Vendor risk management checklist: Important elements to include

October 20, 2022
Businesses of all sizes depend on relationships with vendors and service providers to deliver value to their customers. Think about how you pay your employees, exchange messages, or arrange for deliveries. Each of these processes likely requires one or more tools plugging into your company data in order to get the job done. Because of the sheer number of third-party vendors being used, 73% of organizations have experienced a security incident.

When you fail to scrutinize new vendors before onboarding, you expose your business systems to new vulnerabilities — including data breaches. Establishing a third-party risk management program is key to ensuring that your network ecosystem is secured to protect your organization from cybersecurity threats.

How do you conduct vendor risk assessments?

Trust is essential to any relationship. Just like you need to trust your vendor to deliver high-quality goods, you also need assurance that they’re protecting their IT infrastructure from cybersecurity attacks. A vendor risk management program is a framework for screening new vendors to ensure they protect your company from online vulnerabilities.

Vendor risk assessments are processes organizations put in place to select and monitor third-party providers. They help your organization decide whether the benefits of a partnership with a new vendor outweigh its drawbacks. You want assurance that a third-party vendor has security controls that deter attacks which could lead to data breaches and other information security failures.

No organization wants to lose sensitive data (or worse — lose customers) because a vendor failed to protect its systems. A proper vendor risk assessment takes time, even with the best tools. However, the risks of rushing into a contract with a third party can quickly outweigh any benefits you think your company could gain by entering a quick partnership.

Here’s an overview of what you need to cover when conducting a vendor risk assessment:

  • The risks introduced by the vendor
  • The criteria you will use to judge vendor risk
  • Assessment of various vendor products and services
  • Establishing templates for assessing the risk of different vendor types

Risk typically falls into two categories. Inherent risk is the risk a vendor relationship carries before any controls are applied; residual risk is what remains after you've put controls in place to address known weaknesses. The problem for most organizations is ongoing enforcement, with 77% struggling to maintain a risk assessment process that operates at the level needed to protect their company.

What’s the difference between vendor risk assessments and due diligence?

A general risk assessment is a review your organization performs to determine what could go wrong when it conducts certain activities. For example, you may conduct a risk assessment before opening operations in a new country to understand the potential business impact of this decision. You weigh all potential impacts, including those on policies and procedures, to judge the overall effect a decision could have on your business environment.

Vendor risk assessments are more specific, looking at third-party considerations like:

  • Financial risks
  • Operational risks
  • Fraud and security risks
  • Legal and compliance risks
  • Environmental risks

Due diligence is a broader analysis focused on evaluating a vendor relationship's value and the threat it could pose to an organization. The information you collect through due diligence feeds directly into your other risk management processes. Below are the steps typically used during the due diligence process:

  1. Setting objectives
  2. Setting up a vendor due diligence program
  3. Gathering relevant information
  4. Reviewing and validating data
  5. Performing a risk assessment or updating a previous one
  6. Setting up an ongoing monitoring program

After performing due diligence, your firm should have all the information necessary to decide whether to support a partnership with a third-party vendor. Not performing due diligence can result in negative consequences.

How does a vendor risk management checklist help an organization with risk management?

By the time most companies have been operating for three years, they’ve worked with more than 100 software tools, looking for the right technology to support business operations. If you didn’t initially conduct a vendor assessment, or your team simply started a free trial of a product, you likely have many questions about the security operations of vendors — which never get answered.

Bad actors have keyed into how reliant many organizations have become on their vendor network, making those connections a pathway to organizational destruction. A report from Gartner notes that 80% of compliance leaders only discovered problems with vendors after the onboarding process. The sheer number of vendors most companies work with, even small and medium-sized businesses (SMBs), should make it obvious that the scope of this problem is massive.

How comfortable can you be with your current security if your company hasn’t done the legwork to conduct thorough vendor assessments and due diligence? Can you guarantee business continuity if you don’t clearly understand every vulnerability connected to your organization? More companies are opening their eyes to the reality of the risk presented by vendors.

Establishing a vendor risk assessment checklist ensures you get a complete view of the risks and benefits of working with a vendor. You won't miss the critical questions that can make the difference between your business surviving a data security incident and lacking the incident response and remediation policies that keep you from going under.

What’s the goal of a vendor risk management checklist?

Securing data takes time, energy, and organizational alignment, but it is the only way to ensure your company and customer data stays out of the hands of hackers. Adding more vendors means constantly inviting new people into your IT ecosystem. Because vendor risk management is multi-faceted, it may be hard for you to focus on what's essential to each vendor.

Third-party vendor checklists keep you focused on what’s essential in vetting a vendor. They guide you through performing risk assessments and identify any red flags that could harm your business operations.

Ongoing vendor risk management is key to ensuring your organization aligns with industry standards, complies with applicable laws like HIPAA, and keeps service providers honest regarding vendor security. Using automation to track your vendor risk management checklists streamlines many manual workflows during the vendor assessment process.

10 key items to include on a vendor risk management checklist

Adding the components below to your vendor risk management questionnaire helps get answers essential to protecting your vendor networks.

1) Company security practices

What security controls does your vendor have in place to prevent security incidents? You should understand their cybersecurity posture, including how often they conduct a security risk assessment, their incident response policies, and what they do to prevent the theft of sensitive information. Here are some questions to consider:

  • Does the vendor use access control (like RBAC)?
  • What is the vendor’s security rating (and does it meet your expectations/standards)?
  • Has the vendor provided an IT systems outline?

2) Cloud service configurations

You will not succeed in thwarting hackers targeting cloud infrastructure without proactive policies. Vendors should have a plan that ensures your cloud environment doesn’t contain any components that are out of compliance. Consider the following:

  • Do the vendor’s employees regularly participate in cybersecurity training?
  • Is the vendor willing to provide penetration test results?
  • Has the vendor invested in data protection and information security controls?

3) Physical data center location

Your vendor should have a way to back up information in more than one location. The physical data center should have protections to keep someone from breaking in and causing damage to the servers. Vendors should have a security plan in place for protecting these physical infrastructures. The following questions will shed light on how secure the vendor’s location is:

  • Is the vendor located near any high-risk facilities, like a chemical plant?
  • How prone is the vendor’s data center to devastating weather events?
  • Does the vendor have a plan for data recovery in the event of a power outage?

4) Potential security breaches

Interacting with vendors increases the threat surface available to hackers. Even if you enact proper security protections around your infrastructure, a website used by your vendor could have vulnerabilities that cyber thieves can exploit to eventually make their way into your organization’s systems. Ask your vendor about any websites, networks, or other technology used so you can properly assess the risk they present. Here are a few other considerations:

  • Does the vendor have privileged access management (PAM) policies in place?
  • Has the vendor faced security breaches in the past?
  • Who has access to data within the vendor’s business?

5) Incident response

Despite having security protections in place, vendors also need to have proper response plans prepared for when something inevitably goes wrong. You may want to ask the following to get a clearer picture of your vendor’s incident response:

  • Does the vendor have an incident response plan? If so, does it cover the measures they have in place to protect against security incidents, contain them, and recover from the effects of a data breach?
  • How does the vendor encrypt data?
  • What are the vendor’s practices surrounding information protection? (Note: Any lapses in the configuration of encryption processes could lead to the leaking of sensitive information.)

7) Certification

Look for vendor partners' documentation outlining how they control protected data access. They should have protocols that ensure vendor employees receive only information related to their job roles. Here’s what you should think about during your assessment:

  • Does the vendor have a SOC 2 attestation report?
  • Is the vendor ISO 27001 certified?
  • Is the vendor required to comply with any governmental regulations?

8) Password policies

Your vendor risk assessment checklist should include reviewing vendors’ password policies. All these questions should be answered to assess the risk presented by the vendor’s password policies:

  • How often does the vendor require employees to change their passwords?
  • What password length does the vendor require?
  • Are the vendor's password policies backed up by two-factor authentication (2FA)?

9) Spam and antivirus software

Anti-spam and antivirus software detect threats in your systems, files, and networks. Your vendor should be able to isolate, quarantine, and report on any malware found, so their organization can carry out its remediation policies. Ask the following:

  • Does the vendor employ any antivirus or malware protection? If so, is their vendor reputable and reliable?
  • Is the vendor’s antivirus software installed on every device that connects to their network?
  • Does the vendor continuously monitor controls to prevent the risk of cyber attacks?

10) Decommissioning practices

Once a vendor decides an old asset is no longer useful, there should be procedures outlining how to document and enact the removal of it from their network. The last thing you need is a vendor having neglected devices still attached to their systems, which hackers could use to make their way into your organization’s IT infrastructure. Here are a few questions to consider during your assessment:

  • What are the vendor’s decommissioning practices?
  • How does the vendor ensure that no protected information is left on their assets prior to disposal or resale?

How automation expedites this process

The best way for businesses to ensure they go through every element of a vendor risk questionnaire is to use automation technology. On the purchaser side, templates can help jumpstart things, as they save you from reinventing the wheel with every new vendor. On the customer side, vendor security management services like HyperComply can save businesses significant time and money.

HyperComply uses artificial intelligence (AI) technology to automatically populate risk assessment questions using our customer security knowledge base, accelerating the due diligence process exponentially.

Accelerate your vendor risk management with HyperComply

Protect your company from outside threats by investing in vendor risk management technology. Learn more about the benefits of automating your security questionnaires with our platform by setting up a demo.