What Are Vendor Reviews?

What Are Vendor Risk Reviews?

A vendor risk review (a.k.a. risk assessment) helps you understand the risks that exist when using a vendor’s product or service. Performing a risk review is especially critical when the vendor will be handling a core business function, will have access to customer data, or will be interacting with your customers.

Vendor risk reviews are not only critical when bringing on a new vendor but are also needed to ensure that the vendor is maintaining expected quality standards without causing any risks to the company, investors or your customers.

The goals of a risk review are to:

  • Identify any risks the vendor will pose
  • Evaluate if the vendor is able to eliminate those risks
  • Monitor the risks that cannot be eliminated
  • Assess the extent that any outstanding risks may bring to the company
  • Determine if your company is willing to accept those risks

Risk assessments are typically a series of questions (or a risk matrix grid), and the answers to those questions result in an overall point value, which then identifies the vendor’s risk level. A common risk level breakdown is: Low, Medium and High.

When To Perform Vendor Risk Reviews

Initial Risk Review

Risk reviews should be introduced to vendors during the Request For Proposal (RFP) process. Depending on your current RFP process, you may be able to embed your risk review assessment into the RFP. The risk review should also be used to gauge the vendor’s ability to be accurate and timely with their responses, especially providing documents you request. Everything at this point should be monitored closely, as the vendor’s performance at this stage will likely have a strong correlation to future performance.

Red flags to look out for during the risk review that could remove the vendor from consideration:

  • Does not provide any processes for safeguarding confidential data
  • Does not perform risk assessments internally
  • Does not have a formal security policy
  • Does not perform security checks across all functionality
  • Does not have a disaster recovery/pandemic plan

Ongoing Risk Reviews

I have found that the best time to perform the risk review is 180 days prior to the renewal notification notice. This normally gives ample time to identify any changes to the vendor’s risk level and lets your company respond appropriately.

It has been my experience that you should allow 10 business days for the vendor to complete the review once it is sent. Once the review is back in-house, it should only take a few hours for the VMO to review and upload the data into a vendor management software system to identify the risk levels. At this point, you can also compare the current review to the vendor’s previous reviews and spot any trends.

How Often Should Ongoing Reviews Be Conducted?

Reviews should be performed according to the vendor’s current risk level, such as:

  • Low risk vendors: annually or bi-annually (every two years)
  • Medium risk vendors: semi-annually or annually
  • High risk vendors: quarterly or semi-annually

You may also review the vendor more frequently than normal if any of the following indicators exist:

  • The vendor has been in business less than 3 years
  • Items discovered in the last review need to be monitored
  • Vendor files bankruptcy
  • Vendor layoffs
  • Lawsuits that include the vendor
  • Negative press releases concerning the vendor
  • Lowered ratings by agencies (BBB, Fitch, S&P, Moody’s)
  • Increased vendor incidents or non-resolution of vendor incidents

Who Handles the Review?

The Vendor Management Office (VMO) should be in charge of managing the vendor risk review process. By its nature, the VMO should provide the most non-biased view of the vendor, which is critical since the vendor’s risk level classification will dictate how the vendor is managed throughout the relationship.

If the VMO finds any high-risk items on the assessment, it should engage the business owner and any other key parties. The result of this discussion is one of the following:

  • The decision maker accepts the high risk level, and the vendor risk review is considered complete
  • The decision maker does not sign off, in which case:
      • The VMO creates an incident for each question that is labeled high-risk
      • The VMO discusses the high-risk items with the vendor and formulates an action plan for the vendor to complete
      • Once those risks are mitigated, the VMO completes a new risk review to show the changes
      • The revised review is then brought back to the business owner for final sign-off

Base the Review on the Type of Vendor

It is best to create risk reviews based on the services the vendor performs; not every vendor should be subjected to the same review form. Always keep in mind the vendor size and the risk the vendor poses to your organisation — too many reviews could damage the relationship with the vendor.

Below are five common vendor types that can be used to help shape your risk review efforts:

  • Essential Services: the vendor handles customer data and customer interaction
  • Customer Facing: the vendor interacts with customers without handling customer data
  • Customer Data: the vendor handles customer data without customer interaction
  • Back Office: the vendor supports core services but has no customer interaction/data
  • Non-Essential: the vendor does not provide core services or core product

Risk Areas to Focus On

The list below shows the risk areas that your assessment may focus on, with the vendor types applicable to each area given in parentheses.

  • Security incident handling (all vendor types). A process for how the vendor handles incidents where security has been breached.
  • Environmental security (all vendor types). A safeguard to monitor and protect access to the vendor’s buildings and ensure the environment is monitored and secure, along with ensuring visitors are monitored while inside secure areas.
  • Organizational security (all vendor types). A process to ensure the vendor has a policy and program in place with a governance committee that oversees and audits all facets of security to protect the vendor and its clients.
  • Human Resource (HR) security (all vendor types). A procedure under which all employees and contractors are trained on how to handle customer information, how to safeguard it, and how to handle breaches of the procedure.
  • Pandemic readiness (all vendor types). A documented strategy for business continuity in the event of a widespread outbreak of disease that shows what support the vendor is able to provide during such an incident.
  • Disaster recovery (all vendor types). The process, policies and procedures for recovery or continuation of core technology infrastructure after a natural disaster.
  • Handling data, hard and soft copy (Essential Services & Customer Facing). A documented process that describes how to handle both electronic and paper files throughout the document’s lifecycle, including its destruction.
  • Customer interaction processes (Essential Services & Customer Facing). A defined process for how to interact with the customer that will meet the client’s expectations along with any regulatory guidelines that must be followed.
  • Physical security (all but Non-Essential). A procedure that defines the security of the building, both offices and data center, including how to handle visitors, access into buildings and surveillance.
  • Asset management (all but Non-Essential). A process for operating, maintaining, upgrading, and disposing of assets such as computer equipment, company phones or anything of value.
  • Communication (all but Non-Essential). Defines communication processes.
  • Access controls (all but Non-Essential). A defined process for selectively restricting access to the vendor’s computer systems, whether internal or remote.

Example of a Vendor Risk Questionnaire

Below is a sample risk review form. Please consider it a template that you can tweak to meet your specific needs.

Vendor Response & Risk Rating. Each row lists the vendor responses that map to the Low, Medium and High ratings; a dash means no response maps to that rating.

Risk Question | Low | Medium | High
Do you have an internal Risk Assessment program? | Yes | - | No
What is the frequency of performing Risk Assessments? | Yearly | > 1 year | Never
Does your company have procedures employed to ensure compliance with privacy laws/regulation requirements related to maintaining security, confidentiality and protection of customer data? | Yes | - | No
Is there a designated Information Security team within the organisation? | Yes | No | -
Does management require the use of confidentiality or non-disclosure agreements? | Yes | - | No
Is access to non-public information provided to external parties? | Yes | No | -
Is there an asset management policy? | Yes | - | No
Do all employees and contractors sign agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire? | Yes | - | No
Does the security awareness training include a test or a certification of completion? | Yes | - | No
Is there a documented termination or change of status policy that specifically identifies which departments to notify for removal of access to systems and the building? | Yes or N/A | No | -
Are visitors required to sign in, wear a visitor badge and have an employee escort them in the building at all times? | Yes | No | -
Are there badge readers at all entries into the business? | Yes | - | No
Are there printers in a non-secured area that are allowed to print non-public data? | Yes | - | No
Are operating procedures documented, maintained, and made available to all users who need them? | Yes | - | No
Are system changes performed in a test region? | Yes | No | -
Do third party vendors have access to Client’s non-public data (i.e. contractors, subcontractors, service providers, etc.)? | Yes | No | -
Are workstation scans scheduled daily? | Yes | No | -
Is there a Network Intrusion Detection/Prevention System? | Yes | - | No
If Instant Messaging is used, is communication limited and blocked to internal employees? | Yes or N/A | - | No
Do freeware or shareware applications require approval from security prior to installation? | Yes | No | -
Are inactive userID(s) deleted or disabled after a certain period of time? | Yes | No | -
Do all users have a unique userID when accessing applications? | Yes | - | No
How often are passwords reset? | 90 days | 90+ days | When user requests
Is there a policy to prohibit users from sharing passwords? | Yes | - | No
What is the limit of unsuccessful login attempts before the account is locked? | Up to 3 | Up to 6 | 6+
When upgrades are done, does the Client have full access to the system during this process? | Yes | - | No
Is there a documented Incident Response Plan? | Yes | - | No
Are the procedures tested at least annually? | Yes | - | No
Is there an organisational data protection and privacy policy? | Yes | - | No
Does your company have a compliance and ethics training program for all employees? | Yes | No | -
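The scoring described earlier (answers map to a rating, ratings roll up into an overall point value and a Low/Medium/High level), the review timeline (send 180 days before the renewal notice, allow 10 business days, repeat at the level’s cadence) and the trend comparison against a previous review can be put together in a small script. The code below is an added example, not code from the article or from any vendor management product. The answer key copies six questions from the sample form above verbatim; the point weights, the level thresholds, the exact cadence in days and the sample responses are assumptions, marked as such in the comments.

```python
"""Vendor risk questionnaire scoring and review scheduling (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed point weights per rating; the article says answers produce an
# overall point value but gives no numbers.
POINTS = {"Low": 1, "Medium": 2, "High": 3}

# Assumed thresholds on score / max_score for the overall level.
HIGH_THRESHOLD = 0.67
MEDIUM_THRESHOLD = 0.45

# Subset of the article's sample questionnaire: question -> {response: rating}.
ANSWER_KEY = {
    "Do you have an internal Risk Assessment program?":
        {"Yes": "Low", "No": "High"},
    "What is the frequency of performing Risk Assessments?":
        {"Yearly": "Low", "> 1 year": "Medium", "Never": "High"},
    "Is there a designated Information Security team within the organisation?":
        {"Yes": "Low", "No": "Medium"},
    "How often are passwords reset?":
        {"90 days": "Low", "90+ days": "Medium", "When user requests": "High"},
    "What is the limit of unsuccessful login attempts before the account is locked?":
        {"Up to 3": "Low", "Up to 6": "Medium", "6+": "High"},
    "Is there a documented Incident Response Plan?":
        {"Yes": "Low", "No": "High"},
}

# Review cadence by level. The article gives ranges (Low: annually or every two
# years, Medium: semi-annually or annually, High: quarterly or semi-annually);
# the shorter end of each range is assumed here.
CADENCE_DAYS = {"Low": 365, "Medium": 182, "High": 91}


@dataclass
class ReviewResult:
    score: int
    max_score: int
    level: str
    high_risk_items: list  # questions rated High; the VMO opens an incident for each


def rate_responses(responses):
    """Map each vendor response to its rating; reject answers not on the form."""
    ratings = {}
    for question, answer in responses.items():
        if question not in ANSWER_KEY:
            raise KeyError(f"question not on the form: {question}")
        if answer not in ANSWER_KEY[question]:
            raise ValueError(f"{answer!r} is not a valid response to: {question}")
        ratings[question] = ANSWER_KEY[question][answer]
    return ratings


def score_review(responses):
    """Total the points and derive the overall Low/Medium/High level."""
    ratings = rate_responses(responses)
    score = sum(POINTS[r] for r in ratings.values())
    max_score = POINTS["High"] * len(ratings)
    ratio = score / max_score
    level = "High" if ratio >= HIGH_THRESHOLD else "Medium" if ratio >= MEDIUM_THRESHOLD else "Low"
    highs = [q for q, r in ratings.items() if r == "High"]
    return ReviewResult(score, max_score, level, highs)


def rating_changes(previous, current):
    """Questions whose rating moved between two reviews, for spotting trends."""
    before, after = rate_responses(previous), rate_responses(current)
    return {q: (before[q], after[q]) for q in before if q in after and before[q] != after[q]}


def add_business_days(start, n):
    """Advance n business days (Mon-Fri); public holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def review_schedule(renewal_notice_date, level):
    """Send the review 180 days before the renewal notice, give the vendor
    10 business days, and plan the next review at the level's cadence."""
    send = renewal_notice_date - timedelta(days=180)
    return {
        "send": send,
        "vendor_due": add_business_days(send, 10),
        "next_review": send + timedelta(days=CADENCE_DAYS[level]),
    }


# Constructed sample responses, not from any real vendor.
SAMPLE_RESPONSES = {
    "Do you have an internal Risk Assessment program?": "Yes",
    "What is the frequency of performing Risk Assessments?": "> 1 year",
    "Is there a designated Information Security team within the organisation?": "No",
    "How often are passwords reset?": "When user requests",
    "What is the limit of unsuccessful login attempts before the account is locked?": "Up to 6",
    "Is there a documented Incident Response Plan?": "No",
}

if __name__ == "__main__":
    result = score_review(SAMPLE_RESPONSES)
    print(f"{result.score}/{result.max_score} -> {result.level}")
    for q in result.high_risk_items:
        print("open incident:", q)
    print(review_schedule(date(2024, 12, 1), result.level))
```

Two points a practitioner should notice: a response that is not one of the form’s listed options is rejected rather than silently scored, so a vendor cannot write in an answer that the answer key does not cover, and the High-rated questions are returned as a list because the article has the VMO open one incident per high-risk question when the decision maker does not sign off.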

 

Author: Paul Boone
