Vendor/Partner IT Risk Management
Organizations increasingly rely on hundreds, even thousands, of vendors, partners, outsourced service providers and other members of their business ecosystem in order to compete. Many of these vendors and partners have access to much of the same data that regular employees do. Sensitive and proprietary data is routinely transmitted, stored and processed across a wide range of vendor and partner networks, outside the reach of any one organization's internal controls and security policies.
The PCI DSS is perhaps the best-known partner risk assessment mandate today: it requires the entities it covers to manage the service providers that handle cardholder data on their behalf. Promulgated by the payment card brands rather than by a government, it is unprecedented in its global reach and is widely regarded as clearer in its requirements than many regulations.
Regulators also acknowledge the critical role vendors play and explicitly require that corporate control activities extend to vendors, outsourcers, contractors and consultants. Provisions for vendor risk assessment and oversight are mandated by SOX, GLBA and HIPAA, among others.
The Challenges
Vendor and partner assessments are typically performed using questionnaires and surveys, which are vendor self-attestations, supplemented with evidence from scanners and other security tool reports and by on-site audits. Challenges often arise because of:
- Too many teams asking questions – SOX, PCI and SAS 70 auditors can each require their own vendor assessments, so the same vendor is asked overlapping questions several times
- Lack of clarity in questions and requirements – especially given the sensitivities associated with risk assessment information passing between two organizations
- Manual processes that don't scale – to the hundreds or thousands of assessments often required; email, spreadsheets and Word documents cannot track status, enforce consistent answers or roll up results
The Solution
Agiliance IT-GRC 3.0 addresses these challenges by automating the process end to end: survey creation, workflow and progress monitoring, data consolidation and rollup, and adaptable reporting. Specific features include:
- Consolidated survey assessment questionnaires from various compliance teams
- Best practices and standards for efficient development of questionnaires, including the BITS Financial Institution Shared Assessments Program (FISAP) Standardized Information Gathering (SIG) questionnaire
- A web-based portal and a central collection database for efficient entry of information and centralized analysis and correlation
- Workflow monitoring from survey distribution to asset owners through progress tracking, reminders and management escalation when required
- Consistent, automated classification and risk and compliance scoring of vendor responses
- Context-specific questionnaire guidance and reference links
- Attachment of supporting evidence, reducing the need for on-site inspections
- Integration of data from automated testing of technical controls, if available
- Tracking and timely completion of remediation steps, if required
Benefits
- Timeliness and accuracy – assessments are completed in half the time and done right the first time.
- Scalability – organizations can at last assess all of their many vendors with no increase in staff.
- Consistent and actionable data – consistent risk scores allow organizations to compare vendors, verify performance against contract, and identify and prioritize follow-up with the vendors that present the highest risk.
- Need-based access to results – compliance managers, risk managers, business owners, etc. as well as vendors themselves receive the information they need to do their job.
- A holistic view – of the organization's risk and compliance status that integrates external vendor measurements with internal measurements.
- A win-win professional relationship with vendors – with a shared understanding of goals and of how to achieve and sustain compliance at the lowest cost for both parties.
