Arvin Verma: Vendor Risk Assessments Must Be Actionable

• Design customized questionnaires so that vendors’ answers map directly back to their capabilities and certifications. These documents
  help you understand where the control or security question is being met and where it is not.
• Once a vendor is brought on board, you can integrate it with your security operations center, network operations center, or cyber fusion center so that it can see existing or potential threats.

“Recent predictions state that third parties present the biggest opportunity attackers have for accessing your environment because of varying levels of access to systems and network domains.”

With third-party vendors interacting with most aspects of day-to-day business operations, effective management of supply chain risk requires input from many levels of the business. Arvin Verma, cybersecurity risk thought leader, has built and developed third party risk programs at several organizations throughout his career. There are three key elements required to be implemented before an organization can create an effective supply chain risk management (RM) program:

• Leadership buy-in. Leadership must understand the risk that third-party relationships pose to the organization and the importance of managing that risk. Verma notes, “Recent predictions state that third parties present the biggest opportunity attackers will exploit in order to access your environment. This is due to varying levels of access to systems and network domains provided to third party vendors while supporting various business operations (janitorial services to system patching).”
• Continuous engagement with the organization. Leadership must engage continuously with the organization’s information security team, business partners, vendor procurement functions, and general counsel so that everyone is aligned on the unified approach and strategy to managing third-party relationship agreements.
• Know your data, its classification and value. Finally, the organization must know what the data classification and value are before you can evaluate the risk of sending data out to vendors. “It is critical that you understand what data you are sending outside your organization and its value,” Verma emphasizes. “You must understand who is consuming that data, and you have to build a level of communication with your suppliers to ensure that they appreciate the legal, regulatory, and contractual requirements that come with receiving, hosting, and managing that data.”

This is an excerpt from 7 Experts on Evaluating and Managing Supply Chain Risk.  This eBook was generously sponsored by BlueVoyant.