Third parties should be assessed according to the inherent risk they pose to your business. If you haven’t already, prioritize your vendors by risk first. Assessments should be executed during vendor selection, on a regular schedule (such as annually or at contract renewal), and/or in response to external events such as a data breach. For vendors that have low inherent risk, it may be acceptable to require only a self-reporting questionnaire, or not to assess at all if they have no access to data. Some companies supplement their self-assessments of high-inherent-risk vendors with third-party scorecard services such as Bitsight, SecurityScorecard, NormShield, and RiskRecon.
1) Planning the Assessment
The higher the inherent risk rating of a vendor, the more in-depth the assessment process must be. Begin the process by understanding your organization’s data types and how the third party creates, processes, and/or stores that information. Read the agreement with the vendor (contract, Statement of Work, license, etc.) to understand the assessment requirements and any right to audit, if applicable. Consider what supporting artifacts would be appropriate to request from the vendor: policies, disaster recovery/business continuity plan, penetration testing results, assessments of their own third-party vendors, etc.
2) Conducting the Assessment
Consider at which level the assessment is to be conducted. Is it just one of the vendor’s business lines that has access to data, or is it enterprise-wide? Many companies require third parties to complete a questionnaire that provides information about how they develop and maintain risk controls to protect data, applications, systems, networks, privacy, etc. Acquire documentation such as the privacy policy and incident response plan to verify that it matches the questionnaire responses. Consider implementing a Vendor Risk Management system such as Whistic, ProcessUnity, or ServiceNow to provide efficient and effective interaction with the vendors, documentation of the results, and reporting for management and audit purposes (spreadsheets don’t scale and cost more in labor).
3) Considering the Assessment Results
Identify areas of concern based on findings in the reports, and assess their impact on services. Determine whether the vendor is meeting industry standards and best practices. Does the residual risk exceed your company’s risk tolerance? Consider one of the following based on the assessment results:
- Risk remediation: communicate to the vendor what needs to be resolved.
- Risk mitigation: eliminate or reduce the risks presented by the vendor by adjusting requirements or constraints.
- Risk acceptance: accept the risks associated with the vendor as part of doing business.
4) Reporting Assessment Results
Provide the appropriate level of detail to your organization’s management to help them understand the risks associated with third parties, including data sensitivity and/or quantity, criticality of services, location, etc. Many governing bodies require board members or senior management to monitor the overall risks associated with third-party providers. Document the fact that results were presented to management with signatures and/or meeting minutes.
5) Assessing the Assessment
Validate or update the vendor’s risk rating. Any change in the services provided that affects data or system access may require an increased risk rating. Consider modifying the frequency and type of assessments accordingly. Determine whether the change is significant enough to require modification of contracts.