Info-Tech Research Group has officially published the results of its latest report, which claims that traditional vendor security assessments are no longer up to the task.
According to the report, some assessments are so burdensome that vendors refuse to bid, or business units simply find ways to bypass the process altogether. In doing so, they leave organizations exposed to significant risk.
Against that backdrop, Info-Tech Research’s Build a Vendor Security Assessment Service report outlines a practical, risk-based approach that lets IT leaders focus on what matters most. The approach tailors assessments to actual business risk, enabling organizations to streamline processes, enhance compliance, safeguard sensitive data, and make more informed decisions at every touchpoint.
Info-Tech’s blueprint calls for a departure from one-off assessments in favour of a continuous process that combines initial risk evaluations, risk treatment through well-defined contractual terms, ongoing monitoring, and regular reassessments. Such a mechanism ensures that due diligence continues in full force even after a vendor is selected.
Looked at in slightly more depth, the company’s blueprint follows a three-phase approach.
The first phase is to define governance and process. Here, organizations must identify requirements, define roles, develop policies, and establish risk treatment strategies that align with the organization’s risk tolerance.
The next step is to develop a comprehensive assessment methodology, which means designing tools for assessing service and vendor risk. Companies can fulfil this step by building more effective, risk-based questionnaires and avoiding common pitfalls such as overly broad, purely informational, or excessively long surveys.
The third and final phase covers implementing and monitoring processes, where a continuous feedback loop is used to tailor security requirements across contracts and periodic reassessments.
Beyond that, Info-Tech also offers a framework to actually implement its overarching blueprint.
This framework considers service risk to determine the potential impact of a vendor-related security incident, and it does so by evaluating the assets at risk and the associated recovery costs.
Alongside that, it takes into account vendor-related risk, where the focus is on assessing the likelihood of an incident occurring. The extent of due diligence here will be determined by the potential service impact.
The third risk archetype is composite risk, calculated by multiplying service risk by vendor risk. The composite score is recorded in a risk register or vendor inventory.
Info-Tech Research’s framework also covers risk treatment, using a matrix to accept, mitigate, or reject each risk based on the organization’s risk tolerance.
Similarly, it explains how to document assessment outcomes in the vendor inventory, with reassessment frequency guided by the composite risk level.
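To make the service-risk × vendor-risk model concrete, here is an added example (not a tool from Info-Tech or its report) that scores a handful of constructed vendor assessments, applies a treatment decision from the organization’s tolerance, sets a reassessment cadence from the composite score, and produces a risk-register view. The 1–5 scales, the accept/reject thresholds and the reassessment intervals are all assumed for illustration; the report does not publish its own values, so an organization would substitute the ones its risk tolerance dictates.

```python
from dataclasses import dataclass
from enum import Enum


class Treatment(str, Enum):
    ACCEPT = "accept"      # within tolerance: no additional controls required
    MITIGATE = "mitigate"  # proceed, but treat the risk through contractual terms and monitoring
    REJECT = "reject"      # above the organization's tolerance: do not engage


# Assumed 1-5 ordinal scales for both inputs (illustrative, not the report's scales).
SCALE_MIN, SCALE_MAX = 1, 5


def _check_scale(name: str, value: int) -> None:
    """Reject out-of-range or non-integer scores before they reach the register."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in [{SCALE_MIN}, {SCALE_MAX}], got {value!r}")


def composite_risk(service_risk: int, vendor_risk: int) -> int:
    """Composite risk = service risk (impact) x vendor risk (likelihood); range 1..25."""
    _check_scale("service_risk", service_risk)
    _check_scale("vendor_risk", vendor_risk)
    return service_risk * vendor_risk


def treatment_for(composite: int, accept_up_to: int, reject_above: int) -> Treatment:
    """Treatment matrix collapsed to two assumed thresholds drawn from risk tolerance."""
    if accept_up_to >= reject_above:
        raise ValueError("accept_up_to must be below reject_above")
    if composite <= accept_up_to:
        return Treatment.ACCEPT
    if composite > reject_above:
        return Treatment.REJECT
    return Treatment.MITIGATE


def reassessment_months(composite: int) -> int:
    """Reassessment cadence driven by composite risk (assumed bands)."""
    if composite <= 5:
        return 24
    if composite <= 12:
        return 12
    return 6


@dataclass(frozen=True)
class RegisterEntry:
    vendor: str
    service: str
    service_risk: int
    vendor_risk: int
    composite: int
    treatment: Treatment
    reassess_months: int


def build_register(assessments, accept_up_to: int = 6, reject_above: int = 16):
    """Score each (vendor, service, service_risk, vendor_risk) tuple; highest composite first."""
    entries = []
    for vendor, service, s_risk, v_risk in assessments:
        comp = composite_risk(s_risk, v_risk)
        entries.append(RegisterEntry(vendor, service, s_risk, v_risk, comp,
                                     treatment_for(comp, accept_up_to, reject_above),
                                     reassessment_months(comp)))
    return sorted(entries, key=lambda e: e.composite, reverse=True)


# Constructed sample assessments with hypothetical vendor names, not data from the report.
SAMPLE_ASSESSMENTS = [
    ("ExampleCloudCo", "payroll SaaS holding employee PII", 5, 2),
    ("ExampleCaterers", "office catering portal", 1, 4),
    ("ExampleBackupInc", "offsite backup of production database", 5, 4),
    ("ExampleAnalytics", "marketing analytics on anonymised data", 2, 3),
]

if __name__ == "__main__":
    for e in build_register(SAMPLE_ASSESSMENTS):
        print(f"{e.vendor:<18} composite={e.composite:>2} "
              f"treatment={e.treatment.value:<8} reassess every {e.reassess_months} months")
```

Separating the two inputs is the point of the model: a low-impact service from a poorly assessed vendor (ExampleCaterers) lands in "accept", while a high-impact service from a vendor with a middling likelihood score (ExampleCloudCo) is mitigated through contract terms and reassessed yearly rather than rejected outright.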
Founded almost 30 years ago, Info-Tech Research Group has built its reputation on unbiased, highly relevant research and advisory services that help leaders make strategic, timely, and well-informed decisions. The company currently serves more than 30,000 IT and HR professionals across the globe.
“Taking a risk-based approach helps organizations focus their assessments on what matters most, aligning security efforts with the type of service being evaluated and their own tolerance for potential threats,” said Ahmad Jowhar, research analyst at Info-Tech Research Group. “Furthermore, a process that fosters continuous improvement in the vendor security risk management program will enable monitoring and improvement, which will help identify further enhancements to the assessment.”