Every major cyber security framework and law requires that an organization manage the cyber risk of its third-party vendors. Vendor cyber risk management must now be considered “best practice” for a defensible cyber program.
Over the last several years, many vendor cyber risk management tools have entered the market. Like most cyber security software, they are targeted at larger businesses. After helping hundreds of customers complete these vendor cyber risk assessments, we have found that the tools are generally overkill and rarely fit the business being assessed. Worse yet, we still see large organizations sending out the Shared Assessments (TM) questionnaire, a massive spreadsheet containing hundreds of assessment questions. Not only are these assessments large, they provide little guidance on how to answer them.
The Flawed Cyber Vendor Assessment Process
Here are the results of this flawed process:
- Vendors Don’t Answer the Questions Correctly – Most vendors we talk to just stare at these massive spreadsheets of questions and have no idea where to start or how to answer them properly. This leads to two other major problems.
- The Organization’s Vendor Assessment Process Takes Months – We often see a vendor take 6 to 9 months to finish an assessment. In many cases they have to hire consultants to help with the process.
- The Organization Gets Bad Results – Since the questions don’t match the vendor’s actual business, and the vendor has no good way to answer them, the “results” are terrible. This makes the entire VRM process a huge waste of time and money.
Improving Vendor Cyber Risk Assessments
Information Shield is helping solve this problem in three ways. First, we are dramatically simplifying the vendor cyber risk management process via ComplianceShield, so that small and medium organizations can have the same functions as larger ones at a reasonable cost.
Second, we are improving the results by introducing the Common Vendor Assessments (CVA), a new set of vendor risk assessments that map more clearly to the actual functions of the vendor being assessed. For example, a smaller organization running a SaaS business has different cyber risks than a large retail company.
Finally, customers can use the Cyber Risk Score (TM) assessments to make a fast, initial estimate of a vendor’s or supplier’s inherent cyber risk. This initial screening makes the assessment process more effective, produces better results, and yields scores that can easily be compared across vendors.
Try out these new features with a FREE TRIAL of ComplianceShield. It takes less than 5 minutes to get started.
Table 1: Example list of cyber security frameworks that require vendor risk assessment

| Cyber Security Framework | Vendor Risk Requirement |
| --- | --- |
| ISO 27002:2022 | 5.19 Information security in supplier relationships |
| NIST CSF 1.1 | ID.SC Supply Chain Risk Management (e.g., ID.SC-2, supplier identification and assessment); DE.CM-6 External service provider activity is monitored |
| CIS Controls v8 | Control 15: Service Provider Management |
| HIPAA Security Rule | 45 CFR 164.308(b)(1) Business associate contracts and other arrangements |
| NYS-DFS | 23 NYCRR 500.11 Third Party Service Provider Security Policy |