Vendor Risk Management: Ten Frequently Asked Questions

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12
Next Next

Timing

How long does it take to implement a VRM program?

This, of course, is variable. The first step you'll want to take when developing a vendor risk management program is to create a strategy. Once you have that in place, you can determine which method(s) you'll use to monitor your vendors' security positions. You have to determine which of your vendors present the most risk — in other words, which vendors have access to the most sensitive data — so that you can prioritize which vendors need monitoring based on level of risk. If you have a thousand vendors, but only 10 have access to your network or other sensitive information, you're going to want to know that.

This process, albeit critical, isn't easy or fast. If you're the person tasked with creating a list of these vendors, you'll have to first find the lists (keeping in mind that there are probably many lists throughout the organization), and then figure out how important each one is. You typically base this on conversations with different departments, or by researching what the vendor is actually doing for you. This process could take weeks or months.

After you've created your strategy, you'll need to review your existing contracts. This is a very lengthy process — it can also take weeks or months. Questionnaires can take a large chunk of time as well — you have to develop one (which can be done in-house, through a consultant, or via an option like Shared Assessments), send it to your vendor, give them time to fill it out, and then review it. Once you've sent it to your vendor, you can give them a time frame for completion, for example two weeks or two months.

As cyber threats become more sophisticated and complex, businesses need not only to ensure they are secure, but that their vital partners, suppliers and vendors are protecting themselves as well. According to the 2015 Verizon DBIR, 70 percent of observed cyber attacks involved a secondary victim. To avoid being blindsided, organizations are beginning to monitor the security of their third parties to reduce the likelihood of a data breach.

Gartner estimates that around 10 percent of companies have formalized IT risk management programs, but that the figure will grow to 40 percent by 2018. If you're just beginning to implement a vendor risk management (VRM) program, BitSight Technologies has identified 10 frequently asked questions to help you get started.

 

Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

 
More Slideshows

Security117-190x128.jpg 5 Steps to Protect Executives from a Whale-Phishing Attack

Whaling is a type of spearphishing targeting "big fish" in an organization with access to sensitive, highly-valuable information. ...  More >>

Security116-190x128.jpg 5 Common Failures Companies Make Regarding Data Breaches

Five common failures companies make when preparing for, and responding to, a data breach, as well as guidance for companies on how they can tackle these issues. ...  More >>

Security115-290x195 Data-Centric Approach Starves Data-Hungry Cybercriminals

Incorporating security capabilities such as encryption, better control and management and a data security framework will help alleviate the burden breaches place on the organization and people's lives. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.