The essentials of vendor risk management

You can’t have trusted partners without a risk management program

Today, it’s common for companies to outsource their noncore functions to vendors. It makes good business sense to focus company resources on your business and let other companies handle the standard IT infrastructure, but only if the associated risks are identified and managed. Companies rely on vendors and cloud-based applications and networks (AWS, SaaS, etc.) to manage their CRM, back-office, and e-commerce infrastructure. This dependence on vendors increases efficiency, but it also increases your company’s susceptibility to threats.

Gartner defines vendor risk management as “the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. Vendor risk management technology helps enterprises to assess, monitor and manage their risk exposure from third-party suppliers that provide IT products and services, or that have access to enterprise information.”

Vendor risk management is an essential and ongoing process

Using third-party vendors is now an accepted and integral part of operations, but it’s also the practice that makes businesses most vulnerable. Developing a risk management program that addresses vendor risk is essential for every business in the modern era of outsourcing. Before you purchase new technology, you should define the current and expected business requirements, areas of risk within the vendor relationship lifecycle, and the types of vendors that need to be managed.

When you have established this definition of your end-state vendor risk management environment, audit your current solutions to identify how well your current processes are working. As you review your vendor risk management processes and tools, look for opportunities to streamline existing processes. Use this assessment to evaluate new (or enhancements for your current) vendor risk management tools.

Keep in mind that because your company’s network security environment and solutions infrastructure continuously evolve, it’s a good idea to periodically assess your company’s vendor risk management tools and processes.

Essential capabilities for vendor risk management

Your business should receive the secure support you need while maintaining control, ensuring industry compliance, and creating audit trails. At the very minimum, your vendor risk management solution should have tools that authenticate, audit, and control access by employees and third-party vendors. Be sure to review workflows and user interfaces; usability is essential for encouraging compliance with your processes. You should look for a solution with tools that:

  • Standardize and integrate remote support on one platform
  • Control remote access for all vendors with easy and intuitive tools
  • Ensure compliance with all regulatory and company policies
  • Manage identity and permissions by roles
  • Manage passwords and multi-factor authentication
  • Support complex remote support by vendors and single sign-on (SSO) across platforms
  • Securely manage, rotate, and insert privileged credentials
  • Track and monitor all activity of all users to enable early intervention and accountability
  • Control access across multiple operating systems and devices
  • Enable collaboration and chat among users
  • Integrate with CRM solutions
  • Provide granular, directory-based access controls and scheduling
  • Provide granular command filtering and canned scripts

Companies are investing in vendor risk management tools and processes to implement programs that provide protection even when the technology environment and business models change. With the right solution, you can increase efficiency, reduce costs, and improve service while mitigating your risks.

The post The essentials of vendor risk management appeared first on SecureLink.

*** This is a Security Bloggers Network syndicated blog from SecureLink authored by Tony Howlett. Read the original post at: https://www.securelink.com/blog/the-essentials-of-vendor-risk-management/

Tony Howlett

Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of the (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP and GNSA certifications and a B.B.A. in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.