- Vendor security risk management is a growing concern for many organizations. Whether they are suppliers or business partners, we often trust third parties with our most sensitive data and processes.
- More and more regulations require vendor security risk management, and regulator expectations in this area are growing.
- However, traditional approaches to vendor security assessments are seen by business partners and vendors as too onerous, and they are unsustainable for information security departments.
Our Advice
Critical Insight
- An efficient and effective assessment process can only be achieved when all stakeholders participate.
- Security assessments are time-consuming for both you and your vendors. Maximize the returns on your effort with a risk-based approach.
- Effective vendor security risk management is an end-to-end process that includes assessment, risk mitigation, and periodic re-assessments.
Impact and Result
- Develop an end-to-end security risk management process that includes assessments, risk treatment through contracts and monitoring, and periodic re-assessments.
- Base your vendor assessments on the actual risks to your organization. This keeps your vendors committed to the process and ensures you have the internal resources to fully evaluate assessment results.
- Understand your stakeholder needs and goals to foster support for vendor security risk management efforts.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
- Overall Impact: 9.2/10
- Average $ Saved: $11,418
- Average Days Saved: 16
| Client | Experience | Impact | $ Saved | Days Saved | Member Comment |
|---|---|---|---|---|---|
| Westoba Credit Union Limited | Guided Implementation | 10/10 | $5,000 | 10 | It's really valuable to have this work ready to be used instead of building it myself. |
| Saint Peter's Healthcare System | Guided Implementation | 10/10 | N/A | 5 | |
| SaskEnergy | Guided Implementation | 7/10 | $10,000 | 10 | We need to be aware of time management. We all have other work to do and when the time runs over the scheduled time, it impacts the upcoming meeti... |
| YMCA of Central Florida | Guided Implementation | 9/10 | N/A | 5 | Kevin did a good job zeroing in on our needs and getting quickly to the results we were interested in. |
| Platte River Power Authority | Workshop | 10/10 | $30,549 | 50 | This workshop gave us the documents to prepare the framework for a Vendor Security Program at Platte River. In addition, having the opportunity to ... |
| The Lansing Board of Water and Light | Workshop | 10/10 | N/A | N/A | |
| Messer | Guided Implementation | 8/10 | $34,099 | 10 | Best part was the validation that I understood the tools as delivered. |
| Enerflex Ltd. | Guided Implementation | 8/10 | N/A | 2 | |
| Turlock Irrigation District | Workshop | 10/10 | $11,159 | 20 | |
| City Of Durham | Guided Implementation | 9/10 | N/A | N/A | |
| DRiV Automotive Inc. | Guided Implementation | 8/10 | $50,000 | 20 | |
| Spark Therapeutics, Inc. | Workshop | 10/10 | $19,839 | 50 | |
| Modesto Irrigation District | Workshop | 10/10 | $30,999 | 20 | Best part was the customized and detailed plan we now have to address supply chain risk. The worst part was trying to understand our own internal ... |
| College of Westchester | Guided Implementation | 9/10 | $12,733 | 10 | Best: Having a functional process when we were done. Worst: Nothing comes to mind. |
| OCLC | Guided Implementation | 9/10 | N/A | N/A | |
| SAFE Credit Union Corporate | Guided Implementation | 10/10 | $8,913 | 2 | Kevin was very knowledgeable, and based on the fact that I already had a process in place he was able to provide focused areas that will enhance our... |
Workshop: Build a Vendor Security Assessment Service
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Define Governance and Process
The Purpose
- Understand business and compliance requirements.
- Identify roles and responsibilities.
- Define the process.
Key Benefits Achieved
- Understanding of key goals for process outcomes.
- Documented service that leverages existing processes.
| Activities | Outputs |
|---|---|
| Review current processes and pain points. | |
| Identify key stakeholders. | RACI Matrix |
| Define policy. | Vendor Security Policy |
| Develop process. | Defined process |
Module 2: Define Methodology
The Purpose
- Determine methodology for assessing procurement risk.
- Develop procedures for performing vendor security assessments.
Key Benefits Achieved
- Standardized, repeatable methodologies for supply chain security risk assessment.
| Activities | Outputs |
|---|---|
| Identify organizational security risk tolerance. | Security risk tolerance statement |
| Develop risk treatment action plans. | Risk treatment matrix |
| Define schedule for re-assessments. | |
| Develop methodology for assessing service risk. | Service Risk Questionnaire |
Module 3: Continue Methodology
The Purpose
- Develop procedures for performing vendor security assessments.
- Establish vendor inventory.
Key Benefits Achieved
- Standardized, repeatable methodologies for supply chain security risk assessment.
| Activities | Outputs |
|---|---|
| Develop vendor security questionnaire. | Vendor security questionnaire |
| Define procedures for vendor security assessments. | |
| Customize the vendor security inventory. | Vendor security inventory |
Module 4: Deploy Process
The Purpose
- Define risk treatment actions.
- Deploy the process.
- Monitor the process.
Key Benefits Achieved
- Understanding of how to treat different risks according to the risk tolerance.
- Defined implementation strategy.
| Activities | Outputs |
|---|---|
| Define risk treatment action plans. | Vendor security requirements |
| Develop implementation strategy. | Understanding of required implementation plans |
| Identify process metrics. | Metrics inventory |