Subscribe
Categories
< Back to Blog
The 3 Lifecycle Stages of Vendor Security Risk Management: Onboarding
Security Best Practices & Advice

The 3 Lifecycle Stages of Vendor Security Risk Management: Onboarding

By Michael Rasmussen Sep 10, 20196 min read

This is the first of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on steps to achieve a proper and friction-free onboarding process.

The Vendor Relationship: Stages in the Lifecycle

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected mess of relationships and connections that span traditional business boundaries. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees, but are third parties such as contractors, consultants, temporary workers, outsourcers, service providers, and vendors.

An organization can face disruption and disaster by establishing or maintaining the wrong business relationships. Third party security problems are the organizations problems that directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of security arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Today’s organization requires complete situational and holistic awareness of third party security and its connection to and impact on operations, processes, transactions, and data. It has become essential that organizations govern third party relationships throughout the lifecycle of the relationship:

  1. Onboarding
  2. Ongoing monitoring
  3. Offboarding

Today we will look at the first stage of onboarding a third party relationship, ensuring the organization is doing business with the right third parties as they are brought onboard before network connections are established and data shared.

Approaches to Onboarding

There are a variety of approaches to onboarding as part of your risk management plan. Some organizations bring third parties onboard with minimal inquiry and affirmation of security, but want to have red flags raised if issues of security arise during the relationship. Other organizations provide more structured due diligence during the onboarding process to ensure that security is addressed before the relationship becomes active. What is critical across this dichotomy is the need for agility. The organization needs to be agile in getting relationships established and not slow the business down.

Obviously, the stronger approach is in the organizations that look to more structured due diligence practices for security to ensure that third parties have security in place before the relationship is established and connected to data and systems. This approach of onboarding needs to be agile or the business will end up working around security and potentially expose the organization.

Four Steps to Onboarding

The onboarding process in a vendor risk management plan involves these fundamental steps:

  1. Purpose & identification. This is where the organization identifies a new third party or existing third party to contract with for new business purposes. Third party identification will detail the purpose of the relationship and include initial definition of performance, risk, security, and compliance requirements and concerns in the relationship. It is critical here to understand the nature of the proposed relationship and the type of connectivity to the organization and data that will be shared. This will scope the level of due diligence needed in the other steps of onboarding.
  2. Qualification & security screening. Once a third party has been selected, the next step is the qualification and screening process to validate that the third party meets the security requirements of the relationship and does not introduce unwarranted risk and compliance exposure. The screening process will go through security evaluation steps to ensure that the third party is addressing security. This includes how the third party manages security externally (Internet facing) as well as internally (internal security policy, controls, and processes). Relationships, particularly high risk ones, are to be evaluated against defined criteria to determine if the relationship should be established or avoided.
  3. Contracting & negotiation. Upon passing initial qualification and security screening, the next step is to finalize the contracts and the formation of the relationship. Organizations should be explicitly in clear in contract on how security and disposition of data and connections are to be maintained and secured throughout the lifecycle of the relationship. Rights to scan the perimeter as well as audit/inspect security policies, controls, and processes should be a fundamental piece of any contract that involves network connectivity and/or shared data.
  4. Registration & final onboarding. When contracting and negotiation processes are complete the organization moves into registration and final onboarding. The registration process technically started in the qualification and screening phase to gather information but concludes with setting up the third party in the system with master data records, financial and payment information, contact information, insurance, and licensing documentation. Further steps of the onboarding process will be communication of vendor/supplier code of conduct, security and data privacy policies, related controls, getting attestations to these, completing associated requirements, training, and conducting initial audits and inspections (if more are needed and were not done in the qualification and screening stage).

Tips for a Successful Onboarding Process

I am not a fan of the haphazard approach where organizations start a relationship and only look at issues when they arise. I advocate that organizations follow a structured onboarding process that scopes the third party (the identification and qualification phase above) and performs the appropriate level of due diligence to establish the relationship that is inline with the potential risk exposure the relationship brings. The most obscure third party relationship can bring significant damage to the organization if it connects to the organization’s network or shares, processes, or analyzes data of the organization.

To facilitate this onboarding process and remain agile, organizations should partner with solution providers that streamline the assessment and scoring of the security exposure and risk of third parties through active and ongoing scanning and evaluation of third parties.

Coming Up Next: Continuous Monitoring

Governing security in third party relationships does not stop with the onboarding phase. From there it moves into the ongoing monitoring of the relationship that we will explore in the next blog in this series.

About Michael Rasmussen

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management.  With 25+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile.  He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.

Author Thumbnail
Michael Rasmussen

You may also like...
5 Ways to Reduce Third-Party Cyber Risk in 2022
Jan 03, 2022 5 Resolutions for Reducing Third-Party Cyber Risk in 2022 Yaffa Klugerman
3 Key Tips to Make Your Security Questionnaires More Effective
Dec 22, 2021 3 Key Tips for Making Your Security Questionnaires More Effective Aviva Spotts
Log4Shell
Dec 13, 2021 Responding to the Log4Shell Vulnerability Demi Ben-Ari

Popular Posts

Cyber Monday
Nov 14, 2018 7 min read

10 Tips for Secure Online Shopping on Cyber Monday

Cyber Monday is just around the corner, but—let’s face it—shopping online is a lot riskier than it used to be. (more…)
By Elad Shapira
Security Best Practices & Advice
CCPA
Nov 26, 2019 3 min read

3 Key Points About CCPA

What is CCPA?   The California Consumer Privacy Act (AB 375), which will go into effect on January 1, 2020, is expected to significantly strengthen data collection and privacy in the USA. Similar to the way the General Data Protection Regulation (GDPR) defined data privacy in Europe, the CCPA regulation is expected to set the standard for data privacy in...
By Dov Goldman
Standards & Regulations
Questionnaires
May 08, 2019 3 min read

3 Reasons Why Enterprises Hate Security Questionnaires

It’s not hard to understand why security questionnaires are necessary. Because regulations like GDPR and NYDFS are holding businesses accountable for their third parties’ cybersecurity, it’s important for enterprises to assess and continuously monitor all vendors, suppliers and business partners. And the initial vetting of any third parties typically begins with a comprehensive security questionnaire to evaluate cyber posture. (more…)
By Noam Maman
Security Best Practices & Advice

Building Trust Between Companies Worldwide

Get Started

Featured Authors

Author Thumbnail
Yaffa Klugerman Director of Content Marketing at Panorays
Author Thumbnail
Elad Shapira Head of Research at Panorays.
Author Thumbnail
Moshe Ferber Cyber and Cloud Computing, entrepreneur, investor, board member and lecturer.
We use cookies to ensure you get the best experience on our website. Visit our Cookie Policy for more information.
Get our latest posts straight to your inbox Subscribe