Vendor Risk Assessment Using ComplianceShield
Today, most security vendor risk assessment programs are done using spreadsheets. The Company (typically a large bank, healthcare organization or retailer) must assess the security posture of their vendor. To start, the Company creates a series of assessment questions that are stored in a spreadsheet. The questions are often home-grown (developed by internal staff) or exported from a Governance Risk and Compliance (GRC) tool. The questions take different formats, with different options for answers and sometimes requests for evidence to support the answers. One thing is certain: the assessment that the vendor receives from Company A will not be the same as the one from Company B.
Once complete, the spreadsheets are then distributed manually (via email) to the Vendors. From that point, it is up to the Vendors to determine exactly what is being asked in each question. In many cases, these vendors have no information security experience in house. (For example, they have no good way to determine what a “penetration test” even is – let alone if they need one or have already done one.) This typically sets off a process that takes many months, as the Vendor tries to determine how best to answer the assessment while determining what needs to be done to answer “yes” for as many questions as possible.
Once the Vendor starts the process of developing their answers, they must then submit the “evidence” to the Company. In many cases, the evidence material is distributed via email over the internet without any security or protection. Once all of the evidence has been submitted, all of the files must be correlated by hand back at the Company who requested the information. Each piece of evidence must be tied back to the vendor and the individual control being assessed.
This process must be repeated hundreds or even thousands of times, and then repeated annually for some high-risk vendors. In some cases, the entire process takes up to 8 months.
A Better Approach
Imagine a different process. The same Company has an account with ComplianceShield. To start the process, rather than creating their own spreadsheet, they simply select from a series of Baseline Templates that have been created by information security specialists. Unlike home-grown spreadsheets, these Baseline Templates not only contain assessment questions, but provide a mechanism for Vendors to automatically answer the questions in a standard format. (For example, ACME Financial Services selects the “Low Vendor Risk” Baseline Template.)
Now, instead of sending spreadsheets out via email, the Company instead clicks a single button “inviting” the Vendor to register for ComplianceShield. The Vendor responds and is given the option to “adopt” the Baseline Template sent by the Company. This Baseline then becomes the “target security posture” for the Vendor. As part of the registration process, the Vendor can elect to give the Company read-only access to its reports and data.
From this point forward, ComplianceShield provides a set of tools and templates to help the Vendor organization actually build, document and implement a robust security program. For example, ComplianceShield contains a library of pre-written information security policy templates that the Vendor can use to create and update security policies. The program also has a library of Security Awareness Training that can be used to quickly train employees.
ComplianceShield is designed to help Vendors produce evidence of compliance in a standardized, repeatable process. Rather than answering the same control question multiple times, the Vendor provides a single response that is used for all Companies. In addition, all of the evidence is transmitted from the Vendor to the Company using encryption.
As the security program progresses, the Vendor can record and measure their progress along the way. Vendors who become “stuck” on a question or issue simply engage one of the Virtual CSOs that are part of the ComplianceShield system. Using ComplianceShield, the Vendor can dramatically reduce the time it takes to understand, implement and document their information security program.
Managing the Vendor Risk Portfolio
As each Vendor progresses on their information security program, the Company gets a real-time view into the progress of each vendor. A single report shows how far each Vendor has progressed, including the Cyber Risk Score of each vendor. Vendors who are stuck or have taken no action are easily identified. To view evidence, the Company merely clicks on the Vendor within a report and can view the list of Evidence produced. All of this exchange of information happens securely and in real time over the web. Better yet, the format and types of answers are standardized across all of the Vendors.
At this point, the process can be reviewed and updated as needed. There is no need to send more spreadsheets the next year and get a different set of answers.
Benefits for Companies
As this process evolves, the Company has transformed its vendor risk management program from a manual, reactive process to an automated, active approach. All of the time and effort wasted on building, sending and collecting spreadsheets can be focused on true portfolio management.
Benefits for Vendors
For Vendors, once they have answered a Control Question once in ComplianceShield, it is automatically answered for all other Companies using the system. For example, a vendor must respond that they have Access Control in place on key systems, and that all Access is approved. Evidence (for example, the Access Control Policy) is submitted and tied directly to the Control. From this point forward, all Company assessments are automatically updated with the new evidence.
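The two ideas above, one stored answer per control that every Company assessment reads from, and a portfolio report that flags vendors who are stuck or have taken no action, can be shown in a few lines. The following is an added illustration written for this page, not ComplianceShield's own code or data model; the baseline contents, control identifiers, vendor names, evidence digests and the "stuck"/"no action" rules are all constructed assumptions, and the completion percentage is a simple evidence-backed-controls ratio, not the product's Cyber Risk Score.

```python
from dataclasses import dataclass, field


@dataclass
class Evidence:
    name: str
    sha256: str  # digest of the uploaded file; constructed placeholder values below


@dataclass
class ControlResponse:
    control_id: str
    answer: str  # "yes", "no" or "in_progress" (assumed answer vocabulary)
    evidence: list = field(default_factory=list)


@dataclass
class Vendor:
    name: str
    responses: dict = field(default_factory=dict)

    def answer_control(self, control_id, answer, evidence=()):
        # One stored response per control; every Company assessment reads from here,
        # so updating it here updates every assessment that references the control.
        self.responses[control_id] = ControlResponse(control_id, answer, list(evidence))


# Hypothetical Baseline Templates: each is the list of controls a Company requires.
BASELINES = {
    "Low Vendor Risk": ["AC-1", "AT-1", "IR-1"],
    "High Vendor Risk": ["AC-1", "AC-2", "AT-1", "IR-1", "CA-8"],
}


@dataclass
class Assessment:
    company: str
    vendor: Vendor
    baseline: str

    def view(self):
        """The Company's view: each baseline control with the vendor's single stored answer."""
        rows = []
        for cid in BASELINES[self.baseline]:
            resp = self.vendor.responses.get(cid)
            if resp is None:
                rows.append((cid, "unanswered", []))
            else:
                rows.append((cid, resp.answer, [e.name for e in resp.evidence]))
        return rows

    def completion(self):
        """Percent of baseline controls answered 'yes' with at least one piece of evidence."""
        controls = BASELINES[self.baseline]
        done = 0
        for cid in controls:
            resp = self.vendor.responses.get(cid)
            if resp is not None and resp.answer == "yes" and resp.evidence:
                done += 1
        return round(100 * done / len(controls))


def vendor_status(vendor):
    # Assumed rules: no responses at all means no action; any in-progress answer means stuck.
    if not vendor.responses:
        return "no action"
    if any(r.answer == "in_progress" for r in vendor.responses.values()):
        return "stuck"
    return "active"


def portfolio_report(assessments):
    """One row per Company/Vendor pair, the single report the text describes."""
    return [
        {
            "company": a.company,
            "vendor": a.vendor.name,
            "baseline": a.baseline,
            "completion_pct": a.completion(),
            "status": vendor_status(a.vendor),
        }
        for a in assessments
    ]


def build_sample():
    # Constructed sample data: one vendor assessed by two Companies, one idle vendor.
    acme = Vendor("Acme Widgets")
    acme.answer_control("AC-1", "yes", [Evidence("Access Control Policy.pdf", "<sha256 placeholder>")])
    acme.answer_control("AT-1", "in_progress")
    idle = Vendor("Idle Corp")
    return [
        Assessment("ACME Financial Services", acme, "Low Vendor Risk"),
        Assessment("Company B", acme, "High Vendor Risk"),
        Assessment("ACME Financial Services", idle, "Low Vendor Risk"),
    ]


if __name__ == "__main__":
    for row in portfolio_report(build_sample()):
        print(row)
```

Because both of Acme's assessments point at the same `Vendor.responses` dictionary, attaching new evidence to a control once is immediately visible in every Company's `view()`, which is the reuse the section describes.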
Using ComplianceShield for the vendor assessment process removes the hours and hours of manual work spent answering questions and frees that time up to actually work on improving the information security program.
Try it FREE
Request a Free Trial Now and begin to save thousands of dollars on your vendor risk management program.