Enviar pesquisa
Carregar
Effective Assessment of Vendors Risk Management
•
0 gostou
•
525 visualizações
Amit Bhargava
Seguir
Effective Assessment of Vendors Risk Management
Leia menos
Leia mais
Dados e análise
Denunciar
Compartilhar
Denunciar
Compartilhar
1 de 16
Baixar agora
Baixar para ler offline
Recomendados
Stakeholder Relationship Management Audit
Stakeholder Relationship Management Audit
Anand Subramaniam
Choosing an MPS Provider White Paper v1NPR.PDF
Choosing an MPS Provider White Paper v1NPR.PDF
Andy Bryant
10 Questions To Ask When Evaluating IT Service Providers
10 Questions To Ask When Evaluating IT Service Providers
Insight
Samsung electronics case study
Samsung electronics case study
Service_supportAssignment
Viral Change
Viral Change
changeworks
Learning and development adoption is astonishingly easy with Cassini
Learning and development adoption is astonishingly easy with Cassini
Yogesh Kumar
Adr calculating the_right_audit_coverage_part_2_rationalizing_audit_activities
Adr calculating the_right_audit_coverage_part_2_rationalizing_audit_activities
Gaiani (CarnCorpAudit)
Benefiting from a Quality Problem Management Program
Benefiting from a Quality Problem Management Program
HDI Orange County
Mais conteúdo relacionado
Mais procurados
Risk Management Presentation Powerpoint 2008
Risk Management Presentation Powerpoint 2008
Praxiom
A Users Guide To N Abler Grading Best Practices
A Users Guide To N Abler Grading Best Practices
pauljmcgill
8 trends of successful crm(customer relationship management)2
8 trends of successful crm(customer relationship management)2
CRM Vision
Model Validation
Model Validation
Magnify Analytic Solutions
Resume_Kadambi Vijaisimh_April_2016
Resume_Kadambi Vijaisimh_April_2016
Kadambi Vijaisimh
Crm Hicss 2003 Presentation
Crm Hicss 2003 Presentation
Ram Srivastava
Rogers customer experience consulting report
Rogers customer experience consulting report
Abhishek Sharma
2012 Survey of Higher Education CRM Deployment Practices
2012 Survey of Higher Education CRM Deployment Practices
John Copeland
Planning overview2
Planning overview2
Hoda Ghatas
21 Best Practices for Effective Call Quality Monitoring
21 Best Practices for Effective Call Quality Monitoring
Tentacle Cloud
Process Transformation: Your Questions Answered
Process Transformation: Your Questions Answered
DATAMARK
Mais procurados
(11)
Risk Management Presentation Powerpoint 2008
Risk Management Presentation Powerpoint 2008
A Users Guide To N Abler Grading Best Practices
A Users Guide To N Abler Grading Best Practices
8 trends of successful crm(customer relationship management)2
8 trends of successful crm(customer relationship management)2
Model Validation
Model Validation
Resume_Kadambi Vijaisimh_April_2016
Resume_Kadambi Vijaisimh_April_2016
Crm Hicss 2003 Presentation
Crm Hicss 2003 Presentation
Rogers customer experience consulting report
Rogers customer experience consulting report
2012 Survey of Higher Education CRM Deployment Practices
2012 Survey of Higher Education CRM Deployment Practices
Planning overview2
Planning overview2
21 Best Practices for Effective Call Quality Monitoring
21 Best Practices for Effective Call Quality Monitoring
Process Transformation: Your Questions Answered
Process Transformation: Your Questions Answered
Destaque
Key Challenges Facing Vendor Risk Management Programs
Key Challenges Facing Vendor Risk Management Programs
Colleen Beck-Domanico
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
Poyner Spruill LLP, Attorneys
Power of partnerships
Power of partnerships
bobdonaldson
VENDOR PROCESS DEVELOPMENT
VENDOR PROCESS DEVELOPMENT
SWAPAN KUMAR ROY
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor Relationships
Goutama Bachtiar
SCM Smart Spending
SCM Smart Spending
Riky Kurniawan
Vendor Management and Contract Negotiations
Vendor Management and Contract Negotiations
ButlerRubin
Vendor Management - Compliance Checklist Manifesto Series
Vendor Management - Compliance Checklist Manifesto Series
Continuity Control
Vendor Selection Process
Vendor Selection Process
grinehart
Ariba Coverage of Risk Management within the Supplier Lifecycle
Ariba Coverage of Risk Management within the Supplier Lifecycle
Sean Thomson
Vendor development
Vendor development
Padmadhar PD
Vendor rating
Vendor rating
Abhishek Raj
Supplier selection
Supplier selection
joecobe
Vendor rating system
Vendor rating system
Chandrmouli Singh
Vendor Management Systems Best Practices
Vendor Management Systems Best Practices
jeffmonaghan
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
Optimus BT
Vendor Management
Vendor Management
mikecarey491
IT Strategic Vendor Management
IT Strategic Vendor Management
Bill Whetstone
Define an IT Strategy and Roadmap
Define an IT Strategy and Roadmap
Andrew Byers
Vendor Management
Vendor Management
Anand Subramaniam
Destaque
(20)
Key Challenges Facing Vendor Risk Management Programs
Key Challenges Facing Vendor Risk Management Programs
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
Power of partnerships
Power of partnerships
VENDOR PROCESS DEVELOPMENT
VENDOR PROCESS DEVELOPMENT
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor Relationships
SCM Smart Spending
SCM Smart Spending
Vendor Management and Contract Negotiations
Vendor Management and Contract Negotiations
Vendor Management - Compliance Checklist Manifesto Series
Vendor Management - Compliance Checklist Manifesto Series
Vendor Selection Process
Vendor Selection Process
Ariba Coverage of Risk Management within the Supplier Lifecycle
Ariba Coverage of Risk Management within the Supplier Lifecycle
Vendor development
Vendor development
Vendor rating
Vendor rating
Supplier selection
Supplier selection
Vendor rating system
Vendor rating system
Vendor Management Systems Best Practices
Vendor Management Systems Best Practices
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
Vendor Management
Vendor Management
IT Strategic Vendor Management
IT Strategic Vendor Management
Define an IT Strategy and Roadmap
Define an IT Strategy and Roadmap
Vendor Management
Vendor Management
Semelhante a Effective Assessment of Vendors Risk Management
Benchmarking Basic.pdf
Benchmarking Basic.pdf
R Borres
Risk Management Software Implementation Guide eBook
Risk Management Software Implementation Guide eBook
Glenn Peake
Six steps to revenue boosting lead generation programs
Six steps to revenue boosting lead generation programs
Jaslynn joan
5 steps for better risk assessment
5 steps for better risk assessment
DrMohammedFarid
Jon alperin 2013
Jon alperin 2013
jowen_evansdata
Edc2013 compliance conundrum-alperin
Edc2013 compliance conundrum-alperin
jowen_evansdata
Driving Value with Marketing Automation How-To Guide
Driving Value with Marketing Automation How-To Guide
Demand Metric
managed-services-buying-guide
managed-services-buying-guide
Marie Peters
Why Your Customer HealthScore is Useless and How to Overcome It
Why Your Customer HealthScore is Useless and How to Overcome It
Boaz S. Maor
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
justinklooster
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
Compliance Consultant
Agency Management Playbook
Agency Management Playbook
Demand Metric
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docx
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docx
JASS44
Functions of performance appraisal
Functions of performance appraisal
bushmiller440
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
jewisonantone
5RecruitingKPIs_020816
5RecruitingKPIs_020816
Lauren Ryan
Principles of effective software quality management
Principles of effective software quality management
Neeraj Tripathi
Building The Case For Supplier Relationship Management
Building The Case For Supplier Relationship Management
Source One Management Services
VereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
VereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
Sharon Oatway
Risk Management Services.pdf
Risk Management Services.pdf
hasan752746
Semelhante a Effective Assessment of Vendors Risk Management
(20)
Benchmarking Basic.pdf
Benchmarking Basic.pdf
Risk Management Software Implementation Guide eBook
Risk Management Software Implementation Guide eBook
Six steps to revenue boosting lead generation programs
Six steps to revenue boosting lead generation programs
5 steps for better risk assessment
5 steps for better risk assessment
Jon alperin 2013
Jon alperin 2013
Edc2013 compliance conundrum-alperin
Edc2013 compliance conundrum-alperin
Driving Value with Marketing Automation How-To Guide
Driving Value with Marketing Automation How-To Guide
managed-services-buying-guide
managed-services-buying-guide
Why Your Customer HealthScore is Useless and How to Overcome It
Why Your Customer HealthScore is Useless and How to Overcome It
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
Agency Management Playbook
Agency Management Playbook
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docx
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docx
Functions of performance appraisal
Functions of performance appraisal
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
5RecruitingKPIs_020816
5RecruitingKPIs_020816
Principles of effective software quality management
Principles of effective software quality management
Building The Case For Supplier Relationship Management
Building The Case For Supplier Relationship Management
VereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
VereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
Risk Management Services.pdf
Risk Management Services.pdf
Último
YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.
JasonViviers2
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?
sonikadigital1
Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...
PrithaVashisht1
Mapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptx
Venkatasubramani13
MEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .ppt
aigil2
ChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics Infrastructure
sonikadigital1
CI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual intervention
ajayrajaganeshkayala
Virtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product Introduction
sanjaymuralee1
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayer
Pavel Šabatka
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Guido X Jansen
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024
Becky Burwell
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Aggregage
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
DwiAyuSitiHartinah
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023
Vladislav Solodkiy
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices
DataArchiva
AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)
Data & Analytics Magazin
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - Presentation
Giorgio Carbone
Último
(17)
YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?
Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...
Mapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptx
MEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .ppt
ChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics Infrastructure
CI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual intervention
Virtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product Introduction
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayer
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices
AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - Presentation
Effective Assessment of Vendors Risk Management
1.
HEADQUARTERS 33 Bradford Street Concord,
MA 01742 PHONE: 978-451-7655 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com BUILDING BETTER VENDOR RISK ASSESSMENTS INCREASING THE QUALITY & EFFICIENCY OFYOUR VENDOR RISK PROGRAM
2.
© 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com 1 BUILDING BETTER ASSESSMENTS This white paper is the fourth in a series about creating an effective vendor risk man- agement program. Previous installments include: • Part I: Four Keys to Creating a Vendor Risk Management Program that Works • Part II: Identifying Vendor Risk: The Critical First Step in Creating an Effective Vendor Risk Management Program • Part III: The Vendor Manager’s Guide to Risk Reduction INTRODUCTION Creating an enterprise-wide vendor risk management (VRM) program from scratch is a challenge that daunts many risk management professionals. If you’re lucky, you get to start with an accurate list of vendors and strong executive sponsorship. More than likely, however, you will start with an outdated list of vendors and will have to build a business case for funding the program. Either way, staring at blank pages that have to become the policies, processes, procedures, and standards for your VRM program can be overwhelming. Empowered with the executive sponsorship and the funding to make a go of it, in the first year of your VRM program you’ll likely: • Inventory and categorize your vendors to understand the risks inherent with your vendor portfolio • Develop and communicate expected controls standards for your vendors • Develop methods of assessment (commonly questionnaire-based) to assess vendors’ controls • Assess your critical vendors • Manage the remediation of any issues identified during the assessments
3.
2 © 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com This can be a lot of work but, with diligence and focus, it’s completely achievable. After that first year, you should have some knowledge of what worked well with your process, and what didn’t. At this point you can put your assessment meth- odology into a continuous improvement cycle. You will want to reevaluate what you are doing and consider how you can im- prove the process in order to gain an even better understanding of your vendors and the risks they might pose to your business. A regular review of your assess- ment process also provides the opportunity to incorporate any new regulatory expectations into your vendor assessments. How do you build better assessments as your VRM program matures? To im- prove your VRM program, you should evaluate these four elements: • Quality—How did you perform against your objectives during the previous year? How can you improve the consistency of your program and other aspects of what you’re already doing? What are the lessons learned? • Alignment—Is your VRM program aligned with your business and its regulatory requirements? Have you taken into consideration changes in your business and new regulatory guidance? • Veracity—Are you testing controls in a way that makes sense and is efficient? Are you sufficiently testing where the control execution risk lies? Or, are you burning cycles with ineffective or unnecessary test- ing? • Efficiency—When assessing the above three areas, it's easy to fall prey to scope creep. Are you doing what’s required to keep the program within your resource constraints while maximizing the usefulness of those resources?
4.
© 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com 3 By addressing these areas, you can develop a more thorough and effective as- sessment process. QUALITY: RESOURCE ALLOCATION, EFFECTIVE COMMUNICATION, REPRODUCIBILITY, AND THE CASE FOR CENTRALIZED MANAGEMENT Whether you’ve just finished running your VRM program for the first year or the fifth, it’s time to look back and reflect on what could have been better. One of the more difficult things to do, particularly in the first year, is match the scope of your assessment methodology to your available resources. There are two funda- mental questions you should ask yourself: • “Were we able to assess all of the vendors we wanted to assess?” • “Were we able to manage the remediation of all of the issues identified by those assessments?” If you were too ambitious, your answer to one or both of these questions may be, “no.” It can be easy to get bogged down as you work to help vendors un- derstand the initiative, wait for responses, and clarify your questions. Assessing fewer vendors than intended isn’t really all that bad; it’s a normal growing pain. But, it does help identify where you might need to be more efficient: can you clarify your communications with your vendors, can you better train your asses- sors, should you do fewer site visits, or should you re-visit vendor criticality and prioritization? As we discussed in detail in The Vendor Manager’s Guide to Risk Reduction [download], the real danger can be under-resourcing your remediation manage- ment. If you don’t work with your vendors to resolve the issues identified during their assessments, the very investment in those assessments is marginalized.
5.
4 © 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com You may actually reduce more risk by attempting fewer or smaller assessments and ensuring that the issues identified are resolved. Remember – your goal is to reduce risk. Balancing vendor coverage, assessment scope, and remediation management to resolve the most and highest risk issues is what matters. Once you’ve looked at the alignment between the scope of your program and your resources, the next question you should ask yourself is, “Does my assess- ment methodology effectively address the risks I intend for it to address?” In other words, do my vendors understand the questions I’m asking AND do their responses make sense? Take a moment and look at the places where you’ve asked a question but consistently gotten answers on a different topic. For ex- ample: “What wireless security features do you use?” Without a doubt, the author of this question knows exactly what they’re asking. But, does the respondent? Is this a question about wireless computer networks or mobile telephones? Regardless of how carefully you develop your question- naire, you’ll invariably have a few questions that are ambiguous or confusing. Paying attention to the responses you receive throughout the year will help you identify and improve these questions. Getting well-aligned, clean responses to your questionnaire will improve not only the accuracy of your results but your efficiency as well.
6.
© 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com 5 Similarly, if you’re rating your vendors or scoring their responses, do those scores make sense? As you look at the risk ratings assigned to issues identified, do the high risk find- ings truly pose more risk than the medium risk findings? This may seem inconsequential but if your goal is to reduce the most risk with the resources you have and if your meth- odology calls for prioritization based on these scores, then getting this right is critical to the overall effectiveness of your program. Once you’re happy with your assessments on an individual basis, the next question to ask is, “Am I consistent from assessment to assessment?” Inconsistent results can be an indication that your VRM program needs tighter processes and procedures. In addition, it can also mean that your assessment team, which will inherently include profession- als with different backgrounds and levels of experience, may need more orientation or training on the program. Driving toward consistency is key because it assures a minimum standard for the assessment work and gives you a baseline for program improvement. These, in turn, give you the ability to reliably compare and contrast vendors. VRM programs often begin within existing centers-of-excellence within an organization. For example, it is common for information security departments to develop third party information risk assessment methodologies. However, it is not always a natural fit once the VRM program is fully operationalized. By transferring the responsibility for third-par- ty risk assessments to a group such as the procurement department or a vendor manage- ment department, the VRM program can be more tightly aligned with other activities central to the management of vendor relationships - such as managing service level agreements (SLAs), insurance and bonding, and invoice accuracy. This type of centraliza- tion often brings VRM out of disparate business units into a centralized function which, in turn, reduces overlapping efforts and improves consistency. You can also use process automation tools to boost the quality of your assessments. Clear management reports and well-designed workflow systems are essential for ensur- 1. If your VRM program includes scoring models for vendor criticality, inherent risk, and issue severity, as it should, you’ll want to appropriately validate these models, particularly when rolling up this information for enterprise-wide reporting.
7.
6 © 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com ing consistent, reproducible results across assessments. Furthermore, auto- mated vendor risk management tools can generate the reports necessary for management to monitor the VRM program, to enable accountability to business constituents and auditors, and for model risk management activities.1 More importantly, your VRM solution can give risk managers a clear picture of the third-party risk to your organization and track open issues. ALIGNMENT: TAILOR YOUR VENDOR ASSESSMENTS TO YOUR BUSINESS NEEDS Business needs can change over time. In a first-year VRM program, the goal is usually just to get some number of assessments done in order to determine where you stand with your vendors and find and remove some risk along the way. These initial assessments tend to fall into one of three groups: • Ad-hoc – where you don’t have formal criteria of any kind • Standards-based – for example basing an information security assess- ment on ISO 27002 • Extended enterprise – where you attempt to compare your vendors to your own internal standards None of these approaches is ideal but, of the three, standards-based assess- ments and the extended enterprise assessments are preferred. From there the questions you should ask are: • Do the standards I’ve chosen match the needs of my particular busi- ness? • Which of my internal controls also apply to my vendors? • Does the scope of the assessment capture the regulatory requirements applicable to my vendors? • Have I addressed the areas of risk unique to my vendor relationships?
8.
© 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com 7 This is, in essence, a requirements review and a gap analysis between those requirements and your assessment program. When in doubt, use industry standards as a starting point; they help make sure you don’t forget the fundamentals. For information security, ISO 27002 with its 114 controls is an excellent start. Other standards provide equally sound starting points for the industries and risks they address. If you haven’t already done so, build your assessment question- naires and methodologies from these materials. Next, tackle your regulatory obligations. These are the must-dos of your industry so you should address them up front. Map the questions in your assessment to what your regulations expect from your vendors. If you’re a financial services firm subject to GLBA, you’ll want to refer to the FFIEC handbook, OCC guidance, and similar publications. If you’re in healthcare, you’ll want to refer to the HIPAA Security Standards Matrix.2 Re- gardless of your particular regulatory burden, the concept is simple. Make sure you know how your questionnaire and assessment address the regulatory obligations and, if any regulatory obligations aren’t addressed, extend your assessment and ask those questions of your vendors too. It is important to consider the difference between how you should approach assessments and how you should approach compliance. The assessment is how you collect informa- tion from your vendors and form opinions about that information. With your assessment completed, you can evaluate your state of compliance by using the relationship between your assessment materials and your regulatory requirements as a framework for evaluat- ing the regulatory implications of your findings. Starting with regulations and going the other way is impractical because regulations are narrowly scoped and not intended as frameworks for building security programs or any other kind of program for that matter. 2. Appendix A to Subpart C of Part 164 of the US CFR
9.
8 © 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com Once your regulatory requirements are addressed, you can use your discretion to make sure your vendor assessment program meets your particular risk manage- ment needs. What’s changed about your business that may impact what you expect from your vendors? Do you have any risks that aren’t addressed by your regulations-enhanced, standards-based methodology? Are there any hot top- ics within your organization that you want to make sure you address with your vendors? If any of this is missing, now is the time to add it. This is not to say that you want to assess your vendors in the same way that you do your own internal controls assessment. In fact, much of what you do internally may not be appli- cable to outside organizations, no matter how critical those organizations may be to your business. Instead, only borrow from your internal risk management programs those things that truly apply to your vendors. After reviewing and incorporating so much content to the scope of your assess- ment, now is the time to consider which information to cut in order to make your assessment more concise. If there are any questions in your assessment that don’t directly relate to a regulatory or business requirement, you should drop them. They may be good ideas, but if they don’t apply to your vendors or the work they do for you, answering them only adds time and unnecessary expense. Now look at what you have left. Do you have the resources to manage such an assessment? If not, cut some more. Cut the questions that map to low impact risks. Cut the questions that go deeper into the details than is really required. If necessary review these decisions with your regulators. What you have left should meet your business and regulatory needs while focusing your resources on the areas of highest risk. And, because you’ve conducted a proper require- ments analysis along the way (and documented the tough decisions you’ve had to make) you can defend your methodology against critics and make educated adjustments in the future.
10.
© 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com 9 VERACITY: SAMPLE CONTROLS THAT AFFECTYOUR CORE BUSINESS You’ve sent your questionnaire to a vendor and they’ve replied, “Yes, we do these things.” This sounds good but, how do you know? This is where the sampling of evidence comes in. If you’re like most organizations, you ask for copies of policies and other things that are supposed to provide the proof. Policy conveys the intent of management, but it doesn’t guarantee a vendor is actually following the policy and doing the work. Receiv- ing policy documents as evidence is certainly one kind of sampling – but it only samples whether the vendor has a policy. If, instead, you want to know if the vendor actually per- forms the controls required by those policies, you have to sample evidence of the actual control performance, for example screen shots showing antivirus software enabled and running is more convincing than a copy of an antivirus policy. Since it can be prohibitive- ly expensive to sample all of a vendor's controls, you should sample only those controls that matter the most to your business. For example, if you are concerned about data security, you can test small statistical sam- ples on controls such as system hardening, patching, application security, and antivirus protection, in order to verify that these actions are really being performed as required by policy. Correctly testing a small number of key controls provides a much better indication of managed risk than a comprehensive analysis of a vendor's policies. Another method to improve veracity is to accept your vendor’s own testing. Before a vendor solicits your business, you would like it to have its own house in order. You want to know that a vendor has hired an auditor or assessor to conduct an appropriately scoped and aligned audit of its own business so that its management team can assert that the company is operating properly (and controlling its own risk).
11.
10 © 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com Beyond proof of an engaged management team, where vendors have done an audit, you may be able to leverage the information in the audit report to accelerate your vendor assessment. Consider that IT service providers typically have their own operations assessed by independent auditors, who generate a Service Organization Controls (SOC) report. SOC reports are specifically designed to help service orga- nizations—organizations that operate information systems and provide that service to other entities—build trust and confidence in their service delivery processes and controls. SOC reports cover core aspects of the vendor’s business, such as poli- cies, access controls, backups, and change management. Therefore, if you trust the opinion of the auditor, you don’t need to test those controls directly. A word of caution: Make sure you understand the scope of the outside assess- ment you are relying on, as the audit may not align with your needs. There are two modes of scope: content and assets. In terms of content, ask if the independent assessment covers your topic of interest. For example, your vendor may present a clean Sarbanes-Oxley (SOX) audit opinion in which the report includes extensive IT controls testing. But, because SOX is focused on financial controls rather than on services provided to clients, you have no guarantee that the same controls apply to the work being done for you. Sampling actual control performance is the only way to know the difference be- tween a vendor’s intent and their actual ability to address risk. However, sampling is expensive. These expenses can be kept in check by limiting sampling to key controls in areas where incidents are most likely, by limiting the size of the sample itself, and by relying on the results of audits and assessments conducted of a ven- dor by independent third parties that you trust.
12.
© 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com 11 For a vendor to lie when completing a questionnaire is actually rare. For a vendor to identify a gap they didn’t know they had until you asked them to provide an example in a screen shot is, unfortunately, all too common. The good news is that sampling finds these gaps. EFFICIENCY: DO MORE WITH YOUR RESOURCES So far, we’ve discussed optimization and efficiency in terms of: • Prioritizing on high inherent risk vendors; • Balancing resource allocation between assessment and remediation phases; • Using quality and consistency improvements to speed assessments and enable continuous improvement efforts; • Streamlining assessment scope and content while meeting business and regula- tory requirements; • Focusing sampling efforts on the riskiest control areas and using effective sam- pling to identify risk; • And, reusing the work of independent third parties such as SOC audits. Your organization can continue to drive efficiency by looking for controls where your vendors, as a group, are consistently successful versus areas where successful risk man- agement is more challenging. Where your vendors are consistently successful, you may be able to cut the content from your questionnaire. When Denial of Service attacks first emerged, a common and successful countermeasure was to tune kernel parameters on Web servers to accept a larger number of connections and discard them more quickly when unused. For a time, it was critical to ask Web hosting vendors about this configu- ration detail. Within a few years, these re-tuned kernel parameters had become the default setting for operating systems, set directly by their publishers. As a result, this vul- nerability is now rare. There’s no reason to ask questions about these kernel parameters
13.
12 © 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com any more. In contrast, it’s likely that your vendors have wildly different practices around managing mobile devices. Such areas, where views on industry best prac- tices can themselves be inconsistent, deserve increased focus and discussion. You can save time and money by concentrating your assessments on these more troublesome areas. Deduplication of effort is also a critical technique for assessment program optimi- zation. It’s as simple to understand as it is to overlook. If you ask the same ques- tion twice in your questionnaire or have multiple business units using the same vendor. You may have an opportunity to optimize. As mentioned above, automation tools can help you standardize your assessments and be much more efficient in your processes. Many companies use spreadsheets to maintain their vendor questionnaires, which work fine up to a point. However, if you need to assess more than a handful of vendors, a purpose-built VRM solution will increase your efficiency and effectiveness. Not only will software speed tasks such as communicating with vendors and securely exchanging information but also, software-based vendor risk management solutions will help: • Consistently identify high risk vendors • Accelerate reporting to management and regulators • Provide for easy tracking of program progress and issues remediation • Streamline portfolio-wide vendor risk reporting • And facilitate the analysis needed for continuous improvement efforts
14.
© 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com 13 CONCLUSION What makes a vendor assessment “better?” We can look at the crispness of a question- naire, our ability to assess more vendors faster, or the degree of satisfaction of our regu- lators. But, the real answer is, a vendor assessment program is “better” any time we can identify and eliminate more risk. That our budgets and other resources are finite adds efficiency as a necessary variable to the equation. Improving the quality and consistency of your assessment materials and methodology helps improve your VRM program by increasing the accuracy of the information you collect about your vendors, by balancing resources between assessment and remedia- tion cycles, and by providing the basis for continuous improvement exercises. Improving alignment with business and regulatory requirements helps ensure that the assessments have the appropriate scope of content and are risk-aligned to your available resources. Improving veracity by sampling control execution helps identify easily resolved risks that might otherwise go unnoticed. And, throughout all of these opportunities to improve a VRM program we overlay efficiency. Not necessarily the efficiency of assessing more vendors or the efficiency of testing more controls but the efficiency of resolving more risk.
15.
14 © 2014 ProcessUnity,
Inc. All Rights Reserved | www.processunity.com PROCESSUNITY & VENDOR RISK MANAGEMENT ProcessUnity is a leading provider of cloud-based applications for risk management and service delivery management. The company’s software-as-a-service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s cloud-based Vendor Risk Management solution helps companies ef- fectively identify and mitigate risks posed by third-party service providers in critical risk areas such as information security, service delivery, supply chain processing, financial processing, reputation, and regulatory compliance. ProcessUnity provides organizations with clear visibility into the business impact of third-party risk via direct links from vendors and their services to specific business elements such as processes and lines of business. Powerful assessment tools enable evaluation of vendor performance based on customer-defined criteria through automated, questionnaire-based self-assessments as well as through detailed audits of vendor controls. Flexible reports and dashboards enable ongoing monitoring of vendor rat- ings, assessment progress, and status of remediation activity. Learn more at www. processunity.com.
16.
ABOUT PROCESS UNITY ProcessUnity
is a leading provider of cloud-based applications for risk management and service delivery management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. For public companies and regulated industries, ProcessUnity Risk Suite delivers effective governance and control, vendor risk mitigation, and regulatory compliance. For benefit plan administrators and other financial service firms, ProcessUnity Service Delivery Risk Management (SDRM) controls complex product offerings and strengthens client service experience. ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. The company is headquartered outside Boston, Massachusetts and is funded by Rose Park Advisors and other private investors. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
Baixar agora