What Is Vendor Risk Management and How Does It Work?

Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | All-in-one cloud-based AppSec platform with Polaris
AppSec IDE Plug-ins | Secure code as you write it in your IDE with Code Sight
Software Risk Management | Correlate and prioritize AppSec risks with Code DX
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Find vulnerabilities in proprietary code during development with Coverity
Software Composition Analysis (SCA) | Find vulnerabilities in open source and 3rd party components with Black Duck SCA
Interactive Analysis (IAST) | Find and verify vulnerabilities during build and QA with Seeker IAST
Dynamic Analysis (DAST) | Automated web application security testing in production with WhiteHat Dynamic
Penetration Testing | Find business logic errors before hackers do
Protocol Fuzzing | Discover unknown vulnerabilities to prevent zero-day attacks with Defensics Fuzz Testing

Program Strategy & Planning | Measure, scale and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Education on coding basics and advanced skills to build secure code
Implementation & Deployment | Optimize utilization, management and deployment of tools
Security Testing Services | On-demand security testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A with Black Duck Audit Services

Manage software risk at the speed your business demands | automation with Genetec & Mateso

Dev and DevOps Teams | building security into your software development lifecycle (SDLC)
Security Teams | Are your AppSec tools, programs, and people equipped to secure all that software?
Legal Teams | Solutions to protect your IP, manage your risk

API Security Testing | with a holistic API security testing program
Application Security Testing | at every stage of the application life cycle
DevSecOps | Synopsys solutions help shift security left without slowing down your development teams
Software Supply Chain Security | Synopsys solutions help you identify and manage software supply chain risks end-to-end
Cloud & Container Security | secure deployment and operation in the cloud
Open Source Security & License Management | security and compliance for open source
M&A Due Diligence | identify software risks that could negatively impact the value of acquired IP
Quality & Security Standards Compliance | demonstrate compliance with specific standards to maintain customer trust and avoid legal or regulatory penalties

Financial Services | protect sensitive customer and financial data from rapidly evolving security threats
IoT & Embedded | ensure your embedded and IoT devices are safe, secure, and reliable
Automotive | build software security & reliability into the modern connected car
Telecommunications | we help you create seamless and safe mobile experiences, from silicon to software
Aerospace & Defense | solutions for automating mission-critical development
Public Sector | application security for government agencies and their suppliers
Medical Device | ensure your medical devices and applications meet patient expectations and comply with regulations

AppSec Program Strategy News | Get insights from Synopsys cyber security experts on building a security program
DAST News | articles about how to apply DAST effectively across your application portfolio
IAST News | articles from Synopsys cyber security experts to learn how IAST tools can grow with your needs
SAST News | articles from Synopsys cyber security experts to learn how to leverage SAST
Open Source and Software Supply Chain News | Discover supply chain risk management best practices from Synopsys cyber security experts
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices, from Synopsys cyber security experts
Security and Developer Training News | articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition News | Read SCA articles to learn how to manage the security, license compliance, and code quality risks that arise from open source in apps
Secure Software Development News | Read related articles from Synopsys cyber security experts
Security Risk News | Read articles from Synopsys cyber security experts to learn how to manage security risks
Security Research News | Get an analysis of today’s application security news and research from Synopsys cyber security experts

Case Studies | Application Security Customer Stories
eBooks | Discover the latest software security trends and best practices to ensure security in a DevOps environment while maintaining developer velocity
Glossary | Glossary of Application Security, EDA & Semiconductor IP
Reports | Discover the latest application security trends and best practices to ensure security in a DevOps environment while maintaining velocity
Webinars | latest & upcoming Synopsys Webinars
White Papers | Discover industry best practices to ensure security in a DevOps environment while maintaining developer velocity

Overview | leverages Synopsys’ expertise, technology, and resources to conduct high-quality software security research
Research | Get an analysis of today’s application security news and research from Synopsys cyber security experts

Press Releases | complete list of our most recent news releases

Table of Contents

What is vendor risk management?
How does vendor risk management affect the vendor selection process?
How do you carry out a vendor risk management strategy?
What vendor risk management tools or resources can organizations use?
Why is third-party security important?
What risk management questions should you ask your vendors?
What to read next

Definition

Most organizations collaborate with vendors to reduce costs or create more efficient business operations. When an organization partners with a third party, there is often a great deal of confidential data that is shared with that vendor, and potentially to external parties. For this reason, vendor risk management is a highly important security topic that firms should account for in a security initiative.

Vulnerability risk management is the process of evaluating vendors prior to establishing a contract of the potential risks that an organization faces when transferring information and/or allowing a vendor to store your organization’s sensitive information.

If the personally identifiable information (PII) of your customers is accessed through your vendor network by hackers, it can cause legal, financial, and reputational risks for your organization. As such, organizations should get ahead of the risk and create a strategy that accounts for specific vendors with whom your firm works.

The strategy should outline:

What type of data you’re sharing with the vendor
How you are sharing that data
Who has access to this data
How that data will be stored
How that data will be destroyed
How frequently the auditing process takes place

How does vendor risk management affect the initial vendor selection process?

Selecting the right vendors to work with is a critical first step within the vendor risk management process. Before selecting a vendor, use due diligence to verify the following areas of the partnership (note that this list isn’t exhaustive):

Background
Performance history
Financial health
Market reputation
Policies in place within the vendor organization
Compliance
Stakeholders and board of directors
Civil or criminal lawsuits against your vendor or its stakeholders

Armed with this information, develop a risk assessment profile identifying the possible risks.

Next, establish a risk management strategy including the necessary steps to mitigate those risks. If your organization already has a strategy in place, note that you may need to add or modify a clause in the document for each vendor with whom you’d like to work. Once the strategy is in place, utilize it for a periodic vendor review.

How do you carry out a vendor risk management strategy?

These eight steps present a high-level overview of elements that make up a strong vendor risk management strategy:

List all vendors with whom your organization works. Prioritize these vendors based on how much of a security threat each poses to the organization. This allows you to best coordinate your internal resources to tackle the high and critical threats first.
Implement a security framework that maps to your organization. For example, if your business operates as part of the healthcare industry, the vendor must comply with the Health Information Portability and Accountability Act (HIPAA).
Prepare a contract outlining the business relationship between your organization and the vendor. This process will involve your legal team.
Create documentation of the vendor selection process and criteria, available vendor details, and audit reports of each review taking place at the vendor site.
Conduct a periodic review and audit of clauses included within the contract. Ensure they are met. These reviews ensure that the vendor meets regulatory compliance for your industry.
Collect fourth-party vendor details and perform an assessment of your vendor’s policies for its vendors.
Document risks identified during the process and proposed mitigation plan.
Educate employees involved in the process about the importance of the process and an assurance of a clear line of escalation for any red flags.

What vendor risk management tools or resources should organizations implement?

There are four items to consider within your organization to ensure a proactive vendor risk management strategy:

Prepare templates for questionnaires, checklists, and process documentation for use during the vendor risk management process.
If you don’t have skilled resources in your organization, outsource the requirement to firms that provide specialized services. These organizations can help you hone your risk assessment and risk management techniques.
Follow current best practices and compliance requirements. Some current best practice, compliance, and regulatory standards that are helpful as a reference include:
1. The Sarbanes-Oxley Act
2. The Gramm-Leach-Bliley Act
3. The Foreign Corrupt Practices Act (FCPA)
4. The Health Insurance Portability and Accountability Act (HIPAA)
5. The Payment Card Industry Data Security Standard (PCI DSS)
6. The UK Bribery Act
7. NIST 800-53
8. NIST Cybersecurity Framework
Gather as much information as possible about the vendor before building your strategy. This includes publicly available information relating to items such as physical verification, etc.

The focus of the strategy should be on improving the design and solving any problems along the way rather than collecting data. This will allow you to create a value-added ecosystem for you and your vendors.

Why is third-party security so important?

Statistics show that nearly two-thirds of security breaches originate from third parties. For example, in the December 2013 Target breach, the attack was enabled by an email phishing attack on an HVAC contractor. An employee of the contractor clicked a malicious link which ultimately led to the compromise of millions of credit cards. This is one of many examples highlighting why the security of your vendors directly affects your firm.

Vendors can improve credibility by having proper documentation and policies in place that are an auditing requirement. These firms should also educate all levels of employees of the importance of third-party security.

What risk management questions should you ask your vendors?

Provide a vendor risk management questionnaire to each potential vendor your firm is considering. The vendor risk management questionnaire should be detailed and granular. However, a selection of important questions to include in your list are as follows:

Do you have a cybersecurity policy and skilled resources within your organization? Have you used this policy to perform a cybersecurity assessment? Or, have you completed a similar assessment with a third-party organization? Please share the policy and your results.
Do you use tools to monitor your network and the software in use within your organization? Are employees free to download free or open source software without requiring permission? Please share a list of software and tools in use within your organization.
Do you have a disaster recovery strategy in place? If yes, have you ever used this strategy? Please share the strategy.
Do you have a list of vendors to whom you have outsourced services? Do you have a vendor risk management strategy in place for conducting risk assessments with vendors? Do you have a vendor risk management team? Please share your vendor list and details of your vendor risk management strategy.
As an organization, how do you ensure that your security guidelines (if applicable) are carried out throughout the SDLC? Does your firm conduct security testing or review of all products? Are your employees trained on security skills they can use while developing or testing?
What is your breach notification policy? Do you only notify the customer whose data has been breached? Or, do you notify all customers?