
10 Questions You Should Ask Vendors About Their Risk Management Program

January 11, 2018 by Susan Morrow

Our supply chains are becoming ever more complex, not only in terms of the intricate web of suppliers and sub-suppliers, but also in the technologies used within the network. Supply chains may be complex, but they are worth it. In a survey, 79% of high-performing supply chains had greater-than-average revenue growth. Keeping the supply chain risk under control is an essential part of a healthy vendor risk management program (VRM).

As we saw in an earlier article, supply chains can be an entry point for malicious actions that result in security incidents. A third-party vendor presents a number of areas that can impinge upon your own security strategy and VRM program. The key is to use a forensic approach to identifying, auditing and reducing the risks that working with a third-party vendor may present — this means keeping the chain clean.

Before you start the process of asking your vendor security questions, you should first address certain questions/areas of your own organization, namely:

  • How does your supply chain and vendor registry fit within your organization's structure? Are there gaps in communication channels?
  • What are the risks you expect to see in your vendor list? This may be industry-specific. For example, software companies need to have regular code analysis checks carried out.
  • How will these risks impact your organization's cybersecurity strategy?

A collaborative process with your vendor allows you to feed information back into any security policy planning and vendor risk management program.

Below are 10 important questions to ask your vendors. These will ensure your own hard work toward creating and implementing security policies is not put at risk by a third-party vendor.

1. Do You Have Your Own Vendor Risk Management Program?

In a complex web of vendors and sub-suppliers, you can easily forget the hierarchies of control. A vendor may have a vendor management program themselves which will need to dovetail with your own. Have at least sight of this, and if possible, have some input on its creation and execution. Achievable security comes through collaboration.

2. What Areas of Compliance Do You Need to Meet?

This impacts some industries more than others. For example, any vendor associated with healthcare will have to comply with HIPAA, and those working in finance may need to meet a variety of financial regulations that have cybersecurity regulations, such as GLBA and PCI DSS.

3. What Is the Chain of Command Within Your Organization & Who Is the Main Contact for the VRM Program?

This is a seemingly simple but important question. Get to know who the vendor’s main points of contact are and who they report to. They may need your help in pushing through policy changes or implementing security awareness training programs.

4. How Do You Expect to Communicate Across the VRM Program?

Work out the most efficient methods of communication together. This includes communicating ongoing security awareness training and policy implementation issues, as well as notification channels if a security incident does occur.

5. How Often Do You Assess & Update Your Risk Management Program?

Risk management assessment and policy generation is not a one-off process. As the security landscape changes, as new technologies are brought on-board and as new vendors enter the third-party matrix of the supply chain, VRM programs need to accommodate these changes.

6. What Security Services Do You Outsource?

Vendors themselves may outsource a number of services. Each outsourced service widens the threat matrix. Understanding the risks associated with outsourced services will help you manage their impact, as it gives you insight into the areas that need to be addressed. This needs to form part of your master vendor risk catalog.

7. What Are the Risks Associated With Devices & Endpoints in the Organization?

Ensure the vendor has assessed the risks of all endpoints, including mobile and IoT devices. How does the vendor assess and record the inclusion of new devices in their network? What about access to email on the device? Is this a phishing entry point?

8. Do You Carry Out Security Awareness Training?

Security awareness training is a component of a number of regulatory frameworks, including the PCI DSS requirements from the PCI Security Standards Council. Security awareness training is also an important part of a vendor risk management program, ensuring that all employees, including subcontractors, are aware of the security risks facing that particular organization.

9. What Technologies Do You Use? Do You Use Cloud Technologies?

Increasing numbers of companies are turning to Cloud computing and Cloud apps to store and process data. SkyHigh found the average organization uses 1,427 Cloud services. Ask your vendor how they approach the security and privacy of any sensitive data, including your organization’s own intellectual property, in the Cloud and elsewhere.

10. What Security Technologies/Security Testing Do You Use?

As an extension to the Cloud computing question, ask the vendor about the technological approaches to security that they use. Do they encrypt data both at rest and in transit? Do they enforce robust authentication measures, especially for privileged access to IT resources? Do they design access roles with security in mind? Do they carry out penetration testing of their systems?


Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.