Vendor Risk Management (VRM), also referred to as Supply Chain Risk Management (SCRM), is the process of identifying and managing the risk that third-party products and services introduce into your organization. VRM aims to ensure that outsourcing key business functions, such as IT, does not result in disruption of business operations. As organizations continue to move into the cloud and rely on outside partners for key functions, they must understand and manage the risks those external entities pose.
The concept of a VRM program is not new, but it continues to be a challenge for almost all organizations. Managing the supply chain becomes harder as the organization grows, becomes more complex, and comes to depend on outside vendors as a necessity rather than a convenience. As both complexity and dependence grow, managing the risk vendors pose becomes more important, not less. Depending on your organization, the impact of a vendor event can range from minimal to catastrophic.
Not an Exact Science
Even with the most stringent VRM program, you cannot prevent every risk that a vendor poses to your organization. Case in point: SolarWinds. Most readers will have heard of the SolarWinds breach and the media frenzy that followed, but for those who have not, here is a short synopsis.
SolarWinds is a technology company that sells network monitoring software; the product involved was its Orion platform. In December 2020 it was discovered that attackers had compromised SolarWinds' software build environment, with evidence of access dating back to 2019, and had inserted a backdoor into Orion updates that were then digitally signed by SolarWinds and distributed to its customers through the normal update channel. In this situation, not only was SolarWinds compromised but so were many of SolarWinds' customers: the backdoored update reached thousands of organizations, and a smaller number of those were then targeted for follow-on intrusion. The list of affected customers is extensive and includes Fortune 100 companies and US Government agencies. What does VRM have to do with the SolarWinds breach? Many, if not all, of these organizations likely had a VRM program in place and were affected anyway, so a VRM program alone cannot prevent all risk from third-party vendors. VRM cannot completely remediate vendor risk, but when it is combined with other security tools, processes, and procedures, it can significantly reduce that risk. In the case of SolarWinds, the malicious code arrived in a legitimately signed update from a trusted vendor, so no questionnaire, SOC report, or contract clause would have caught it; what limited the damage for affected organizations was the controls layered on top of VRM, such as segmenting management systems like monitoring servers from the rest of the network and watching their outbound traffic for connections they have no business making.
The Key to VRM
Implementing a VRM program is not as simple as asking vendors a few questions and writing new processes and procedures. Depending on the size of the organization and the number of third-party vendors, a VRM program can be quite an undertaking. Below are a few items that may help you implement one.
- Develop a policy
  - As with everything in security, a good VRM program begins with a policy to guide the program.
  - This policy is a high-level guide for your VRM program: who owns it, which vendors are in scope, and how vendor risk will be assessed and accepted.
- Implement a Vendor Selection Process
  - Thoroughly vetting each vendor is critical to a VRM program. This is essentially weeding out the vendors that do not meet the security standards of your organization.
  - During this stage, an RFP may be issued.
  - Vendor comparison and proofs of concept take place at this stage.
  - A risk assessment of the chosen vendor should be complete before the contract is signed, not after.
- Establish Contractual Standards. Contracts should:
  - Clearly define the scope of services provided by the vendor.
  - Clearly define Service Level Agreements (SLAs).
  - Clearly define communication expectations for security incidents and data breaches, including how quickly the vendor must notify you and through which contact.
- Periodic Due Diligence: reviewing your existing vendors
  - Simply by establishing a VRM program you have taken the first step toward due diligence.
  - Make a list of vendors, including points of contact, the data and systems each vendor can access, and contract expiry dates.
  - Review vendor financial statements when they are released. Poor financial statements tell a story.
  - Request and review vendor SOC reports, and follow up on any exceptions the auditor noted.
  - Complete annual risk assessments.
- Internal Risk Management and Audit Process
  - Perform your own risk assessment and include your vendors in that assessment.
- Leadership acceptance
  - Leadership must understand the need for the VRM program and its importance to the organization.
  - Leadership must also understand that the vendor selection process is neither quick nor simple.
Vendor Management - Conclusion
VRM programs are not a fail-safe against a compromise or breach. That is why we stress the importance of combining your VRM program with other security tools, processes, and procedures to reduce your risk. What a VRM program does give you is visibility into the risk each external vendor carries and, through your contractual standards, a way to hold vendors accountable should an event occur. Cybercriminals are only getting more advanced as time goes on, so we must always work to stay one step ahead of them.
Written by Nathan Rice
Nate has fifteen years of IT experience spanning a variety of domains with a focus on defensive security. Nate currently holds the following certifications: CEH, CompTIA Security+ and CompTIA A+. Prior to TechGuard Security, Nate was a Senior IT Security Engineer at a Fortune 100 organization. As a Security Engineer, Nate focused on new technology integration and implementation. Along with a variety of application administration roles in security operations, his past project work includes the implementation of a DLP program, a Single Sign-On program and Multifactor Authentication. At TechGuard Security, Nate conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Nate's focus is on customer service and support, as well as providing customer solutions to complex IT security challenges. When not working or studying, Nate enjoys being outdoors and spending time with his wife and kids.