3 Ways to Determine Who Your Vendors Are

The first step of third-party vendor management is to know who your vendors are. Most companies do not have a comprehensive list of all their vendors! The purchasing or legal departments can sometimes provide a list based on contracts, but even then, some vendors may have eluded the company's procurement process through credit card purchases, proof-of-concepts, and free applications (which often carry the most risk). Even if you do have a list, it can be difficult to determine the inherent risk a vendor poses to your business without input from the business unit that uses the product or service. It's important to have an inventory of your applications (CIS Basic Control number 2), and according to a recent Netskope study, enterprises have an average of 1,246 cloud services in use.

Maybe your engineers have tried out a new service with a "free trial" and have decided to keep using it. Your accountants may have been working with a particular third-party vendor for a long time, but it has never been assessed for risk. How do you get a handle on the known and unknown third parties that your employees are using?

Here are 3 ways to obtain a list of your vendors if you don't have one:

1) Put a checkpoint in place within the purchasing process to prevent the renewal of a third-party product or service without updated vendor risk information

Some companies that do not have a comprehensive list of vendors require business units to fill out a form describing the type and sensitivity of the data used, the systems the vendor has access to, and the importance of the service to the company. This way the company builds a list on the fly within the purchasing process, which also gives it some leverage over the business user and the vendor to answer quickly (I need to buy this now!).

2) Ask the purchasing/procurement department for a list of suppliers

The purchasing department may not know the nature of each vendor's product or service offering in detail and likely will not have enough information to determine what risk the product presents to the company, but a list can be a start. You should be able to get the name of a person or department that uses the product, which you can use to reach the business contact and determine the assessment that is required for that vendor.

3) For SaaS products, get a Cloud Access Security Broker (CASB) to monitor your employees' cloud service usage and establish controls to ensure that cloud services are used securely

For vendor applications that are used over the internet, your networking or security people may be able to tell which applications employees are using. Firewalls, proxies, and certainly CASB devices track the connections that your employees make to outside applications over the internet. A list of these vendors can be built from real user activity connecting to those services. CASB services can even tell you a bit about the vendor and their security posture.
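As an added illustration of this third approach (example code, not part of the original post), the script below builds a first-pass vendor inventory from proxy-style connection logs, collapsing host names to one domain per vendor and flagging the vendors that traffic shows but the procurement list does not. The log layout and all domains and user names are constructed for the example; a real deployment would replace parse_line() with a parser for the proxy or CASB export in use.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a simple "timestamp user method url" layout
# (not a real proxy export); swap parse_line() for your proxy's format.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice GET https://app.examplecrm.test/contacts
2024-03-01T09:15:44Z bob POST https://api.examplecrm.test/v1/leads
2024-03-01T10:02:10Z alice GET https://files.exampleshare.test/d/abc
2024-03-02T08:30:00Z carol GET https://www.exampleshare.test/login
2024-03-02T11:45:12Z dave GET https://trial.newtool.test/signup
2024-03-03T14:20:55Z carol GET https://app.examplecrm.test/reports
"""

def registrable_domain(host: str) -> str:
    """Keep the last two labels so app.x.test and api.x.test count as one
    vendor (use a public-suffix list if you have co.uk-style hosts)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_line(line: str):
    """Return (timestamp, user, host) for one constructed log line."""
    ts, user, _method, url = line.split(maxsplit=3)
    return ts, user, urlsplit(url).hostname

def build_inventory(log_text: str) -> dict:
    """Map vendor domain -> {users, requests, first_seen, last_seen}."""
    inventory = defaultdict(lambda: {"users": set(), "requests": 0,
                                     "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        ts, user, host = parse_line(line)
        if host is None:          # malformed URL: skip rather than crash
            continue
        entry = inventory[registrable_domain(host)]
        entry["users"].add(user)
        entry["requests"] += 1
        # ISO-8601 UTC timestamps compare correctly as strings
        entry["first_seen"] = min(entry["first_seen"] or ts, ts)
        entry["last_seen"] = max(entry["last_seen"] or ts, ts)
    return dict(inventory)

def unassessed_vendors(inventory: dict, assessed: set) -> list:
    """Vendors seen in traffic but absent from the procurement list,
    most-used first, to prioritise the risk questionnaires."""
    gaps = [d for d in inventory if d not in assessed]
    return sorted(gaps, key=lambda d: (-len(inventory[d]["users"]), d))

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for d in unassessed_vendors(inv, {"examplecrm.test"}):
        print(d, len(inv[d]["users"]), "users,", inv[d]["requests"], "requests")
```

The user count per vendor is what tells you which business unit to approach for the risk form; the first-seen date shows whether the service predates your current process.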