data do you expect to store there over the next few years?

  • If this vendor were to have an outage, how would it impact the organization? How long of an outage could we withstand and how much of our data could they lose?

  • Are there alternatives we could use? Are there existing vendors who could fill the same need?

  • Do they have a reputation for resiliency and security? Are they willing to share their policies for continuity and the test results proving their capabilities?

  • Who in the company will have access to this vendor and what level of access will they have?

These questions are just the start of a long list of questions you could ask about each potential vendor. Be careful not to bombard each requestor with a million questions though; that is not a good way to win allies for your new program. Instead, first ask for the implementation and usage documents for the vendor (usually in the form of some project documents) and see if the answers to your questions are in there. If they aren’t, use this as an opportunity to work with the requestor to write more thorough project documents.

You can supplement the information you are getting with tools like SecurityScorecard to automatically gather risk-related data. Take the output from these tools with a grain of salt though. The information provided may not be 100% accurate due to their automated nature, and other information may be irrelevant to your evaluation. For example, the tool may identify issues with encryption on a company’s website, but if that encryption is just on the company’s marketing page that might not be an issue. Use tools like these as a bellwether: a collection of small findings can point to a larger underlying problem.

All these risk calculations should feed into a risk tier system for your vendors. These risk tiers can help to short-circuit some of the assessment steps. If the vendor is something as simple as a conference room you’re renting, you can put them in a low-risk tier and skip many of the steps. On the other end though, you need to have gating requirements that won’t let a vendor go below a certain tier. For example, if the loss of service for your infrastructure provider would devastate your business, then they should be in the highest risk tier you have. These tiers also feed into how often you need to re-evaluate each vendor.

Fourth-Party Risk

Over the last few years, it has become increasingly apparent that vendor risks go well beyond the companies you have a contract with. To pick on Okta again, their breach in January was due to one of their vendors. This ended up negatively affecting 366 Okta customers. Every company in the modern age is really an agglomeration of vendors. It’s turtles all the way down. Managing this risk is difficult for anyone who isn’t a Fortune 500 company because companies are reluctant to share who their vendors are. Adding fourth-party risk to your vendor management program can be a daunting task, so it is easiest to just look at your riskiest and most critical third parties. Out of those third parties, look at who their most critical vendors are. You may even find out that some of their vendors are also your own vendors, making the whole process much easier.

When evaluating your own vendors, prioritize those who are transparent about fourth-party risk. Vendors with good risk and security programs should have nothing to hide. If they are reluctant to hand over copies of that documentation, work to find a potential compromise, like audit reports showing that an independent body has evaluated their third-party risk program. You could also do a teleconference with your vendor so they can show you their processes and data without handing over actual copies of anything.

Continuous Monitoring

Just like everything else in information security, third-party risks are never static. Everything about a vendor can change rapidly, from how your organization uses the vendor to how their product evolves to how the threat landscape evolves around you. It is crucial that you re-evaluate your vendors regularly based on their risk tier. The frequency of these evaluations depends on your organization’s risk appetite, but I suggest no less frequently than annually for your riskiest vendors and no less than every two years for any ongoing vendor relationship. Think about how much your organization has evolved in the last two years and how your risk appetite has also changed; that same level of change is also likely to occur at your vendors.

While it is good to periodically re-evaluate your vendors, there is still a large risk of something changing for the worse between those reviews. Obviously no one has the resources to continuously look for issues with your vendors, so this is where we have to turn to services. Service providers like SecurityScorecard can look for changes in the external profile of your vendors and proactively alert you so you can dig into it more. There are also services like CybelAngel who can scan dark web forums and repositories for issues and alert you. The easiest and cheapest way I’ve found though is to join special interest groups and network with those people to hear good analyses of the latest security news. Your industry’s ISAC could fill this role, or services like Cybersecurity Collaborative or IANS could as well.

Marketing Your Company

The same way you evaluate your vendors can be turned around and used to present your hard work in security as a selling point for your company. Think about all the questions you are asking of your vendors and see if you have the same answers for your prospective clients. Is there a way to proactively answer those questions without disclosing confidential information? You should also look for tools to give your sales and marketing teams for referencing this information. The faster they can get this data in front of prospects, the stronger your company will look. The need for this is even greater in regulated spaces like healthcare and finance. You can show your sales prospects that they can save time and energy when doing their initial and ongoing due diligence efforts.

Parting Ways

No vendor relationship is going to last forever, so it is best to plan how you intend to off-board that vendor before the time comes. This may not be necessary for very low-risk vendors but is a must for your high-risk ones. Failure to manage this process could result in vendors having access to your systems well after the contract ends. I’ve seen companies outsource their IT functions only to have to spend years unwinding the hooks they had into their systems. Had those companies planned ahead, the roll-off could have been much smoother.

To make this process easier, document more when you are evaluating the vendor and save all the project documents used during implementation. Ask yourself questions like these and see if they are documented, or better yet ask them during a re-evaluation and see if you can find the answers without difficulty:

  • What access does the vendor have? Be specific and note what environments they are in and what physical or virtual resources they can access.

  • What systems depend on this vendor? Modern infrastructure is a complex web of dependencies; pulling out this vendor may have unknown consequences down the line if it is not properly documented.

  • What is the time period needed for cancellation? Many contracts stipulate that you must let the vendor know 60 or 90 days in advance that you’re canceling.

  • Who are the stakeholders for this vendor in your organization?

  • Are there any bilateral agreements that need to be handled carefully?

Think through these questions, what you might add that is specific to your organization, and which questions should apply to the different risk tiers in your vendor management program.
