Third-party risk assessment checklists are growing more necessary with the expansion of digital transformation. Organizations of all sizes are vulnerable to back-door attacks in ways that they weren’t a decade ago.
Imagine that your company spent thousands of dollars and hundreds of work hours meeting compliance standards. You invested in risk assessments, penetration testing, and you have a strong policy for software patching and employee phishing training. And after all you’ve done, your network is compromised thanks to lax cybersecurity on the part of one of your third-party vendors.
Unfortunately, the scenario above was true for over half of the security breaches in 2018, and the number of back-door hacks through third-party vendors is rising. It’s for this reason that your organization may require a third-party vendor management checklist.
What is a Third-Party Vendor Risk Assessment Checklist?
A vendor risk assessment checklist is an internal document that your cybersecurity team can use to ensure that you are safe from cyber attacks through third party vendor vulnerabilities. Typically, your vendor risk management checklist is one piece of a broader vendor management cybersecurity policy.
The purpose of this guide is to discuss whether or not your organization needs a third-party vendor management checklist. If it does, then we’ve outlined a working checklist to get you started on establishing a sustainable third-party risk management strategy.
How Do You Know if Your Business Needs a Third-Party Vendor Management Checklist?
It’s true that not every organization needs a third-party vendor management checklist. If your operation is small and doesn’t manage sensitive data – like consumer personally identifiable information (PII), employee records, or proprietary information – then a vendor risk management checklist may not be necessary.
Also, if you do not allow any vendors access to sensitive information, you may not need a vendor risk assessment checklist. However, you may need one if you intend to share sensitive information or grant network access to a third party in the near future. Here are three reasons that your business may need a vendor management checklist.
If Any Third-Party Vendor Has Access to Your Network or Data
Most businesses partner with a third party to serve clients. If any vendor has access to your network or data, then there’s a good chance that your business needs a vendor management checklist. This access could include remote access or vendor employees who visit your campus to fulfill their contracted services.
If Your Business Must Meet Data Security or Consumer Data Privacy Compliance Standards
Organizations that collect, manage, and share consumer data are accountable to at least one – usually more than one – set of consumer data privacy laws. Organizations managing medical data must meet strict compliance standards relating to consumer data privacy and cybersecurity measures. If your business is one of those organizations and partners with vendors in any capacity, you will almost certainly need a vendor management checklist.
If the Value of the Data Exceeds Prevention Costs
Your business and client information holds a certain amount of monetary value. You should know the financial loss you would incur if that data were lost or stolen. If those costs exceed the cost of preventative measures – such as cybersecurity, third-party vendor management policies, penetration testing, etc. – then you must make sure that your vendors do not compromise that security.
What is Included in a Vendor Risk Assessment Checklist?
If you’ve determined that your organization needs a third-party vendor management checklist, then the following set of questions will help you establish a third-party management program.
It’s important to keep in mind that this questionnaire is by no means exhaustive. Your checklist may need to be more or less detailed depending upon your industry and the nature of your business.
Is your organization compliant?
This should go without saying. However, a surprising number of organizations concerned with third-party risk fail to meet minimum cybersecurity standards themselves. Investing in your own cybersecurity by ensuring compliance, training staff, and maintaining patching/updates is the first critical step in securing your network.
Have you created a vendor management cybersecurity policy?
If you work with or plan to work with third-party vendors, then company decision-makers should have a clear third-party management cybersecurity policy. The policy should outline how you determine if a vendor is a good choice, as well as how you engage your vendors on security controls. Your vendor risk assessment checklist forms only a piece of your overall vendor management policy.
Do you have an accurate, up-to-date data map?
Your data map shows all information that flows in and out of your organization. As you onboard new vendors, you should have a clear picture of which vendor will have access to what data.
Did you perform due diligence on the third-party vendor to validate their credibility?
Your vendors should have valid articles of incorporation, business licenses, proof of relevant compliance, physical locations in accordance with relevant compliance standards, and a list of credible references. You should also check to see if the vendor is on any watch lists (including a global sanctions list), has hired any legally-suspect key staff, or is currently undergoing criminal or civil litigation.
Is the third party vendor in any kind of financial duress?
It is appropriate to examine available financial statements and tax documents from your third-party vendors. Financial vulnerabilities often translate into mismanaged security.
Does the vendor have a history of security breaches?
A vendor’s history of security breaches may indicate poor security policies and procedures. If they have endured a breach in the past, they should provide proof that they’ve performed the necessary updates and remediation projects to secure their and their clients’ networks.
Have you reviewed the vendor’s cybersecurity policies and procedures?
Examining your vendors’ cybersecurity policies and procedures is a good indicator of how seriously they take their own security and the security of their clients.
Have you reviewed the vendor’s incident response plan?
It’s critical that your vendor have a process for dealing with security incidents, no matter how small. Breach attempts often signal vulnerabilities. Organizations that monitor those attempts and patch software weaknesses are in a good position to protect their and your data.
Does the vendor contract clearly state security expectations?
Third-party vendor contracts should reflect your vendor management expectations as stated in your vendor management cybersecurity policy.
Does the vendor contract allow you to terminate the work agreement if the vendor fails to meet security standards?
Should it become apparent that one of your vendors is negligent or dishonest about their security policies and procedures, you must be free to take your business elsewhere.
Is the vendor willing/able to disclose cybersecurity risk assessment results?
A risk assessment is one of the best ways to quantify cybersecurity risk in real dollars and cents. Reviewing a vendor’s assessment results will give you a clear picture of your third-party risk.
Is the vendor willing/able to complete third-party risk assessment questionnaires as needed?
Most vendor management policies include recurring security questionnaires. How your vendors answer these questionnaires is also a valid way to assess your vendor risk.
Is the vendor willing/able to provide penetration testing results?
If your vendors are serious about cybersecurity, they’ve likely invested in penetration testing. Reviewing those pen test results will help you further measure your vendor’s security policies and procedures.
Do you have someone assigned to manage your third-party risk?
The most important part of your vendor management cybersecurity policy is assigning a person or team to monitor third-party risk. Outlining vendor management responsibilities ensures that your vendors don’t compromise your data or network.
If your organization manages sensitive information and hires third-party vendors to handle certain tasks, you more than likely need a vendor management cybersecurity policy and a third-party vendor management checklist.
At RSI Security, we assist small and medium-sized businesses with affordable and reliable cybersecurity support. Our third-party risk management services oversee all matters pertaining to vendor risk management and back-door cyber attacks.