As a result of several recent cyber attacks on the healthcare supply chain, the American Hospital Association (AHA) and the Health Information Sharing and Analysis Center (H-ISAC) issued a joint warning urging healthcare organizations to increase their focus on third-party security. For organizations that are already short on resources and staff, adding a Vendor Risk Management process can seem daunting and expensive.
At Information Shield, we have helped hundreds of organizations pass cyber assessments from customers, insurance providers and regulators. In this article we cover the critical cyber security controls for assessing and managing third party risk and provide some “lessons learned” from the trenches.
Vendor Identification
This seems obvious, but the first step in vendor risk management is to identify the vendors that pose a serious cyber risk. The recent healthcare attacks have been on Blood Centers, disrupting the collection and management of blood in the supply chain. Every business has its own set of suppliers that are critical to the business, many of them outside traditional IT. To identify the vendors that pose a potential cyber risk, you usually have to start with a list of all vendors.
The Vendor Identification process is typically done as part of an Asset Inventory. While many organizations consider only Information Technology Assets, an Asset Inventory should also cover dependencies such as third-party vendors that support key processes. Since it must be updated periodically, the IT Asset Inventory is an ideal place to record the list of vendors.
Lesson Learned: Unfortunately, identifying ALL vendors can be difficult. In most places, the Accounting Department may have the only reliable list of vendors. If you are struggling to find your list of vendors, check where the money flows.
Vendor Risk Categorization
The next step is to Categorize your vendors based on cyber risk. In other words, how serious is the potential impact of an incident with this vendor? Does the vendor collect or process PII that could trigger breach notification? For example, vendors who provide critical IT services or critical environmental controls should always be at the top of the list. Organizations should develop a list of third-party attributes that help determine the potential cyber risk of any vendor. For example, we provide a Vendor Cyber Risk Scoring assessment within ComplianceShield.
Lesson Learned: Start simple. Divide your vendors into three risk categories: Low, Medium and High. And then create three different Vendor Assessments based on the risk profile. The higher the risk the more questions and the more details required for each answer.
Risk Categorization is a must. Create a Risk Categorization Standard that determines which attributes of the organization qualify as potentially high cyber risk.
Vendor Cyber Risk Assessment
The next step is to “Assess” the cyber risk of vendors based on their risk category. The assessing organization sends a set of cyber assessment questions to each vendor. The responses dictate the level of Cyber Risk Maturity of the organization. What SHOULD happen is that each vendor gets assessed based on their actual cyber risk.
Vendor Risk Assessments are typically put into a spreadsheet or online form. Organizations then send the Cyber Assessments manually (via email) or use an automated Vendor Management Program. Automated tools can save hundreds of hours, as long as they don’t cost more in setup than the time they are saving. Correlating results across many vendors without automation is very time consuming and prone to error.
Lesson Learned: The biggest mistake we see is treating ALL vendors as though they are high-risk. In healthcare, for example, vendors who provide mailing services are treated as having the same cyber risk as medical records providers. If your organization does this, you will not only add months to each assessment, you will also get bad results.
Another key factor is to make sure your Cyber Vendor Assessments have questions that (1) Are easy to understand, and (2) have a defined set of answers with clear instructions. We often see clients struggle to answer questions with only a “Yes/No” option.
Lesson Learned: Not all Assessments are created equal. If you send assessments with “Yes/No” responses, or ask questions that really do not apply based on the business you are assessing, you will waste hundreds of hours and get terrible results.
For example, an assessing organization will ask for a Network Diagram even though the vendor has no private network. Not only does this waste dozens of hours as vendors try to comply, it provides absolutely zero assurance to the company doing the assessment.
Third Party Risk Remediation
This is by far the most challenging phase of the vendor risk management process. Typically some percentage of your vendors will come back as “insufficient” in the implementation of the controls. (Again, the Vendor Risk Management Team should come up with a set of metrics for assessing cyber maturity.) For example, many organizations do not have an active “Disaster Recovery Plan” that has been adopted and tested. Other times, the organization has outdated or insufficient Information Security Policies. Now the organization must make a choice: How do we handle vendors who are “out of compliance”?
The Binary Non-Compliance Decision
There are two typical responses to vendors identified as “not compliant”: (1) Completely stop them from doing business, or (2) Create a remediation plan. This is where it gets tricky. No organization can FORCE a vendor to implement controls. So the default reaction is often to threaten losing business.
Lesson Learned: Do not make vendor assessment a binary decision. There is no “go/no go” in the real world of cyber assessment. In practice, we see many companies on the verge of losing customers because the Customers doing the assessments have a poorly designed cyber risk management program.
An Effective Third Party Remediation Plan
By far the most productive approach is to create a “remediation plan.” This is a formal response to the vendor that identifies certain parameters:
- What Control needs to be improved;
- A Target Date for control implementation;
- Agreed-upon metrics for “Completion”.
Without these three elements, Vendors can be left floundering for months trying to hit a moving target. As noted above, companies cannot pass assessments with vague descriptions of “done.” Provide a clear example of what evidence would support a status of “complete.”
So for proper vendor remediation, don’t stop your Vendor from doing business, but instead tag them as “Under Remediation.” The critical part is that these remediation plans, controls and dates must be tracked. If the organization has hundreds or thousands of vendors, this is nearly impossible without an automated vendor risk management tool.
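The following is an added worked example, not code from Information Shield or ComplianceShield, that ties together the Risk Categorization, Assessment and Remediation steps described above in one small Python model. The tier rules, the question bank with its defined answer sets, the 90-day default target, and the two sample vendors are all constructed assumptions for illustration; the point is that the questionnaire shrinks with the risk tier, questions that do not apply (a network diagram for a vendor with no private network) are never asked, a free-text or bare Yes/No answer is rejected, and every insufficient control becomes a tracked item with a target date and a stated piece of closing evidence rather than a go/no-go verdict.

```python
"""Vendor risk model: categorize, tailor the assessment, track remediation.

Added illustration, not ComplianceShield code. Tier rules, questions,
sample vendors and dates below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

TIER_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Vendor:
    name: str
    processes_pii: bool = False           # could trigger breach notification
    critical_it_service: bool = False     # e.g. hosting, managed IT
    environmental_controls: bool = False  # e.g. HVAC / cold-chain monitoring
    has_private_network: bool = True


def risk_tier(v: Vendor) -> str:
    """Risk Categorization Standard (assumed rules): attributes -> Low/Medium/High."""
    if v.critical_it_service or v.environmental_controls:
        return "High"       # critical services always sit at the top of the list
    if v.processes_pii:
        return "Medium"
    return "Low"


@dataclass
class Question:
    qid: str
    text: str
    min_tier: str                       # asked of vendors at this tier or above
    answers: tuple                      # defined answer set, weakest -> strongest
    acceptable_from: int                # index of the first sufficient answer
    applies: Callable[[Vendor], bool]   # skip questions that make no sense here


# Constructed question bank; answer sets replace bare Yes/No responses.
QUESTION_BANK = [
    Question("POL", "Information security policies", "Low",
             ("none", "drafted", "approved", "approved and reviewed annually"),
             2, lambda v: True),
    Question("BRN", "Breach notification process", "Low",
             ("none", "documented", "documented and tested"),
             2, lambda v: v.processes_pii),
    Question("DRP", "Disaster recovery plan", "Medium",
             ("none", "drafted", "adopted", "adopted and tested"),
             3, lambda v: True),
    Question("NET", "Network diagram", "High",
             ("none", "outdated", "current"),
             2, lambda v: v.has_private_network),
]


def questionnaire(v: Vendor) -> list:
    """Only questions at or below the vendor's tier that actually apply to it."""
    tier = TIER_RANK[risk_tier(v)]
    return [q for q in QUESTION_BANK
            if TIER_RANK[q.min_tier] <= tier and q.applies(v)]


@dataclass
class RemediationItem:
    control: str
    target_date: date
    completion_evidence: str   # what evidence marks the item "complete"
    completed: bool = False


def assess(v: Vendor, responses: dict, today: date, days_to_fix: int = 90) -> list:
    """Score each response against its answer set; insufficient ones become items."""
    items = []
    for q in questionnaire(v):
        answer = responses.get(q.qid)
        if answer not in q.answers:
            raise ValueError(f"{v.name}: {q.qid} needs one of {q.answers}, got {answer!r}")
        if q.answers.index(answer) < q.acceptable_from:
            items.append(RemediationItem(
                control=q.qid,
                target_date=today + timedelta(days=days_to_fix),
                completion_evidence=(f"Evidence that {q.text.lower()} is "
                                     f"'{q.answers[q.acceptable_from]}'"),
            ))
    return items


def vendor_status(items: list, today: date) -> str:
    """Not a go/no-go: open items mean 'Under Remediation', late ones 'Overdue'."""
    open_items = [i for i in items if not i.completed]
    if not open_items:
        return "Compliant"
    if any(i.target_date < today for i in open_items):
        return "Overdue"
    return "Under Remediation"


# Constructed sample vendors and assessment date.
TODAY = date(2024, 9, 1)
MAILER = Vendor("Mailing Service Co", has_private_network=False)
EHR = Vendor("Records Hosting Inc", processes_pii=True, critical_it_service=True)

if __name__ == "__main__":
    for v in (MAILER, EHR):
        print(v.name, risk_tier(v), [q.qid for q in questionnaire(v)])
    items = assess(EHR, {"POL": "drafted", "BRN": "documented and tested",
                         "DRP": "adopted", "NET": "current"}, TODAY)
    print(vendor_status(items, TODAY), [(i.control, i.target_date) for i in items])
```

Run stand-alone, the mailing vendor is categorized Low and receives a single policy question, while the records host is High and receives all four; its "drafted" policies and "adopted" but untested DR plan become two tracked items due in 90 days, and the vendor is tagged "Under Remediation" rather than cut off. The same status function turns the tag into "Overdue" once a target date passes and into "Compliant" when the items are closed, which is the tracking that becomes unmanageable by hand at hundreds of vendors.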
A Continuous Vendor Risk Management Process
Vendor Cyber Risk Management is now part of every major cyber security framework. (ISO 27002, HIPAA, PCI-DSS, FTC, NYS-DFS, CMMC, etc.) This implies that controls for third party risk management should not be treated as a one-off event. In fact, some vendor remediation efforts take so long that the Vendor is up for renewal before the previous assessment is complete!
Lesson Learned: To effectively integrate third-party risk management into your cyber program, Vendor Risk Management needs to be an ongoing part of cyber governance. This implies that the critical steps of Identification, Assessment and Remediation are part of your internal control framework.
Need to build an effective third-party risk management program? ComplianceShield has everything you need in a single, integrated package. Vendor Risk Management Policies, Vendor Assessment Library, Vendor Cyber Risk Scoring and Vendor Risk Management Automation. Get a demo today.