Effective vendor risk assessments begin by establishing an audit trail. The operating model that guides the process includes risk assessment documentation that the auditor reviews to establish vendor categorization and concentration. Some examples of assessment documentation include:
Risk Assessment Qualitative Documentation
- Vendors are categorized by service type
- Access needed to internal data
- Nature of data categorized by risk (client confidential, private data, corporate financial, identifiers, passwords)
- Data and information security expectations
Risk Assessment Quantitative Documentation
- Financial solvency baselines
- Contract size
- Beneficial owners of third-party's business
- Location of headquarters
- IT Security Ratings
Next, organizations must supply vendor report reviews proving ongoing governance throughout the vendor lifecycle. Traditionally, vendor lifecycle management incorporates five primary categories: qualifying, engagement, managing delivery, managing finances, and relationship termination. Policies and procedures that address each step in the lifecycle include:
Qualifying
- Process for obtaining and determining insurance, bonding, and business license documentation
- Benchmarks for reviewing financial records and analyzing financial stability
- Review process for staff training and licensing
- Benchmarks for evaluating IT assets
Engagement
- Contracts include a statement of work, delivery date, payment schedule, and information security requirements
Information Security Management
- Baseline identity access management within the vendor organization
- Baseline privileged access management for the vendor
Managing Delivery
- Scheduling deliverables
- Scheduling receivables
- Organization defines stakeholders responsible for working with the vendor
- Establishing physical access requirements
- Defining system access requirements
Managing Finances
- Establish an invoice schedule
- Establish a payment mechanism
Terminating Relationship
- Revoking physical access
- Revoking system access
- Definitions of causes for contract/relationship termination
Once the documentation framework has been established, you can administer the assessment. Using the documentation framework outlined above, organizations can streamline their risk assessment processes and ensure that all vendor audits are effective.