Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training
Can't find what you are looking for?

Let us help.

Contact us
Resources
SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

CISO Network

Engage, challenge, and network with fellow CISOs in this exclusive community of security leaders

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations
Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk with an expert
Talk with an expert

Maximizing Vendor Risk Assessments

Uncover crucial strategies to improve your vendor risk assessments.

Authored byTony Turner
Tony Turner

Vendor risk assessments are essential for robust security strategies, but are your assessments truly effective in minimizing risks and building strong vendor relationships? As the threat landscape evolves, it's crucial to reassess and enhance your vendor risk processes. This blog explores the intricacies of vendor risk assessments and reveals innovative strategies to strengthen your security framework.

Evaluating Traditional Vendor Assessments

For many years, organizations have relied on traditional vendor risk assessments. These methods often include sending out questionnaires, accepting security attestations, or conducting onsite evaluations. However, the effectiveness of these traditional assessments is sometimes limited. To enhance your current processes, it's essential to understand their value and limitations.

Choosing the Right Vendor Assessment Type

Choosing the right type of assessment can be daunting. For instance, when should you opt for self-attestation versus a third-party assessment? Self-attestations, though cost-effective and easy to scale, offer low confidence. Conversely, while providing higher confidence, third-party assessments can be expensive and lack specific context. Balancing these factors is critical to an effective vendor risk assessment strategy.

Effective Risk Triaging: Categorizing Vendors for Optimal Assessment

Understanding the procurement's risk level is crucial. A short risk triaging process can help categorize vendors into low, medium, and high risk, informing the assessment process and frequency. Here are five yes/no questions commonly used:

  1. Does the vendor have my data?
  2. Does the vendor have logical access?
  3. Does the vendor have physical access?
  4. Is the vendor offshore?
  5. Is the vendor in the cloud?

After triaging, you'll have three discrete risk groups. Ideally, the number of high-risk vendors should match your assessment resources. High-risk assessments are resource-intensive, so choose wisely.

Innovative Enhancements for Vendor Risk Assessment Processes

Improving your vendor assessments framework can seem challenging, but several innovative methods can make a significant difference. One practical approach is leveraging artificial intelligence (AI) to scale and optimizing vendor risk programs. AI can quickly analyze vast amounts of data, identifying patterns and potential risks that traditional methods might miss.

Types of Assessments

Different assessment methods have varying levels of confidence, risk ranking, cost, scalability, and vendor participation:

  • Self-Attestation: This involves the vendor providing answers to a set of security-related questions or statements affirming they meet your security requirements.
  • Third-Party: These assessments are conducted by trusted external firms or tools that evaluate the vendor's security posture.
  • OSINT/Vendor Scoring: This method involves open-source intelligence (OSINT) to gather information about the vendor without their direct involvement. Tools and techniques are employed to collect publicly available data about the vendor's security practices and history.
  • Technical: This involves a deep dive into the technical aspects of the vendor's systems and security measures. Technical experts review architecture diagrams, system logs, and other artifacts provided by the vendor.
  • Validated: This adds an extra layer of verification to assessments by reviewing evidence to confirm the accuracy of the vendor's claims. Either the organization or a third party reviews the supporting documentation provided by the vendor to validate their security assertions.
  • Onsite: Physical assessments conducted at the vendor's location to verify their security controls and practices. Security professionals visit the vendor's site to observe and evaluate physical security measures, interview personnel, and review operational practices.

Vendor risk assessments are more critical than ever in ensuring the security and integrity of your supply chain. Enhancing your assessment processes and utilizing the comprehensive security assessment matrix can build stronger, more secure vendor relationships and improve your overall security posture. Stay proactive in refining your strategies, and leverage the tools and insights provided to drive your security programs to new heights.

You can access the comprehensive security assessment matrix here. Use it to map out and right-size your vendor assessment programs according to your organization's specific risks and resources.

If you missed the first webcast in our Mastering Supply Chain Security series, watch it here.

Register for parts 2 and 3 below:

Meet the expert

Tony Turner
Tony Turner

Tony Turner

Certified Instructor Candidate

Tony Turner has reshaped critical infrastructure security by advancing SBOM maturity and Cyber-Informed Engineering, while pioneering adversarial AI simulations and digital twin technologies as VP at Frenos.

Read more about Tony Turner
Maximizing Vendor Risk Assessments | SANS Institute