Vendor Review

Nowadays, there is a plethora of vendor tools, services, and products for almost every business requirement and focus area of an organization, and it is often easier and more cost-effective to use a vendor's established product or service than to spend the time and money developing your own.

However, using one of these tools buys convenience, not a release from accountability. You, as the organization, are still responsible for ensuring that the service provided by the vendor supports the business objectives, and does so securely and appropriately.

Why is 3rd party vendor management important?

A vendor review should be performed prior to entering into any contractual agreement with a vendor, as well as on an ongoing basis (annually, for example), to ensure that the service offering and product is still aligned to the organizational requirements, and will not cause any risks to the organization, investors or your customers.

What is 3rd party vendor management?

A vendor risk assessment helps you and your organization understand the risks that may arise when using, or planning to use, a vendor's product or service.

The goals of a vendor review are to:

  • Identify any risks the vendor will pose
  • Evaluate if the vendor is able to eliminate those risks
  • Monitor the risks that cannot be eliminated
  • Assess the impact that any outstanding risks may have on the organization
  • Determine if your organization is willing to accept those risks
  • Identify if the vendor service offering is ultimately aligned to the requirements of the organization

The vendor review process:

Vendor reviews typically involve a series of questions. The answers to those questions result in an overall score, which then identifies the vendor’s risk level.

When performing the review of a vendor, there are different ways to go about it, and the approach should be aligned with the criticality and service provided by the vendor.

For example, when reviewing a vendor that will function as your primary cloud infrastructure (IaaS) provider (such as AWS, Microsoft Azure, or GCP), it would be appropriate to do a full review of the vendor's SOC 2 report rather than a high-level risk assessment. This is because the vendor will perform critical business functions, and you need to be aware of how their products and services align with and support the requirements of your business.

A vendor that will provide a non-critical service may not require as in-depth a review; a security questionnaire that is provided to, and completed by, the prospective vendor may be sufficient.

In many instances, an organization may be planning to enter into an agreement with a well-established, reputable vendor such as GitHub, GitLab, Jira, or SentinelOne, and by doing so would be receiving the 'standard' product offering. In such cases, it may be appropriate to review the vendor's publicly available terms of service and identify how its controls align with the requirements of the organization.

Initial vendor review

Vendor management should be introduced during the Request For Proposal (RFP) process. Depending on your current RFP process, you may be able to embed your risk review assessment into the RFP. 

Findings during the review that should raise concern include a vendor under review that:

  • Does not provide any processes for safeguarding confidential data
  • Does not perform internal risk assessments
  • Does not have a formal security policy
  • Does not perform security checks across all business areas
  • Does not have a disaster recovery plan

Ongoing vendor review

Ongoing vendor reviews should be scheduled at a frequency matched to the vendor's current risk level, such as:

  • Low risk vendors → Annually/biennially (every two years)
  • Medium risk vendors → Semi-annually/annually
  • High risk vendors → Quarterly/semi-annually

At this point, you can also compare the current review to the vendor’s previous reviews and spot any relevant trends.

Review and type of vendor

It is best to create vendor reviews based on the services the vendor performs; not every vendor should be subjected to the same review form. Always keep in mind the vendor size and the risk the vendor poses to your organization — too many reviews could damage the relationship with the vendor.

Below are five common vendor types that can be used to help shape your vendor review process:

  • Essential Services — the vendor handles customer data and customer interaction
  • Customer Facing — the vendor interacts with customers without handling customer data
  • Customer Data — the vendor handles customer data without customer interaction
  • Back Office — the vendor supports core services but has no customer interaction/data
  • Non-Essential — the vendor does not provide core services or core product

Vendor risk management: risk areas

The following list shows risk areas that vendor reviews may target and which vendor types are applicable to each risk area:

  • Organizational security – All vendor types
  • Environmental security – All vendor types
  • Security incident handling – All vendor types
  • Human Resource (HR) security – All vendor types
  • Disaster recovery – All vendor types
  • Handling data – Essential Services and Customer Facing
  • Customer interaction process – Essential Services and Customer Facing
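The scoring mechanism described above (questionnaire answers produce a score, the score sets the risk level, the risk level sets the review cadence) and the mapping of risk areas to vendor types can be expressed as a small scoring module. The example below is added here and is not the page's own tooling; the question set, the weights, the tier thresholds and the red-flag escalation rule are constructed assumptions, while the vendor types, the risk-area-to-vendor-type mapping and the review cadences (strictest end of each range on the page) come from the text.

```python
"""Vendor risk scoring: questionnaire answers -> score -> risk tier -> review cadence.

Added example (not the page's own code). Question set, weights and
thresholds are assumptions; vendor types, risk areas and cadences follow
the page.
"""
from dataclasses import dataclass
from enum import Enum


class VendorType(Enum):
    ESSENTIAL = "Essential Services"      # customer data and customer interaction
    CUSTOMER_FACING = "Customer Facing"   # interaction, no customer data
    CUSTOMER_DATA = "Customer Data"       # customer data, no interaction
    BACK_OFFICE = "Back Office"           # supports core services, no data/interaction
    NON_ESSENTIAL = "Non-Essential"       # no core service or product


# Risk areas and the vendor types each applies to, as listed on the page.
ALL = frozenset(VendorType)
RISK_AREAS = {
    "Organizational security": ALL,
    "Environmental security": ALL,
    "Security incident handling": ALL,
    "Human Resource (HR) security": ALL,
    "Disaster recovery": ALL,
    "Handling data": frozenset({VendorType.ESSENTIAL, VendorType.CUSTOMER_FACING}),
    "Customer interaction process": frozenset({VendorType.ESSENTIAL, VendorType.CUSTOMER_FACING}),
}


@dataclass(frozen=True)
class Question:
    id: str
    area: str          # must be a key of RISK_AREAS
    weight: int        # assumed weighting (constructed)
    red_flag: bool = False  # a missing control here escalates to High regardless of score


# Constructed question set. The red-flag items are the page's "should raise
# concern" findings: no safeguarding of confidential data, no internal risk
# assessments, no formal security policy, no security checks across business
# areas, no disaster recovery plan.
QUESTIONS = [
    Question("policy", "Organizational security", 3, red_flag=True),
    Question("risk_assess", "Organizational security", 2, red_flag=True),
    Question("sec_checks", "Organizational security", 2, red_flag=True),
    Question("dr_plan", "Disaster recovery", 3, red_flag=True),
    Question("data_safeguard", "Handling data", 3, red_flag=True),
    Question("incident_proc", "Security incident handling", 2),
    Question("hr_screening", "Human Resource (HR) security", 1),
    Question("env_controls", "Environmental security", 1),
    Question("cust_process", "Customer interaction process", 2),
]

# Strictest end of each cadence range on the page, in months.
CADENCE_MONTHS = {"Low": 12, "Medium": 6, "High": 3}


def applicable_questions(vendor_type: VendorType) -> list[Question]:
    """Only ask about risk areas that apply to this vendor type."""
    return [q for q in QUESTIONS if vendor_type in RISK_AREAS[q.area]]


def score_vendor(vendor_type: VendorType, answers: dict[str, bool]) -> tuple[float, str, list[str]]:
    """answers maps question id -> True if the vendor evidenced the control.

    An unanswered question counts as 'no': absence of evidence is treated as
    absence of the control. Returns (risk score 0..100, tier, red-flag ids).
    """
    qs = applicable_questions(vendor_type)
    total = sum(q.weight for q in qs)
    missing = sum(q.weight for q in qs if not answers.get(q.id, False))
    score = round(100 * missing / total, 1)
    flags = [q.id for q in qs if q.red_flag and not answers.get(q.id, False)]
    # Assumed thresholds: any red flag or >=50% missing -> High, >=20% -> Medium.
    if flags or score >= 50:
        tier = "High"
    elif score >= 20:
        tier = "Medium"
    else:
        tier = "Low"
    return score, tier, flags


def review_cadence_months(tier: str) -> int:
    return CADENCE_MONTHS[tier]


def trend(previous_scores: list[float], current: float) -> str:
    """Compare this review with earlier ones (higher score = more risk)."""
    if not previous_scores:
        return "no history"
    last = previous_scores[-1]
    if current > last:
        return "worsening"
    if current < last:
        return "improving"
    return "stable"


if __name__ == "__main__":
    # Constructed sample: a back-office vendor with no disaster recovery plan.
    answers = {q.id: True for q in QUESTIONS}
    answers["dr_plan"] = False
    s, tier, flags = score_vendor(VendorType.BACK_OFFICE, answers)
    print(s, tier, flags, review_cadence_months(tier), trend([5.0], s))
```

A red flag forces the High tier even when the weighted score alone would land in Medium, which matches the page's point that these findings should raise concern on their own; the score still matters for separating Low from Medium and for spotting trends across successive reviews.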