The vendor risk assessment is getting significant importance in today’s cyber security world. Vendor Risk Management (VRM) is the process to ensure the organization that their vendors does not create any loss to the business in any form (like financial loss, reputation loss, data loss etc.). This article describes the challenges faced during vendor risk assessment life cycle specific to the vendors and references based on ISO 27001 standards.
Why to implement vendor risk assessment?
One of the major problem areas of enterprise risk management is risk associated with vendor. Managing huge number of vendors and any other third-party relationships is difficult for any organization.
Many organizations are trying to reduce costs by outsourcing critical and non-critical processes and systems containing business related data. So more sensitive data is being processed and stored with third parties and the protection of such data is becoming a challenge for information security groups. For example, if you have outsourced the payroll service of your employees, there are chances that the supplier may know not only about your company processes but also have access to your confidential data like PII of employees. Hence the new 2013 revision of ISO 27001 has dedicated a section of Annex A related to vendor risk management.
Supplier relationship management based on ISO 27001: 2013 Standard
The following controls of ISO 27001: 2013 standard refer to the Supplier relationship management:
15.1.1 Information Security policy for Supplier relationships
The Information Security policy of the organization should address the processes and procedures to be implemented by the organization to mitigate the risks associated with the vendor such as defining types of vendors, documenting types of information access to different vendor etc.
15.1.2 Addressing Security within supplier agreements
Contractual agreements between the suppliers and the organizations should be documented to ensure that there will not be any misconceptions in future. For example, the organization may include legal and regulatory requirements, 'right to audit' clause, Terms & Conditions etc., in the contractual agreement.
15.1.3 Information and communication technology supply chain
Agreements with supplier should include requirements to address information security risks associated with Information and communication technology services such as monitoring process, defining rules for sharing information etc.
15.2.1 Monitoring and review of supplier services
The organization should monitor , review and conduct audits on supplier services at regular intervals to ensure that supplier is adhere to the terms and conditions as per the agreement. This can be achieved by monitoring performance level of the supplier services and by reviewing the internal audit trials of the supplier.
15.2.2 Managing changes to supplier services
Changes in supplier services such as updation of information security policy, use of new technologies/tools, changes to physical location, improvised services etc., should be managed by the organization.
Challenges during vendor risk assessment process
This section describes list of challenges during third party vendor assessment process.
Based on this assessment results, the organization can conclude that the supplier is compliant or non- compliant. The third party vendor may range from small size to large service providers. It is observed that the information security is not matured with small size enterprise and more specifically a vendor with single or double digit employee strength.
The small size vendors may not have appropriate policy and procedure documents. In addition to this the policy, procedure and standards documents may not be in standard formats. For medium and large scale vendors, multiple line of business units need to be involved during the assessment process, Non availability of functional or technology manager from different line of business may consume more time to complete vendor risk assessment process.
In some cases, the enterprise may have few documents that may contains entire information security policy and procedures to cover broader area of an enterprise. The policy and procedure documents may be old and not reviewed periodically and updated to address current threats.
When the vendor risk assessor performs the third party vendor risk assessment remotely, in certain cases, the vendors are reluctant to share their policy documents as an evidence and the assessor need to ensure that a Non-Disclosure Agreement (NDA) is signed with the third party vendor to be assessed due to confidential information involved during the assessment process.
As the business threats are constantly changing and during the assessment, the assessor need to spend long time with third party vendors as some vendors may not have reached maturity level of current information security and understands the current threats and it is especially true with small sized enterprise.
The third party vendor risk assessor would identify the gaps in the document process and operational process and advise the third party vendor to meet required complaint. Due to this 2 reason, the challenges discussed in the above section delays the completion of the third party vendor risk assessment.
Authored by Swetha Kopalle and Sumana Singaraju