Vendor Risk Assessment: The Definitive Guide

Conducting a vendor risk assessment before onboarding a new vendor or granting a third party access to critical business systems is essential to maintaining your cybersecurity posture.


Vendor risk assessments are a critical component of third-party risk management programs. When you use third-party solutions and services, you should understand the risks they can bring.

Your vendors’ risks are your own. These risks may relate to cybersecurity, compliance, operations, finance, or reputation. Conducting assessments can help you to reveal and remediate these risks throughout the vendor lifecycle.

Vendor risk assessments let your organization proactively identify and mitigate third-party risks to be better prepared when incidents do occur. Well-managed assessments strengthen vendor relationships, demonstrate proper due diligence to regulators, and shed light on best-practice security controls.

In this Article
  1. What Is a Vendor Risk Assessment?
  2. Why Vendor Risk Assessments Matter
  3. What Are the Different Types of Vendor Risk?
  4. How Do You Score Vendor Risk?
  5. How to Conduct a Vendor Risk Assessment: Step-by-Step
  6. How to Launch a Vendor Risk Assessment Program
  7. Next Steps
  8. Frequently Asked Questions

What Is a Vendor Risk Assessment?

A vendor risk assessment is a process companies use to evaluate potential risks when working with third parties such as vendors, suppliers, contractors, or other business partners. It involves assessing risks during different stages of the vendor lifecycle, from sourcing and selection to offboarding and termination.

An assessment typically involves collecting information about a vendor's security and privacy controls, financial and operational data, and policies, usually through questionnaires. Identified risks are then rated by severity, likelihood, and other factors. Assessment results are commonly mapped to regulatory requirements, compliance standards, and security frameworks such as ISO and NIST.

At different stages of the vendor management lifecycle, vendor risk assessments focus on a variety of factors, including:

  • During onboarding, as due diligence to gauge inherent risk before granting access to critical systems and data
  • Periodically, to check service-level agreements, evaluate contract compliance, or satisfy audit requirements
  • During offboarding, to ensure that system access is terminated and that data is protected or destroyed as required
  • During incident response, to determine the potential scope and impact of a security breach

Why Vendor Risk Assessments Matter

Third-party incidents don’t stay third-party for long. Supply chain disruptions, ransomware attacks, and vendor failures have repeatedly translated into operational breakdowns, regulatory scrutiny, and financial losses for the organizations downstream. Organizations with mature third-party risk management programs are consistently better positioned to contain the damage, not because they prevent every incident, but because they’ve already mapped the exposure.

Implementing third-party risk assessment workflows that focus on operational risks, business continuity, and security risks enables your organization to streamline procurement processes, improve supply chain resilience, and satisfy compliance audits. What’s more, the cost to build and maintain a strategic third-party assessment practice is far less than the potential damage high-risk vendors can cause.

What Are the Different Types of Vendor Risk?

There are three primary types of risk when dealing with third parties: profiled risk, inherent risk, and residual risk. Here is a brief breakdown of the three:

  • Profiled Risk relates directly to the vendor’s relationship with your organization. Certain vendors pose more risk. For example, a credit card processing company likely poses more risk to your organization than a digital advertising agency. Vendors with a higher level of profiled risk require extra scrutiny during vendor selection.
  • Inherent Risks refer to risks that the vendor poses due to its own information security, operational, financial, and other business practices prior to implementing any controls required by your organization. Determining a potential vendor’s inherent risk score requires a combination of detailed vendor assessment questionnaires and external threat monitoring.
  • Residual Risk is the level of leftover risk once the organization in question has implemented your organization’s mandatory controls. Residual risk can never be eliminated, but it can be brought to a level that the organization deems acceptable.

How Do You Score Vendor Risk?

The basic calculation for scoring vendor risk is Likelihood x Impact = Risk. For example, let’s say a hospital vendor is processing large amounts of protected health information (PHI) but does not comply with HIPAA. Under HIPAA, this vendor would be classified as a business associate and fall under the same regulatory scrutiny as the healthcare provider.

In this case, the impact is a large fine to both the healthcare provider and the business associate (major or severe), and the likelihood that regulators will discover the non-compliance is high, making this an unacceptable risk for any healthcare organization.

Figure: Vendor risk matrix

The example above highlights the importance of conducting a comprehensive vendor risk assessment. This matters even more for organizations that handle large volumes of sensitive data, such as government contractors and healthcare providers. In many cases, regulations such as HIPAA hold the primary organization accountable for its vendors' violations.

How to Conduct a Vendor Risk Assessment: Step-by-Step

  1. Assemble Internal Stakeholders

    The most successful vendor risk assessment programs are cross-functional. Stakeholders across the organization bring different priorities to the process, and all of them matter:

    Role and example priorities:

    • Risk Management: Align vendor assessments with the broader organizational risk management program and integrate third-party risk data with GRC platforms.
    • Procurement: Source low-risk vendors, perform pre-contract due diligence, evaluate vendor performance, and ensure contractual obligations are met.
    • Security and IT: Identify, analyze, and remediate cybersecurity risks related to third parties.
    • Audit and Compliance: Understand and report on vendor risk against government regulations and industry frameworks.
    • Data Privacy: Determine which vendors process private data, conduct privacy impact assessments, and report against privacy compliance requirements.

    Assembling a cross-functional team to plan and guide your assessment program will help to ensure its organizational adoption and long-term success.

  2. Determine Your Acceptable Level of Residual Risk

    In a perfect world, risk could be eliminated entirely. Unfortunately, when working with any third party, there will always be some element of risk. Before assessing potential vendors for a project, you need to define what level of risk is acceptable. This can make vendor selection and the entire third-party risk management process faster, more efficient, and more uniform.

    This enables you to easily identify vendors that clearly won’t meet your business objectives and risk tolerance. In addition, it can help clarify which controls you need to require of vendors before working with them.

  3. Build Your Vendor Risk Assessment Process

    Implement a process with standardized controls and requirements. That said, there is no one-size-fits-all approach to vendor risk assessment. Different vendors expose your business to different levels of risk, depending on factors such as:

    • Their importance to your supply chain, particularly if they are single-source or sole-source suppliers.
    • Their access to sensitive data, such as personally identifiable information (PII), protected health information (PHI), or commercially sensitive information (CSI).
    • Their susceptibility to disruptions such as natural disasters or geopolitical conflict.

    Begin with an internal profiling and tiering assessment to categorize your vendors and determine the type, scope, and frequency of assessment needed for each group. For instance, vendors critical to your business and with high-risk potential (e.g., accounting firms or sole-source suppliers) require more thorough due diligence than those with lower-risk profiles (e.g., advertising firms).

    Developing a structured process for each vendor category improves the efficiency of your third-party risk management program and helps you make better risk-based decisions about vendor relationships.
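    To make the scoring formula from the section above (Likelihood x Impact = Risk), the acceptable-residual-risk threshold from step 2, and the tiering described in this step concrete, here is a small Python script. It is an added example written for this article, not code from the article's author or from Mitratech. The 1-5 ordinal scales, the band thresholds, the tier rules, the sample vendors, and the mitigated-likelihood figures are all constructed assumptions; only the reassessment cadence per tier is taken from the FAQ at the end of the article.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales for the 5x5 matrix (assumed labels; scores range 1..25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk bands from least to most severe; thresholds are this example's assumption.
BAND_ORDER = ["acceptable", "elevated", "unacceptable"]

# Reassessment cadence per tier, in months, from the article's FAQ.
CADENCE_MONTHS = {"critical": 12, "high": 12, "medium": 24, "low": 36}


@dataclass
class Vendor:
    name: str
    likelihood: str                 # inherent likelihood (questionnaire + external monitoring)
    impact: str                     # impact if the risk materializes
    handles_sensitive_data: bool    # PII, PHI, or CSI access
    sole_source: bool               # single point of failure in the supply chain
    mitigated_likelihood: Optional[str] = None  # likelihood once your mandatory controls are in place


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x Impact = Risk, on the ordinal scales above."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_band(score: int) -> str:
    """Map a matrix score to a band (assumed thresholds: >=15 unacceptable, >=8 elevated)."""
    if score >= 15:
        return "unacceptable"
    if score >= 8:
        return "elevated"
    return "acceptable"


def profiled_tier(v: Vendor) -> str:
    """Profiled tier drives the scope and frequency of assessment (assumed rules)."""
    inherent = risk_band(risk_score(v.likelihood, v.impact))
    if v.sole_source or (v.handles_sensitive_data and inherent == "unacceptable"):
        return "critical"
    if v.handles_sensitive_data:
        return "high"
    if inherent == "elevated":
        return "medium"
    return "low"


def assess(v: Vendor, tolerance: str = "acceptable") -> dict:
    """Score inherent and residual risk and compare residual risk with the tolerance band."""
    inherent = risk_score(v.likelihood, v.impact)
    residual = risk_score(v.mitigated_likelihood or v.likelihood, v.impact)
    within = BAND_ORDER.index(risk_band(residual)) <= BAND_ORDER.index(tolerance)
    if within and v.mitigated_likelihood is None:
        decision = "approve"
    elif within:
        decision = "approve once mandatory controls are verified"
    else:
        decision = "reject or remediate before onboarding"
    tier = profiled_tier(v)
    return {
        "vendor": v.name,
        "inherent": inherent,
        "residual": residual,
        "residual_band": risk_band(residual),
        "tier": tier,
        "reassess_months": CADENCE_MONTHS[tier],
        "decision": decision,
    }


# Constructed sample vendors; the first mirrors the article's non-compliant PHI processor.
SAMPLE_VENDORS = [
    Vendor("PHI claims processor (not HIPAA compliant)", "likely", "severe", True, False, "unlikely"),
    Vendor("Digital advertising agency", "possible", "minor", False, False),
    Vendor("Sole-source component supplier", "possible", "major", False, True, "rare"),
]


def assess_all(vendors=SAMPLE_VENDORS, tolerance: str = "acceptable") -> list:
    return [assess(v, tolerance) for v in vendors]


if __name__ == "__main__":
    for report in assess_all():
        print(report)
```

    Running the script shows the PHI processor scoring 20 (unacceptable) and still landing in the elevated band after the assumed controls, so it is rejected against an "acceptable" tolerance; the advertising agency is approved outright as a low-tier vendor on a three-year cadence; and the sole-source supplier is tiered critical because of its supply-chain importance even though its residual score is acceptable once controls are verified. Raising the tolerance argument to "elevated" is how you would model a looser risk appetite agreed in step 2.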

  4. Send Vendor Risk Assessment Questionnaires

    The next step is to select and send a risk assessment questionnaire to each vendor or vendor category. Questionnaires offer a trust-based approach to gathering information about each vendor's internal controls. They can cover a range of topics, including information security practices, compliance requirements, financial stability, and fourth-party and Nth-party supplier data.

    Selecting a questionnaire: One of the biggest choices companies face when selecting questionnaires for their primary risk assessments is whether to use an industry-standard questionnaire, such as the Standard Information Gathering (SIG) questionnaire, or a proprietary questionnaire.

    In some cases, your third parties may already have an information security certification, such as CMMC or SOC 2. You may accept these certifications instead of requiring an assessment response or supplement them with proprietary and/or ad-hoc assessments to gather information about specific controls or potential risks outside of cybersecurity.

    Choosing a framework: Many organizations choose to employ frameworks when designing their vendor assessment questionnaires, such as the NIST Cybersecurity Framework, ISO 27001, and NIST 800-30, to ensure that questionnaires are standard across the supply chain and reflect best practices.

    If you require your suppliers to be compliant with specific regulations such as the GDPR or PCI DSS, it may be worth incorporating questions around those standards directly into your vendor risk management program.

  5. Complement Assessments with Continuous Risk Monitoring

    Cybersecurity vulnerabilities, supply chain challenges, and compliance requirements evolve continuously. Therefore, be sure to conduct continuous risk monitoring to catch any cyber, business, or reputational risks that arise between your periodic vendor assessments. You can also use risk data to verify that a third party’s assessment responses are consistent with their real-world business activities.

    Vendor data breaches, exposed credentials, and other cyber risks: Third-party data breaches, ransomware attacks, and other cyber incidents are constant and pervasive threats to organizations today. Therefore, conducting external monitoring of cybersecurity risks across your vendor ecosystem is critical.

    Key risks to look out for include:

    • Credential exposure
    • Data leaks and confirmed breach events
    • Web application misconfigurations and vulnerabilities
    • Typosquatting and other brand threats

    Supplier finances, business practices and reputation: While third-party breaches and cybersecurity incidents tend to monopolize the headlines, a supplier’s financial failure, operational disruptions, or bad press can have serious implications for your business. These “non-IT” risks also extend to environmental, social, and governance (ESG) challenges, like modern slavery, bribery/corruption, and consumer protection issues.

    Look for news coverage, financial information, and fourth-party relationships that may signal problems. Examine the vendor's business practices, raw material sourcing, and other key business processes that could affect your organization's reputation or ethics. In addition, ask for reference customers and partners who use the third party's products and services. Speaking with references gives you further insight into the third party's ability to deliver against service-level agreements (SLAs) and other contractual obligations.

    Selecting a Monitoring Strategy: From open-source intelligence to public websites, there is no shortage of places to find intelligence on your third parties. However, building a comprehensive and efficient monitoring program from scratch can be difficult. Many companies leverage automated vendor threat monitoring software for risk identification and scoring.

  6. Categorize and Remediate Risks

    Risks can be categorized as acceptable or unacceptable. Unacceptable risks must be remediated before working with the vendor. Remediation of third-party risk takes many forms: an organization may require a prospective vendor to obtain a security certification such as SOC 2, end a relationship with a fourth-party or Nth-party supplier, or change business practices that could lead to supply chain or other disruptions.

    In addition, organizations should have a third-party incident response strategy in the event that a vendor suffers a data breach or other disruption. Having a defined strategy for dealing with risks that materialize can dramatically cut down on the time it takes to mount an effective response and reduce disruption to your organization.

How to Launch a Vendor Risk Assessment Program

A common mistake companies make when launching an assessment program is relying on email and spreadsheets to do the work. Unless you work with only a handful of vendors, this manual approach to assessment can become a nightmare for auditors and vendors alike, while yielding almost no useful data.

If you’re looking to launch an assessment program, a great place to start is by subscribing to a vendor intelligence network, which offers access to a library of vendor risk reports based on standardized assessment data. Then, for increased customization and control, consider an automated vendor risk assessment solution that enables you to conduct and manage your assessment initiatives. Or, if you prefer a more hands-off approach, a managed service provider can conduct assessments on your behalf.

Frequently Asked Questions

What is a vendor risk assessment?
A vendor risk assessment is the process of evaluating the risks a third-party vendor poses across cybersecurity, financial, operational, and compliance dimensions. It is conducted at multiple points in the vendor lifecycle, not just at onboarding.

What is the difference between a vendor risk assessment and vendor due diligence?
Vendor due diligence is a one-time pre-contract evaluation. A vendor risk assessment is an ongoing process conducted at multiple stages of the vendor lifecycle. Due diligence establishes a baseline; vendor risk assessment maintains it.

How often should vendor risk assessments be conducted?
Critical and high-risk vendors should be assessed annually or after significant incidents. Medium-risk vendors typically require reassessment every one to two years, and low-risk vendors every two to three years or at contract renewal. Continuous monitoring supplements all periodic assessments.

What is a vendor risk assessment template?
A vendor risk assessment template is a standardized document for evaluating third-party risks consistently across all vendors. It typically includes sections for vendor information, risk categories, scoring criteria, and remediation tracking. Download Mitratech’s vendor risk assessment template to get started.

Ready to scale your vendor risk assessment program?

Learn how Mitratech can help

Book a demo