
How to Fine-Tune Vendor Risk Management in a Virtual World

Without on-site audits, many organizations lack their usual visibility to assess risk factors and validate contracts and SLAs with providers.

Vendor risk management is nothing new to most security and privacy professionals. Programs for managing vendors are typically well-established and have run like clockwork for quite some time — with many firms requiring their critical vendors to allow access for periodic on-site assessments of privacy, security, and other controls. But as with so many things this year, the coronavirus pandemic has brought well-oiled vendor risk management processes to a screeching halt. Now, without the ability to conduct on-site audits, many organizations lack their usual visibility to assess risk factors and validate whether their providers are doing all they have agreed to in their contracts and service-level agreements (SLAs). 

This is particularly concerning given that vendors and third-party providers are a prime source of security, privacy, and compliance breaches. Risk Based Security reported that the incidence of breaches "involving companies handling sensitive data for business partners and other clients" rose by 35% from 2017 to 2019 and exposed 4.8 billion records last year.


Security and privacy professionals are well aware of the potential for exposure among their outside partners, which is why most follow the best practice of ranking their vendors on a hierarchy spanning low risk to high risk, with close attention, auditing, and on-site visits paid to the highest risk vendors. Even without on-site access, organizations still face the same risk management and regulatory obligations to monitor and ensure third parties are protecting their information. But obtaining a high level of assurance without seeing items firsthand is tricky. Organizations must now take their previous assessment plans and modify the testing steps to enable virtual assessments.

Here are some key considerations for making those adjustments. 

Start With a Review of Risk Rankings for All Third Parties
This review will help determine whether any vendor's ranking has changed as a result of the pandemic. Have any vendors missed SLA obligations? If so, a safe bet is to increase their risk rating until there is visibility into the root causes of those slips in service. This step also includes examining the countries in which each vendor operates and how those countries have been affected by the events of this year. It may require engaging the internal stakeholders who represent the user group to understand any service disruptions they have seen.

Update Previous Assessment Criteria
Updates will focus on additional or elevated risks that may have been introduced by remote workers at your organization, or by your vendors' remote workers. Work-from-home conditions and supply chain impacts are two areas that should be looked at closely in today's risk assessments. For work-from-home conditions, focus on the measures the third party has put in place to ensure a secure remote environment, including training on protecting sensitive information and security requirements for connecting to the network. Vendor resiliency — i.e., what third parties have done to stabilize their operations during the pandemic and what lessons they've learned along the way — should also be added to the assessment criteria.

Leverage Existing and Past Reports
Reports from SOC 2 and other audits will help you understand where to focus scrutiny during assessments. Likewise, if you completed an assessment of a vendor within the past couple of years, it is likely that many of the controls observed then are still in place. While this does not remove the need to test the controls, it can provide a higher level of assurance for controls that can't be validated remotely.

Use Collaboration Tools
Collaboration tools will let you verify controls and see how training systems are managed and tracked. Live demos of key systems and video tours of critical areas and materials can provide sufficient alternatives to in-person visits. Ask your vendor for insight into its change management tools, including ticketing systems, and use secure portals for sharing policy documents and evidence, so you can gain a more comprehensive picture of the vendor's internal procedures.

Establish Ongoing Monitoring for Key Service and Compliance Metrics
Pay close attention to red flags, including missed SLAs, data breaches, and any gaps in vendors' business continuity.

Increase Sample Sizes
It's especially useful to look at broader time frames for higher-risk areas. This helps ensure the process or control being evaluated has been in place and has been operating effectively and consistently for an extended duration — particularly during the pandemic.

Someday, we'll return to a version of life as we knew it, and in-person visits will resume. But until then, remember that the risk of a business or vendor failure is higher in our current environment than it is in typical circumstances. Organizations need a contingency plan for various scenarios, including exposure due to third-party actions (or inactions) and the event that a high-risk third party fails. Be ahead of and prepared for these scenarios by establishing strong incident response, developing plans for moving systems in-house or to alternate providers as needed, and maintaining continuity for ongoing and robust risk assessments.

Ryan Smyth, Managing Director, FTI Technology. Ryan Smyth is a Managing Director in FTI Consulting's Technology segment. He advises clients on a wide range of regulatory and compliance issues, with a specific focus on privacy, information security, data governance and business ...
