The recent flurry of supply chain attacks has left a trail of carnage spanning across the globe.
Because supply chain attacks compromise a higher number of victims with less effort, cybercriminals are unlikely to forgo this efficient attack method without a fight.
A recent study by Sonatype confirms that supply chain attacks are on the rise, and according to IBM, the global average cost of a data breach is currently US$3.86 million.
So the chances of suffering a supply chain attack are higher and the repercussions are more costly than ever before.
To further amplify the seriousness of the current threat climate, a 2018 study by the Opus & Ponemon Institute found that 59% of analyzed companies experienced a third-party breach and only 16% said they had an effective third-party risk program in place.
Keep in mind that this study was conducted in 2018, and according to the data in Figure 1, supply chain attack incidents have increased by almost 500% since 2018-2019.
These statistics should provoke CISOs to urgently increase the resilience of their vendor security program before it's too late.
We've compiled a free checklist to help CISOs identify the critical areas that constitute a successful Vendor Risk Management (VRM) program.
Essential Vendor Risk Management Knowledge
To ensure you get the most value from this checklist, we're setting the stage by answering some of the common questions concerning vendor security. If you prefer to skip ahead to the checklist, click here.
What is a Vendor Risk Assessment (VRA)?
A vendor risk assessment is a process of evaluating the potential security risks associated with a vendor's operations and products. The criticality of these security risks is determined by the potential impact on your business and its sensitive data.
Vendor risk assessments, also known as Third-Party risk assessments, help security teams determine the likelihood of a particular vendor suffering a data breach and surface the necessary steps required to diminish this likelihood.
The purpose of vendor risk assessments is to help organizations understand the security risks associated with each vendor. This helps them decide whether a potential vendor is safe to onboard, and what needs to be done to secure existing vendor relationships.
Learn more about vendor risk assessments.
What is Vendor Risk Management (VRM)?
Vendor risk management is the overarching effort of identifying, remediating, and monitoring third-party risks. It includes the governance of vendor risk assessment creation and vulnerability remediation.
What Should Be Included in a Vendor Risk Management Policy?
The purpose of a vendor risk management policy is to keep all stakeholders informed of the details of a vendor risk management program.
This policy should include the following details:
- Identify the people that will be involved in the vendor management program, and their roles and responsibilities.
- Identify all of the security controls that will be used in the vendor management program.
- Outline the protocols for vendor due diligence.
- Identify the specific vendor risk assessment that will be used.
- Discuss the proposed Incident Response Plan (IRP).
- Explain how stakeholders will remain informed about the efforts of the Third-Party Risk Management program.
What are the Risks of Vendor Risk Management?
Ironically, vendor risk management is not without risks of its own. This is because VRM is powered by cloud solutions that expand a company's digital landscape and increase digital risk.
This risk is not unique to vendor risk management; it's an inexorable by-product of digital transformation - the more digital solutions you append to your resources, the larger the potential attack surface.
The solution to mitigating this risk is to implement an attack surface management solution that can detect and remediate vulnerabilities caused by digital transformation so that critical programs like VRM can be embraced without concern.
Learn why VRM is particularly critical for businesses in India.
What are the Different Types of Vendor Risks?
Before vendor risk can be rated, all vendors need to be identified. This process isn't so straightforward if your organization works with contractors.
The IRS has developed a checklist to help such organizations establish clear dividing lines between contractors, employers, and third-party vendors.
Though the specific details of vendor risks differ across each industry, at a high level, each industry can benefit from a single VRM framework. This includes the same classification model for vendor risks.
There are 5 levels of vendor risks. The severity of each risk depends on the sensitivity level of the data being accessed.
The above graphic can be used to complete a preliminary risk analysis to evaluate each vendor's level of access to private resources. A more in-depth risk analysis is then completed when each vendor's security posture is calculated.
How Do You Evaluate a Vendor's Security Posture?
Security posture is a complicated calculation that's best entrusted to a dedicated calculator to ensure accuracy. But it can be estimated as a degree of acceptance, rather than a numerical value, by following the process below.
A vendor risk profile determines the types of risks security teams will be addressing beyond a set risk threshold.
The risk threshold (or risk appetite) is a function of both the inherent risks and residual risks within the ecosystem.
Learn more about the difference between inherent and residual risks.
Learn how to calculate risk threshold.
Once your risk threshold is defined, it should be used to create a threat matrix or threat model. A threat matrix determines the severity of each assessed risk (x-axis) and the likelihood of exploitation (y-axis) relative to the set risk threshold.
This risk matrix is then used to evaluate the resilience of specific security policies in a vendor's security program. This information is most efficiently obtained through vendor risk assessments.
Related: Vendor risk assessment questionnaire template
Each vendor questionnaire response is reviewed with the threat matrix and assigned a risk rating.
The average number of responses of each risk type provides a very loose estimation of a vendor's security posture.
This arduous manual process can be replaced with a vendor risk monitoring solution capable of instantly calculating vendor security ratings. This is especially useful for organizations with a comprehensive vendor network.
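As an added illustration of the manual process above (example code, not UpGuard's calculator or anything from the original post), the following scores each questionnaire finding on a 5x5 threat matrix, rates it against a risk threshold, and aggregates the ratings into a loose degree of acceptance. The severity and likelihood scales, the rating bands, the sample findings and the threshold value of 12 are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed 5x5 threat matrix: severity on the x-axis, likelihood on the y-axis.
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class Finding:
    """One questionnaire response that did not meet the expected control."""
    control: str
    severity: str    # key of SEVERITY
    likelihood: str  # key of LIKELIHOOD


def risk_score(finding):
    """Matrix cell value: severity x likelihood, in the range 1..25."""
    return SEVERITY[finding.severity] * LIKELIHOOD[finding.likelihood]


def risk_rating(finding, threshold):
    """Rate a finding relative to the organisation's risk threshold (1..25).
    Anything above the threshold is unacceptable; the remainder is bucketed
    by how close to the threshold it sits (assumed thirds)."""
    score = risk_score(finding)
    if score > threshold:
        return "unacceptable"
    if score > threshold * 2 / 3:
        return "high"
    if score > threshold / 3:
        return "medium"
    return "low"


def posture_estimate(findings, threshold):
    """Loose posture estimate: the distribution of ratings across responses
    and an overall degree of acceptance derived from that distribution."""
    counts = Counter(risk_rating(f, threshold) for f in findings)
    if counts["unacceptable"]:
        acceptance = "reject or remediate before onboarding"
    elif counts["high"]:
        acceptance = "conditionally acceptable"
    else:
        acceptance = "acceptable"
    return counts, acceptance


# Constructed sample questionnaire findings for one hypothetical vendor.
SAMPLE = [
    Finding("MFA not enforced for admin accounts", "major", "likely"),
    Finding("Legacy TLS versions still enabled", "moderate", "possible"),
    Finding("Backup restores untested", "minor", "unlikely"),
]
```

Calling `posture_estimate(SAMPLE, 12)` rates the MFA gap (16) as unacceptable, the TLS finding (9) as high and the backup finding (4) as low, so the vendor is flagged for remediation before onboarding.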
Do Your Vendors Need to Comply with Regulatory Standards?
Regulatory compliance ensures businesses are equipped to defend against the cyber risks that are specific to their industry. As such, regulatory compliance standards differ across each industry.
Here is a list of popular information security compliance standards. Compliance with specific standards is mandatory for highly regulated industries, such as healthcare and finance.
- NIST (National Institute of Standards and Technology)
- CIS Controls (Center for Internet Security Controls)
- ISO (International Organization for Standardization)
- HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule
- PCI-DSS (The Payment Card Industry Data Security Standard)
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- AICPA (American Institute of Certified Public Accountants)
- SOX (Sarbanes-Oxley Act)
- COBIT (Control Objectives for Information and Related Technologies)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Modernization Act of 2014)
- FedRAMP (The Federal Risk and Authorization Management Program)
- FERPA (The Family Educational Rights and Privacy Act of 1974)
- ITAR (International Traffic in Arms Regulations)
- COPPA (Children’s Online Privacy Protection Rule)
- NERC CIP Standards (NERC Critical Infrastructure Protection Standards)
UpGuard supports a range of security questionnaires to meet many of the popular compliance requirements vendors are bound to.
Here's a list of the security questionnaires available on UpGuard:
- CyberRisk Questionnaire: provides a comprehensive assessment of an organization's security posture.
- ISO 27001 Questionnaire: Assesses an organization's security posture against the ISO 27001 standard with risks mapped against ISO 27001 domains.
- Short Form Questionnaire: a condensed version of the CyberRisk Questionnaire.
- NIST Cybersecurity Framework Questionnaire: Assesses an organization's security posture against the NIST Cybersecurity Framework.
- PCI DSS Questionnaire: Assesses an organization's adherence to the twelve requirements of PCI DSS.
- California Consumer Privacy Act (CCPA) Questionnaire: Assesses whether a vendor is compliant with the personal information disclosure requirements outlined in CCPA.
- Modern Slavery Questionnaire: Designed to identify modern slavery risks, address identified risks, and highlight areas requiring further due diligence.
- Pandemic Questionnaire: Assesses the impact of any current or future pandemics.
- Security and Privacy Program Questionnaire: Focuses solely on an organization's security and privacy program.
- Web Application Security Questionnaire: Focuses solely on an organization's web application security controls.
- Infrastructure Security Questionnaire: Focuses solely on an organization's infrastructure security controls.
- Physical and Data Centre Security Questionnaire: Focuses solely on an organization's physical and data centre security controls.
- COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
- ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
- ISA 62443-3-3:2013 Security Standard Questionnaire: Assesses compliance against technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1.
- GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
- CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in 20 CIS Controls.
- NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.
- SolarWinds Questionnaire: Designed to help you assess your vendors that may use SolarWinds.
- Kaseya Questionnaire: Determines if you or your vendors were exposed to the sophisticated supply chain ransomware attack.
The details of specific vendor security efforts can be scrutinized with custom questionnaires.
Free Vendor Risk Management Checklist
Now that the essential background information has been covered, the following checklist will help you address all of the important aspects of Vendor Risk Management (VRM).
Important:
Vendor Risk Management is a comprehensive security program requiring the combined efforts of third-party risk analysts and vulnerability detection software.
This complex and ever-evolving field of cybersecurity cannot be regulated with a single checklist. The following checklist should, therefore, only be used to identify deficits in your current VRM program that can then be strengthened with an industry-leading vendor risk management solution.
For a more comprehensive guide on Third-Party Risk Management (TPRM), refer to this post.
This checklist can also be downloaded as a PDF by clicking here.
1. Assessing the Security Posture of Prospective Vendors
Address each of the following items when considering potential vendors.
🔲 Vendor has provided evidence of successful historic partnerships in a similar industry.
🔲 Vendor has provided evidence of compliance with mandatory regulatory standards (ISO 27001, NIST, etc.).
🔲 Vendor is requesting a reasonable level of access to sensitive resources.
🔲 Vendor has implemented a clear and resilient supply chain security program.
🔲 Vendor offers an acceptable service level agreement (SLA) that can confidently be maintained in the event of a cyberattack.
🔲 Vendor has demonstrated how they plan to keep your business informed about cyber-incidents impacting their ecosystem.
2. Defining Clear Processes for Detecting Third-Party Risks
Ensures your organization is capable of rapidly detecting and prioritizing risks.
🔲 A list of all current and historical vendors is maintained and always kept up-to-date.
🔲 Each vendor's access to sensitive resources is confirmed to be the minimal level of access required to meet business objectives.
🔲 All detected vendor risks are ranked by magnitude of impact to your organization in the event of exploitation.
🔲 Each vendor's security posture is regularly assessed.
🔲 Vendors with the highest level of access to sensitive customer data are assessed at a higher frequency and with stricter security standards.
3. Managing Vendor Risks
Ensures you have a process in place for mitigating the chances of vendor vulnerabilities being exploited.
🔲 Establish a clear Incident Response Plan for all vendor-related cyber incidents.
🔲 Set clear cybersecurity expectations about how vendors are to respond to cyber threats and how they should keep your organization informed.
🔲 Identify all regulatory compliance standards that apply to all vendors.
🔲 Establish a regular schedule for scrutinizing vendor regulatory compliance.
🔲 Establish a process for monitoring each vendor's security efforts.
🔲 Ensure all vendors have implemented multi-factor authentication.
🔲 Ensure all vendors are encrypting their data with the Advanced Encryption Standard (AES).
🔲 Ensure vendor software is protected with the latest patches.
🔲 Regularly audit vendors to ensure they are meeting regulatory security requirements, your personal security requirements, and SLA requirements.
4. Keeping Stakeholders Informed About Vendor Security Efforts
Ensures that management and stakeholders are kept informed about your third-party security efforts.
🔲 Establish clear communication channels between vendors and your internal security teams.
🔲 Establish clear communication channels between your security teams and stakeholders.
🔲 Establish a regular schedule for sharing reliable and actionable vendor cybersecurity information across all channels.
🔲 Establish channels for keeping your security teams informed about developing global cyber threats.
UpGuard: The Vendor Risk Management (VRM) Solution for CISOs
UpGuard empowers CISOs to take confident control of their Vendor Risk Management program with a single, clean digital platform - replacing the logistical nightmare of managing multiple Excel spreadsheets.
UpGuard supports all of the essential components of a successful Vendor Risk Management program:
- Vendor security posture monitoring - UpGuard's single-pane-of-glass view gives stakeholders and security teams instant visibility into the state of security of the vendor network
- Third-party attack surface monitoring - UpGuard rapidly detects third-party, and even fourth-party, vulnerabilities before they develop into third-party breaches and supply chain attacks.
- Remediation management - The remediation efforts of all detected vulnerabilities can be managed and tracked straight from the UpGuard platform, supporting rapid incident response times.
- Regulatory compliance - UpGuard offers a wealth of security questionnaires to support popular regulatory compliance standards.
- Custom security questionnaires - UpGuard offers a custom security questionnaire builder to support bespoke vendor security programs.
- Executive report generation - UpGuard's executive report generation feature allows you to instantly inform the leadership team of the complete scope of your VRM efforts.
- Cost-effective TPRM scaling - UpGuard offers a team of cybersecurity experts that can manage vendor assessments and data leak security on your behalf. This unit can be augmented with existing security teams to efficiently scale a TPRM program.