There are so many areas of security out there that most of us will never touch, yet there is a dire need for professionals. One area is Vendor Security, which almost no one does outside of a SAS70.

Vendor Risk Management needs a process. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier/Vendor security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

A risk management process for Vendors and Suppliers must contain an analysis process of current activities, identification of the potential threats that vendor poses to the corporate network, controls that can or should be put in place, a test process, and practical testing of the security over that vendor.

The Problem:

1. No framework for managing vendor risk
2. Inconsistent processes for tracking vendors
3. Lack of enforcement capabilities

The Opportunity:

1. Provide practical steps to manage vendor access management
2. Provide a cost-effective solution for risk mitigation
3. Provide numerical risk analysis of vendor/partner security issues
4. Risk reduction or risk acceptance
5. Documented exposure
6. Iterative process for risk management
7. Happy CIO

So a Supplier Security assessment follows 4 main steps:

1. Analyze the current vendor database, categorize each
2. Determine the risk of each supplier, determine the threats posed by each supplier
3. Perform assessment tests of each supplier, their processes of interaction, and data access
4. Develop a risk mitigation plan, update processes, monitoring processes

Vendor Assessments should be conducted on a yearly basis at a minimum. Good luck with your tests.