Service Overview
Today's business climate is complex. The cloud, Software-as-a-Service (SaaS), mobility, outsourcing and the ever-expanding ecosystem of third-party service providers have increased efficiencies, conveniences and profits for businesses globally. These same advancements, however, have introduced new cybersecurity risks and challenges for any organization working beyond its own four walls.
Vendor Risk Management (VRM) has become a critical function for any business that relies on third parties for critical business functions.
Whether you are required to assess the risk of your third parties or you are buried in vendor risk questionnaires, Vendor Risk Management is the solution.
Objectives
The objectives of this initiative are as follows:
- Assess the security capabilities of a third party or vendor
- Inventory third-party vendors and understand their associated cybersecurity risks and overall security posture.
- Support compliance with regulatory requirements
- Initiate the Vendor Risk Management process to promote continuous evaluation of vendor risks
- Enhance third-party vendor contracts
Methodology
Vendor Risk Management consists of the following phases:
- INITIALIZATION MEETING - DeepSeas will host a kickoff meeting to conduct introductions and familiarize Client and vendor(s) with the initiative. This meeting will be no longer than sixty (60) minutes and is intended to review the objectives, methodology, scope and deliverables in the Statement of Work.
- PLANNING - Preparation necessary to conduct an effective assessment, including:
  - Vendor identification - The identification of third-party vendor(s) to vet using vendor risk management strategies;
  - Vendor risk management procedure development - The identification and documentation of processes and criteria necessary to properly assess and manage new and existing vendors;
  - Scope definition - Identifying the third-party vendor(s) that will be the focus of the assessment, including people, process and technology;
  - Schedule development - Scheduling, project plan creation and resource identification.
- ASSESSMENT - Evaluation of the third-party cybersecurity controls defined in the Planning phase, including:
  - Vendor self-assessment - Identification of the vendor's existing security controls (questionnaire completed by the vendor); and
  - Assessment of vendor response - Evaluation of required security controls, conducted by DeepSeas in conjunction with Client, including subject matter expert interviews, artifact review and other analysis.
- DOCUMENTATION - Documentation of all deliverables, including the completed questionnaire, analysis, and final security report.
- CONTRACT REVIEW - DeepSeas will review the vendor contract and provide feedback, including a data security addendum, to Client.
- PRESENTATION - Presentation of findings to Client.
- TRANSITION MEETING - DeepSeas will host a transition meeting to assist Client with next steps.
Deliverables
DeepSeas will produce the following deliverables:
- PROJECT PLAN - DeepSeas will deliver a project plan that describes the tasks, milestones, resources, and project start and end dates of each major deliverable.
- VENDOR RISK MANAGEMENT PROCEDURE - DeepSeas will work with the Client to develop a documented procedure for managing new and existing vendors.
- VENDOR INVENTORY TEMPLATE - DeepSeas will deliver an inventory template for Client to use, detailing the types of information that should be documented for each vendor.
- VENDOR QUESTIONNAIRE - DeepSeas will deliver the final questionnaire (completed by vendor and assessed and scored by DeepSeas) to Client.
- FINAL SECURITY REPORT - DeepSeas will deliver a security report that details the vendor's risk score and outlines areas of concern.