June 02, 2020 // Tony Howlett // Last Updated: November 19, 2020
Working with vendors, business partners, and other third parties is a fact of life for most organizations. However, once vendors are selected, vetted, and onboarded, they will often be given remote access to your network, and that’s where problems can arise. Even one vendor can increase the risk that your network might be compromised; when the number of vendors grows into the dozens or hundreds, the risk increases exponentially. This leads to an ongoing tug of war: the need to give each approved vendor access to your network in order to get to the resources they require to do their job versus the need to maintain the security of your network and your organization’s vital assets.
Hence, any organization that works with vendors who access corporate resources remotely must identify relevant and effective steps that can help mitigate the risk exposure caused by working with vendors, and one important step towards achieving that goal is implementing a system to properly catalog these vendors.
In this blog post, we’ll explore what vendor cataloging is, why profiling each vendor to gauge individual risk is a key element in this process, the main benefits of vendor cataloging, and some final thoughts.
Among the best practices that organizations should implement for reducing the risks caused by vendor remote access is cataloging new vendors. This is one of the most important, since this process helps share vital detailed information within the organization about the services provided by these third parties, the departments they are intended to serve, and their level of risk (determined by vendor profiling and other assessment techniques).
Vendor cataloging is the gold standard for reducing risk when vendors are first hired. By using this process, an organization can fully assess and document each new vendor and supplier that will come in contact with their network. Then, after vetted and approved vendors are onboarded, risk can be continuously monitored and mitigated by maintaining ongoing records for all third parties, and updating these records as working relationships begin and end over time.
It’s a given that working with third parties brings risk, but the level of risk tends to vary from vendor to vendor. Hence, organizations striving for optimal security and compliance should conduct an internal profile of each third party they work with, in order to determine the inherent risk of hiring them.
Organizations can start the profile development process by talking to the department or unit that needs to hire each vendor. One should ask for important vendor data, such as:
Each profile provides a guide for deciding which mitigation controls may be needed for each vendor. The complete catalog listing, containing all of your organization’s vendor profiles, should be made available to everyone in your organization who deals with these vendors and updated regularly.
To help streamline the vendor cataloging process, one useful strategy is to assign a category to each vendor, grouping similar vendors together. Such groupings can speed up vendor cataloging, since similar vendors tend to have several risk factors in common and thus require the same or similar questioning, assessment, and risk mitigation strategies. Example categories might be “sales automation” or “HR”, but the actual categories should fit your group of vendors and your organization’s use cases.
Creating a questionnaire that lets third parties assess themselves can make the vendor cataloging process much easier and more useful. Giving each vendor a self-assessment survey is not only standard practice, it’s also good practice – especially for third parties rated as high or medium risk. Questionnaires should be used to determine new vendors’ core policies, procedures, and processes around security and compliance, which helps organizations discover the true risk level of each vendor.
The category and degree of risk assigned to each vendor should guide question type and depth. However, in an ideal cataloging questionnaire, one should not bombard vendors with too many questions. Overly long forms with vague, obscure, or complicated questions can often engender partial answers that are not fully thought out or accurate. Questions that are relatively simple and objective, exploring topics of genuine concern, tend to work best.
There are several benefits gained when an organization implements a robust process for cataloging incoming vendors.
Vendor cataloging helps organizations formalize the necessary procedures and workflow for assessing, hiring, and onboarding vendors, which in turn leads to increased efficiency.
Once vendors have been categorized, questioned, assessed, approved, and onboarded, the risk of potential problems caused by vendor access to your organization’s network can be known, and thus proper steps can be put in place to monitor and mitigate that risk. Risk mitigation is especially important; according to one report, 65% of organizations that outsourced work to a vendor have experienced a consumer data breach, and 64% indicated that this occurred multiple times.
Vendor cataloging helps ensure that third parties meet compliance requirements related to regulations (governmental or industrial), as well as compliance guidelines set forth in an organization’s internal policies. This is especially important now that new privacy laws such as GDPR and CCPA place new requirements on organizations to track the vendors who handle their data.
The goal of vendor cataloging is to provide a coherent process by which organizations can closely manage vendor relationships. By creating and maintaining a detailed catalog of all third parties employed by your organization, including information about what services they provide and which departments they serve, the inherent risk due to vendor network access can be managed and substantially reduced.
Even though the risk is clear, and many organizations are aware of it, they may not take the steps necessary to address this risk, either because the available options seem too complicated or because the IT department feels too tied up with other tasks to carve out time for this added burden. However, the fact remains: it is a major Achilles heel if your system is not equipped both to properly catalog incoming vendors and to offboard vendors when their working relationship with your organization ends.
Ideally, what organizations need is a simple yet comprehensive method for handling these tasks, within a single integrated platform. The optimal solution would be a process that is separate from your employee onboarding. Automation of the process is also important, in order to reduce the burden on your IT department.