Vendor risk management describes the combined processes of third-party vendor management and cybersecurity risk monitoring (Tunggal, 2023). Third-party vendors include cloud solution providers, information technology companies, and other providers of outsourced services. A healthy relationship between a company and a vendor requires high-level assessments of the vendor's security controls as part of relationship management. A vendor risk management plan is a service level agreement that details the arrangement between the company and the vendor, how the two parties plan to maintain compliance, and how vendor performance will be assured over time. Risk scoring methods and algorithms generate quantifiable data that helps organizations practice better risk management across their many third-party vendors.
A company that uses any sort of outsourcing or otherwise obtains a product or service should understand and document the risks involved with third-party vendors and have an organization-wide plan to minimize the specific risks associated with each third-party vendor that the company is involved with. Currently, it is not uncommon for the operations of organizations to utilize the products and services of over 1000 third-party vendors. It is imperative that the security risks involved with third-party relationships are managed throughout the entirety of their lifecycle so that the attack surface and risk to the organization can be minimized.
Third-party and Fourth-party Vendors
While a third-party vendor is any outside provider of a product or service to the organization, a fourth-party vendor is a supplier of a third-party vendor, and can therefore influence the organization indirectly (Chipeta, 2023). Fourth-party risk measures the risk that is inherited through the supply chain. To an information security team, the risks associated with third-party and fourth-party vendors pose equal levels of threat; both contribute to the same overall attack surface and must be integrated into the vendor risk management plan. The existence of fourth-party vendors makes it important for each organization to have its own individual vendor risk management program. It is also important for organizations to gain as much information about their vendors and supply chain as possible, so that in the case of a security incident they receive relevant information in a timely fashion that might warrant a response or change within the organization. If a fourth-party vendor is the victim of a data breach, the security of the third-party vendor cannot be assumed to protect the organization from harm. Regardless of where the breach occurred, the organization is responsible for its complete attack surface, which includes all third-party and fourth-party vendors. Fourth-party vendors can be challenging to obtain information about, and their presence might even be unknown to the organization.
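The two ideas above, a quantitative risk score for each vendor and risk that is inherited from fourth parties down the supply chain, can be made concrete in a small vendor register. The following is an added illustration, not code or a scoring method from any of the cited sources: the weighting scheme, the vendor names, and the rule that a vendor is at least as risky as its riskiest known supplier are all assumptions chosen for the example. It also surfaces suppliers the organization has no record for, which is the "unknown fourth party" problem described in the paragraph above.

```python
"""Illustrative vendor risk register with fourth-party risk inheritance.

Constructed example. The scoring weights, the sample vendors and the
inheritance rule are assumptions for illustration only and do not come
from any cited source or product.
"""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    data_sensitivity: int      # 0-3: none, internal, confidential, regulated
    access_level: int          # 0-3: none, read, write, privileged/network
    attested: bool             # holds a current recognised security certification
    questionnaire_gaps: int    # unresolved gaps from the standard questionnaire
    suppliers: list = field(default_factory=list)   # this vendor's own vendors


def intrinsic_score(v: Vendor) -> int:
    """Score a vendor on its own exposure and controls, clamped to 0..10.

    Exposure is what the vendor could leak (sensitivity x access); unresolved
    questionnaire gaps add risk, a current attestation subtracts some.
    """
    exposure = v.data_sensitivity * v.access_level      # 0..9
    controls_penalty = min(v.questionnaire_gaps, 3)     # cap so gaps do not dominate
    attestation_credit = 2 if v.attested else 0
    return max(0, min(10, exposure + controls_penalty - attestation_credit))


def inherited_score(name: str, registry: dict, path=frozenset()) -> int:
    """Risk including the supply chain.

    Assumed rule: a breach at a fourth party is not stopped by the third
    party's own controls, so a vendor scores at least as high as the riskiest
    supplier reachable below it. `path` guards against circular supplier links.
    Suppliers absent from the registry are unknown and contribute nothing here;
    attack_surface() reports them separately.
    """
    if name in path or name not in registry:
        return 0
    v = registry[name]
    upstream = [inherited_score(s, registry, path | {name}) for s in v.suppliers]
    return max([intrinsic_score(v)] + upstream)


def attack_surface(direct: list, registry: dict) -> tuple:
    """Walk from the organization's direct vendors through every supplier link.

    Returns (known vendors reachable, supplier names with no registry entry).
    The second set is the part of the attack surface the organization has not
    yet documented.
    """
    known, unknown, stack = set(), set(), list(direct)
    while stack:
        n = stack.pop()
        if n in known:
            continue
        if n not in registry:
            unknown.add(n)
            continue
        known.add(n)
        stack.extend(registry[n].suppliers)
    return known, unknown


def risk_register(direct: list, registry: dict) -> list:
    """Return (name, intrinsic, inherited) for every direct vendor, riskiest first."""
    rows = [(n, intrinsic_score(registry[n]), inherited_score(n, registry)) for n in direct]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


# Constructed sample data (hypothetical vendors and values).
REGISTRY = {
    "payroll-saas": Vendor("payroll-saas", 3, 2, True, 0, ["cloud-host", "email-relay"]),
    "cloud-host": Vendor("cloud-host", 3, 3, True, 1),
    "email-relay": Vendor("email-relay", 1, 1, False, 2, ["unknown-cdn"]),
    "office-cleaning": Vendor("office-cleaning", 0, 0, False, 0),
}
DIRECT_VENDORS = ["payroll-saas", "office-cleaning"]

if __name__ == "__main__":
    for name, own, total in risk_register(DIRECT_VENDORS, REGISTRY):
        print(f"{name:16} intrinsic={own:2} with supply chain={total:2}")
    known, unknown = attack_surface(DIRECT_VENDORS, REGISTRY)
    print("documented attack surface:", sorted(known))
    print("undocumented fourth parties:", sorted(unknown))
```

In the sample data the payroll provider scores a modest 4 on its own controls, but because it runs on a hosting supplier that scores 8, its supply-chain score is 8; that is the inheritance the paragraph describes. The walk also reports `unknown-cdn`, a supplier of a supplier with no registry entry, as undocumented attack surface that the questionnaire process should resolve.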
Vendor Security-focused Assessments
Most reported cybersecurity breaches are caused through one of the many third-party vendors that provide products or services to the organization (Evans, 2019). Because only 40% of current applications are stored on-site, most involve a third-party service vendor such as a cloud service provider. An organization's data should be accessible only to approved vendors, and only while they require access to complete their tasks. Communication and transparency should be maintained between an organization and its third-party vendors throughout the life of their agreements; the documentation and information surrounding these relationships and agreements are part of the focus of vendor security-focused assessments. Other common areas of focus in these assessments are applicable governmental regulations, geographical data restrictions, privacy policies, encryption, offboarding security procedures, and disaster recovery planning.
Industry Standard Questionnaires
There are several industry standard questionnaires, offered by providers such as Panorays, that companies can use in tandem with a vendor risk program to improve the security posture of their organization (Goldman, 2023). Along with vendor attack surface assessment, vendor risk assessment, and continuous monitoring, industry standard questionnaires make up the four key steps that Panorays recommends for a comprehensive third-party risk management process.
Another example of an industry standard questionnaire service is UpGuard; their software service offerings include continuous attack surface monitoring and protection from third-party data leaks in addition to their questionnaires (Tunggal, 2023).
Opinion: How to Ensure Vendors Meet Security Requirements
In my opinion, the best way to ensure that vendors meet an organization’s security requirements is to adhere to an industry-standard framework and set of standards as an organization and to work with third-party vendors that also use standard frameworks and standards. Companies do not have to make scrambling attempts at meeting security requirements, because frameworks created by the hard work of standards organizations provide organizational structure and a set of procedures that can ensure compliance when completed properly. Secondly, I think that, to a lesser extent, accountability through transparent and logged communication, including industry standard questionnaires, can help quantify the levels of risk involved with third-party vendors. Certifications can attest to security compatibility in organization-vendor relationships.
References
Chipeta, C. (2023). What is Fourth-Party Risk? UpGuard. https://www.upguard.com/blog/what-is-fourth-party-risk
Evans, A. (2019). Managing Cyber Risk. Taylor & Francis. https://online.vitalsource.com/books/9780429614262
Goldman, D. (2023). How Vendor Risk Management Reduces Third-Party Risk. Panorays. https://panorays.com/blog/what-is-vendor-risk-management/
Tunggal, A. T. (2023). What is Vendor Risk Management (VRM)? 2023 Edition. UpGuard. https://www.upguard.com/blog/vendor-risk-management