Risk management of critical vendors who support technology and/or security solutions - Strategy Roadmap

Almost all organizations need the support of Information technology product and service vendors. During this collaboration process, often the vendors and their vendors may have to access the organization's data. Companies must determine which vendors get what level of access to data and how. All the preceding requires organizations to implement a comprehensive risk management strategy.

The vulnerability risk management begins with evaluating vendors before establishing a contract of potential risks when providing access to data.

Failing to plan and implement a comprehensive risk management strategy can have a negative impact:

• Vendors are a major source of data breaches of regulated data
• Data breaches can lead to significant reputation and financial damage
• Breach of legal or compliance regulations
• Wi-fi hacking, Distributed denial-of-service (DDoS) attacks are rampant
• Loss of intellectual property, if a vendor has access to proprietary information and compromises or steals it to use and present as their own.

Vendors can improve trust by properly documenting policies that the sponsor organization requires. Vendors should educate employees at all levels of the importance of third-party security.

A comprehensive risk management strategy:

• Helps identify and decrease business uncertainties and legal liabilities regarding hiring the vendor
• Enables you to know if your vendor can truly support your organization, perform the tasks you've contracted them for, or cover your losses should a breach from their end occurs.
• Ensures that your organization is able to manage compliance risk and pass compliance audits

What the risk management strategy should include

• What is the type of data you are sharing with the vendor?
• How is the data shared?
• Who has access to the data?
• How will the data be stored?
• How will the data be destroyed?
• How will the process be audit and at what frequency?

Implementing risk management in the initial vendor selection process

The first step in the risk management process is the selection of the right vendors. Exercise due diligence to ensure verification of the following key areas:

• Background
• Performance history
• Financial health
• Market reputation
• Policies in place within the vendor organization
• Compliance
• Stakeholders and management team
• Civil or criminal lawsuits against your vendor or its stakeholders

The above is a partial list of the areas of vendor selection process. Once you have the information, develop a risk profile identifying the possible risks. To build risk profiles, develop well-designed risk assessment questionnaires. In building risk reviews/questionnaires, there are no specific rules to follow. Use these tips to build questionnaires:

• Create a refined and specific set of questions that align not only with your risk appetite but with the particular vendor's risk level and service provided.
• Provide clear instructions and use simple language
• Avoid open-ended questions wherever possible
• Organize questions into sections relating to specific risk domains
• Be consistent. Align the sections and questions and scoring.
• Review your questionnaire(s) annually (or sooner if market conditions change)

Armed with answers to the questionnaires, develop risk assessment profiles identifying possible risks. Next establish a risk management strategy specifying the essential steps to mitigate those risks. If you already have a strategy, you may need to modify a clause in the strategy document for each vendor with whom you choose to work with. Once you have developed the strategy, review your vendor periodically using the strategy document.

Proposed vendor security sections for inclusion in the questionnaire:

• Data backup and recovery
• Security policy and administration
• Secure software engineering and vulnerability scans
• Single sign-on integration (SAML 2.0 connector)
• Service organization control (SOC) reports
• Technical and customer support

1. Enlist all the names of vendors whom your organization works with. Put them in order of priority based on level of security risk each vendor poses to your organization. This will enable you to allocate and organize your internal resources to manage the high risk critical vendors.
2. Build and implement a security framework that aligns with your organization's objective and maps with the compliance requirements. For example, if you are regulated by the Health Information Portability and Accountability Act (HIPAA), your vendor must also comply with it.
3. Involve your legal team to prepare contract that outlines your organization's relationship with the vendor.
4. Document the vendor selection process and criteria, the vendor details, the audit reports of each review that takes place at the vendor's site.
5. Perform periodic reviews. Audit the clauses included in the strategy document frequently to make sure they are adhered to. Such periodic reviews will ensure that your vendor meets the regulatory compliance requirements.
6. Enlist the 4th party vendors and perform periodic assessments of your vendor's policies for its vendors.
7. Create documentation of the risks you identify during the audits with necessary steps to mitigate the risk.
8. Train those employees involved in the process identifying why the process is critical and a clear escalation line for any problems.

Tools and resources that help in risk management

• Risk management questionnaires, templates and process documents that maps to your organization. Prepare these during the vendor evaluation process.
• Webinars, seminars that educate the management and staff about risk management and compliance areas
• Best practice, compliance, and regulatory standards. Some of them include:
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Sarbanes-Oxley Act
• The Gramm-Leach-Bliley Act
• The Foreign Corrupt Practices Act (FCPA)
• The Payment Card Industry Data Security Standard (PCI DSS)
• The UK Bribery Act
• NIST 800-53
• NIST Cybersecurity Framework

Get to know your vendors well, compile as much information before developing the strategy. Perform physical verification and utilize publicly available information from social media, google alerts, etc. The purpose is to mitigate risk for your organization and for your vendor.

Experience the unique opportunity to develop critical risk management skills to apply immediately upon returning to the office by attending the seminar 'Critical Vendor Risk Management'. In this fast-paced, highly interactive workshop attendees will develop a risk profile and risk management strategy using one of their own current or future vendors of choice.

The speakers are Rayleen M Pirnie, and Karen L Garrett. Rayleen's educational programs provide real-world, actionable information for financial institutions and businesses on topics ranging from payments risk management to information security. She authors payments risk and fraud blogs geared toward helping organizations recognize threats and protect themselves from loss. Karen L Garrett advises financial services businesses on payments, third party risk management, regulatory and operations matters, product development, compliance, M&A and other legal issues. Karen represents financial companies in connection with licensing applications and enforcement orders.