
    Service Overview

    Today's business climate is complex. The cloud, Software-as-a-Service (SaaS), mobility, outsourcing and the ever-expanding ecosystem of third-party service providers have increased efficiencies, conveniences and profits for businesses globally. These same advancements, however, have introduced new cybersecurity risks and challenges to any organization working beyond its four walls. Whether you are required to assess the risk of your third parties or you are buried in vendor risk questionnaires, Vendor Risk Assessment is the solution.

    Objectives

    The objectives of this initiative are as follows:

    • To assess the security capabilities of a third party or vendor
    • To support compliance with regulatory requirements
    • To enhance third-party vendor contracts

    Methodology

    This Vendor Risk Assessment consists of the following phases:

    • INITIALIZATION MEETING - DeepSeas will host a kickoff meeting to conduct introductions and familiarize Client and vendor(s) with the initiative. This meeting will be no longer than sixty (60) minutes and it is intended to review the objectives, methodology, scope and deliverables in the Statement of Work.
    • PLANNING - Preparation necessary to conduct an effective assessment, including:
      • Scope definition - Identifying the third-party vendor(s) that will be the focus of the assessment, including people, process and technology.
    • ASSESSMENT - Evaluation of third-party cybersecurity controls defined in the Planning phase, including:
      • Vendor self-assessment(s) - Identification of the vendor's existing security controls (questionnaire completed by vendor); and
      • Assessment of vendor responses - Evaluation of required security controls, conducted by DeepSeas in conjunction with Client, including subject matter expert interviews, artifact review and other analysis.
    • DOCUMENTATION - Documentation of all deliverables, including completed questionnaire, analysis, and final security report.
    • CONTRACT REVIEW - DeepSeas will review the vendor contract and provide feedback, including a data security addendum, to Client.
    • PRESENTATION - Presentation of findings to Client.
    • TRANSITION MEETING - DeepSeas will host a transition meeting to assist Client with next steps.

    Deliverables

    DeepSeas will produce the following deliverables for each vendor identified in the scope section:

    1. VENDOR QUESTIONNAIRE - DeepSeas will deliver the final questionnaire (completed by vendor and assessed and scored by DeepSeas) to Client.
    2. FINAL SECURITY REPORT - DeepSeas will deliver a security report that details the vendor's risk score and outlines areas of concern.