What Is Vendor Risk Management and How Does It Work?

Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

Manage Software Risk | Manage software risk at the speed your business demands.

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

API Security Testing | Manage software risks with a holistic API security testing program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source Security & License Management | Effective solutions for ensuring open source security and license compliance
Malicious Code Detection | What hidden threats are lurking under the surface of your code?
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

AppSec Program Strategy News | Get insights from Synopsys cybersecurity experts on building a security program.
DAST News | Expert insight on dynamic analysis (DAST).
IAST News | Expert insight on interactive analysis (IAST).
SAST News | Expert insight on static analysis (SAST).
Open Source and Software Supply Chain News | Discover open source and software supply chain risk management tips and best practices.
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices.
Security and Developer Training News | Articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition Analysis News | Expert insight on software composition analysis (SCA).
Security Risk News | Read the latest information on how to manage application security risks.
Security Research News | Get an analysis of today’s application security news and research.

Case Studies | Application security customer stories
eBooks | Browse the latest ebooks on software security trends and best practices
Glossary | Glossary of Application Security, EDA & Semiconductor IP terms
Reports | Browse the latest application security reports from Synopsys and industry-leading analysts.
Webinars | Browse the latest webinars on application security solutions, trends, and strategies.
White Papers | Access the latest white papers for technical knowledge on application security solutions.

Overview | Learn more about the Synopsys Cybersecurity Research Center.
Research | Access the latest first-party research and analysis from the Synopsys Cybersecurity Research Center.

Press Releases | Browse our most recent news releases.

Table of Contents

What is vendor risk management?
How does vendor risk management affect the vendor selection process?
How do you carry out a vendor risk management strategy?
What vendor risk management tools or resources can organizations use?
Why is third-party security important?
What risk management questions should you ask your vendors?
What to read next

Definition

Most organizations collaborate with vendors to reduce costs or create more efficient business operations. When an organization partners with a third party, there is often a great deal of confidential data that is shared with that vendor, and potentially to external parties. For this reason, vendor risk management is a highly important security topic that firms should account for in a security initiative.

Vulnerability risk management is the process of evaluating vendors prior to establishing a contract of the potential risks that an organization faces when transferring information and/or allowing a vendor to store your organization’s sensitive information.

If the personally identifiable information (PII) of your customers is accessed through your vendor network by hackers, it can cause legal, financial, and reputational risks for your organization. As such, organizations should get ahead of the risk and create a strategy that accounts for specific vendors with whom your firm works.

The strategy should outline:

What type of data you’re sharing with the vendor
How you are sharing that data
Who has access to this data
How that data will be stored
How that data will be destroyed
How frequently the auditing process takes place

How does vendor risk management affect the initial vendor selection process?

Selecting the right vendors to work with is a critical first step within the vendor risk management process. Before selecting a vendor, use due diligence to verify the following areas of the partnership (note that this list isn’t exhaustive):

Background
Performance history
Financial health
Market reputation
Policies in place within the vendor organization
Compliance
Stakeholders and board of directors
Civil or criminal lawsuits against your vendor or its stakeholders

Armed with this information, develop a risk assessment profile identifying the possible risks.

Next, establish a risk management strategy including the necessary steps to mitigate those risks. If your organization already has a strategy in place, note that you may need to add or modify a clause in the document for each vendor with whom you’d like to work. Once the strategy is in place, utilize it for a periodic vendor review.

How do you carry out a vendor risk management strategy?

These eight steps present a high-level overview of elements that make up a strong vendor risk management strategy:

List all vendors with whom your organization works. Prioritize these vendors based on how much of a security threat each poses to the organization. This allows you to best coordinate your internal resources to tackle the high and critical threats first.
Implement a security framework that maps to your organization. For example, if your business operates as part of the healthcare industry, the vendor must comply with the Health Information Portability and Accountability Act (HIPAA).
Prepare a contract outlining the business relationship between your organization and the vendor. This process will involve your legal team.
Create documentation of the vendor selection process and criteria, available vendor details, and audit reports of each review taking place at the vendor site.
Conduct a periodic review and audit of clauses included within the contract. Ensure they are met. These reviews ensure that the vendor meets regulatory compliance for your industry.
Collect fourth-party vendor details and perform an assessment of your vendor’s policies for its vendors.
Document risks identified during the process and proposed mitigation plan.
Educate employees involved in the process about the importance of the process and an assurance of a clear line of escalation for any red flags.

What vendor risk management tools or resources should organizations implement?

There are four items to consider within your organization to ensure a proactive vendor risk management strategy:

Prepare templates for questionnaires, checklists, and process documentation for use during the vendor risk management process.
If you don’t have skilled resources in your organization, outsource the requirement to firms that provide specialized services. These organizations can help you hone your risk assessment and risk management techniques.
Follow current best practices and compliance requirements. Some current best practice, compliance, and regulatory standards that are helpful as a reference include:
1. The Sarbanes-Oxley Act
2. The Gramm-Leach-Bliley Act
3. The Foreign Corrupt Practices Act (FCPA)
4. The Health Insurance Portability and Accountability Act (HIPAA)
5. The Payment Card Industry Data Security Standard (PCI DSS)
6. The UK Bribery Act
7. NIST 800-53
8. NIST Cybersecurity Framework
Gather as much information as possible about the vendor before building your strategy. This includes publicly available information relating to items such as physical verification, etc.

The focus of the strategy should be on improving the design and solving any problems along the way rather than collecting data. This will allow you to create a value-added ecosystem for you and your vendors.

Why is third-party security so important?

Statistics show that nearly two-thirds of security breaches originate from third parties. For example, in the December 2013 Target breach, the attack was enabled by an email phishing attack on an HVAC contractor. An employee of the contractor clicked a malicious link which ultimately led to the compromise of millions of credit cards. This is one of many examples highlighting why the security of your vendors directly affects your firm.

Vendors can improve credibility by having proper documentation and policies in place that are an auditing requirement. These firms should also educate all levels of employees of the importance of third-party security.

What risk management questions should you ask your vendors?

Provide a vendor risk management questionnaire to each potential vendor your firm is considering. The vendor risk management questionnaire should be detailed and granular. However, a selection of important questions to include in your list are as follows:

Do you have a cybersecurity policy and skilled resources within your organization? Have you used this policy to perform a cybersecurity assessment? Or, have you completed a similar assessment with a third-party organization? Please share the policy and your results.
Do you use tools to monitor your network and the software in use within your organization? Are employees free to download free or open source software without requiring permission? Please share a list of software and tools in use within your organization.
Do you have a disaster recovery strategy in place? If yes, have you ever used this strategy? Please share the strategy.
Do you have a list of vendors to whom you have outsourced services? Do you have a vendor risk management strategy in place for conducting risk assessments with vendors? Do you have a vendor risk management team? Please share your vendor list and details of your vendor risk management strategy.
As an organization, how do you ensure that your security guidelines (if applicable) are carried out throughout the SDLC? Does your firm conduct security testing or review of all products? Are your employees trained on security skills they can use while developing or testing?
What is your breach notification policy? Do you only notify the customer whose data has been breached? Or, do you notify all customers?