A Look Inside SecurityStudio's Vendor Risk Management Tool
Some people enjoy torturing themselves with manual processes. For the rest of us, Loffler offers solutions to automate tedious, repetitive tasks.
One way we do that is by helping prevent vendor-related security incidents.
Today we’re looking at a vendor risk management tool that helps to automate the process.
You can read all about what vendor risk management is, and how to do it here. This post is dedicated to the tool SecurityStudio has designed to handle vendor risk management for you. This is just one of many cybersecurity solutions you can outsource to an MSP.
Taking an Inventory
The first step to vendor risk management is to make a list of your vendors and their basic business details. Where do you put that inventory once you get it? Into SecurityStudio's vendor risk management tool, which we'll call the S2Vendor tool going forward.
The Vendor Profile is where you record your vendor name, business unit, industry, service tags, their basic relationship with your organization (service, software, hardware, other) and their address. Most of this information is probably in your accounts payable system already. Add vendors one-by-one to build that inventory.
Setting up a vendor profile in the S2Vendor tool
Getting all of your vendors into the system right away is a difficult hill to climb. Evan Francen, the Founder and CEO of SecurityStudio, recommends starting with one or two vendors to get the process worked out, and then entering the rest in bulk. When you're ready, you can certainly import all of them, provided you can export them from your accounting system.
The S2Vendor tool's Import Process screen
The S2Vendor tool is designed to keep vendor risk management simple. After you click the Go to Evaluation button on the Vendor Profile, you can classify your vendor.
Begin by clicking the Go to Evaluation button.
You have customization options (not pictured), but most users choose the default workflow. The classification in the default workflow is fewer than 10 questions. These cover how you are using the vendor and whether they have physical access to your organization and/or access to your systems. Once you're done, you click Submit.
Classifying a vendor
Within the S2Vendor tool, you have the ability to assign the work of classifying vendors to whoever owns the vendor relationship.
Once the classification is complete, you'll see a rating, which you have the option of confirming. A low-impact vendor goes back into the queue, so that in a year (this timeframe is customizable) the system will have you classify them again. This is done to account for any changes in the vendor relationship. Medium and high-impact vendors move on to a risk assessment.
For the assessment, the vendor receives an email invitation informing them that you're doing an assessment, with a link to the platform where they create an account. It's not like a phishing email that asks you to log in from the email itself; the vendor is creating a new account.
They then receive a disclaimer. This disclaimer is important because they're agreeing to provide you true and accurate information. There is nothing you can do to stop a vendor from lying to you, but if they agree to the disclaimer, which they must in order to go forward, liability is more likely to fall on them. One of the things we don't want is to have to chase down third-party vendors after a security incident, arguing over whether they said this or that. The disclaimer agreement takes that out of the process.
SecurityStudio designed the S2Vendor tool to make the vendor experience as smooth as possible. There is often tension when you send a third-party vendor a request for information and they see it will take them an hour or two to fill out a questionnaire. If they've already done an assessment through the S2Vendor platform, they can copy their old assessment (assuming it's still current).
If the vendor doesn't have an existing assessment, or they choose not to copy the assessment, then they go on to the assessment. The assessment itself is a series of yes and no questions.
The S2Vendor Assessment
If your vendors are doing what they’re supposed to be doing to keep themselves secure, they should have the answers to the assessment ready or at least easily accessible. When you look at the time it takes to answer a yes/no question, the assessment shouldn't take too long.
The questionnaire is simple, available online, and vendors can stop and start. They can also assign questions to other people, so if the person filling it out doesn't know an answer, someone else can supply it. At the end of it all, this is what it looks like:
S2Vendor assessment results
Scoring is important in vendor risk management because it allows you to set thresholds. You can say that any vendor who scores higher than, say, 660 can be accepted, and anybody below that must go through remediation. Setting thresholds takes a lot of the decision making out of the process.
We also wanted to provide value to the vendor, so if they do this assessment, they can use it to make their security program better. There are four categories in every SecurityStudio assessment: administrative, physical and technical controls. Based on these controls, the assessment tells you how big a security risk the vendor is. The vendor can download reports based on their answers to build a better security program. Every one of the assessment items has a recommendation associated with it, so it will tell you what's not working and how to make it better.
It's important to note that the score is self-assessed. The S2Vendor tool does have options for getting the assessment validated. Most organizations facing regulatory requirements will choose to have third-party validation.
Now a decision needs to be made. Either accept the vendor as-is, or reject them until they improve.
Options to Accept, Remediate or Reject
Considering the example assessment above with a score of 709, it's easier to point to a standard practice that vendors must score 660 or higher, so the process backs you up. Any vendors scoring lower than that would be asked to remediate their security approach.
If you accept the vendor, you can optionally put a reason why you accepted the vendor and then click Confirm. If you accept the vendor, you’re done.
Accepting a vendor
If they need to remediate, you click the Get Started button. Let's say there were 28 tasks you could select for remediation. You choose which tasks you want them to remediate, and assign the tasks. The vendor then receives an email saying what they need to remediate. They can confirm the steps they’ve taken toward remediation in the S2Vendor tool, and you can even ask for evidence directly within the tool.
The remediation screen
At the end of the remediation, you again have the option to accept or reject. If you reject the vendor, you can enter notes on why you rejected them. Once you click Confirm, you're done.
Final Accept/Reject screen following remediation
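As an added illustration (not SecurityStudio's code or the S2Vendor tool's logic), the decision flow described above can be written down as an explicit policy: classification answers give an impact tier, low-impact vendors are re-queued for yearly reclassification, and assessed vendors are accepted or sent to remediation against the 660 threshold from the example. The tiering rule, the yearly interval and the sample vendors are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACCEPT_THRESHOLD = 660        # threshold used in the post's example policy
RECLASSIFY_AFTER_DAYS = 365   # low-impact vendors are reclassified yearly (customizable)


@dataclass
class Vendor:
    name: str
    physical_access: bool            # classification answer: physical access to your org?
    system_access: bool              # classification answer: access to your systems?
    assessment_score: Optional[int] = None  # None until the vendor completes the assessment
    validated: bool = False          # score is self-assessed unless third-party validated


def classify(v: Vendor) -> str:
    """Hypothetical impact tiering derived from the two access questions."""
    if v.physical_access and v.system_access:
        return "high"
    if v.physical_access or v.system_access:
        return "medium"
    return "low"


def triage(v: Vendor, today: date, threshold: int = ACCEPT_THRESHOLD) -> dict:
    """Decide the next step for one vendor; mirrors the queue/assess/accept/remediate flow."""
    tier = classify(v)
    if tier == "low":
        # Low impact: no assessment, but put the vendor back in the queue for re-review.
        return {"tier": tier, "action": "requeue",
                "next_review": today + timedelta(days=RECLASSIFY_AFTER_DAYS)}
    if v.assessment_score is None:
        return {"tier": tier, "action": "await_assessment"}
    action = "accept" if v.assessment_score >= threshold else "remediate"
    # Flag self-assessed scores so a reviewer knows validation was not performed.
    return {"tier": tier, "action": action, "self_assessed": not v.validated}


def demo(today: date = date(2025, 1, 1)) -> dict:
    """Constructed sample vendors run through the policy; returns decisions by name."""
    vendors = [
        Vendor("Acme Print Supply", False, False),
        Vendor("Cloud Backup Co", False, True, assessment_score=709),
        Vendor("Facilities Contractor", True, True, assessment_score=640),
        Vendor("New SaaS Vendor", False, True),
    ]
    return {v.name: triage(v, today) for v in vendors}
```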
Vendor risk management with SecurityStudio's S2Vendor tool is as simple as you can make it without taking shortcuts.
SecurityStudio has an ROI calculator available to show there is a positive ROI in using automation in your vendor risk management tool.
If you'd like to learn more, we have a webinar hosted by SecurityStudio's Evan Francen, all about vendor risk management, how to do it with or without automation, and how the S2Vendor tool works.
Loffler Companies is the largest privately owned business technology and services organization in the Upper Midwest. We are dedicated to providing innovative solutions and managed services to drive business for organizations of all sizes. Our offerings include IT Professional and Managed Services, Multi-Functional Copiers and Printers, Managed Print Services, Unified Communications, Software and Workflow Technologies, and Onsite People-Based Services.