
Vendor Management Best Practices: Improving an Organization's Security Posture

Updated: Apr 14, 2021

Vendors provide goods and services as both suppliers and sellers. Smartsheet defines a vendor as:

  • A seller in the supply chain of a specific piece of equipment that a company needs. For example, an aircraft manufacturer might employ a company that makes ball bearings as a vendor.

  • An individual who sells his or her services to a company (for a one-time or ongoing need). For example, a copywriter might contract with an advertising agency to write copy for website pages for a fixed amount of money as a onetime project.

  • Anyone who provides a good or service to an organization. This can be those who provide office supplies, legal services, employee benefits, consulting, and any number of other hard or soft goods or services.


Vendor management is the process that lets an organization control vendor selection, contract negotiation, costs, relationships and work assignments, reduce vendor-related risk, and secure service delivery. A typical vendor management process looks like:

  1. Vendor Selection

  2. Contract Negotiation

  3. Vendor On-boarding

  4. Vendor Performance Monitoring

  5. Risk Monitoring and Management

  6. Payment

Vendor management matters because it plays a substantial role in selecting the right vendor for a specific organization's needs. Organizations use vendor management to pursue goals such as cost savings, as well as to apply the proper procedures to mitigate risk.


According to Gartner, Vendor Risk Management (VRM) is the process of ensuring that service providers and IT suppliers do not create a negative impact on business performance. VRM helps reduce risk by evaluating vendors before a contract starts. It identifies the potential risks an organization would face when giving a vendor access to its sensitive data. Vendor Risk Management improves an organization's security posture in various ways. Some of these include:

  1. Helping to evaluate a third-party vendor by identifying and addressing any vulnerabilities they may have within their networks.

  2. Accurately measuring and prioritizing risk, which aids in ranking the vulnerabilities found during the risk assessment. It is recommended to rank the vulnerabilities by the overall risk they pose to the organization. This can be achieved by monitoring security metrics.


Vendor off-boarding is the not-so-common process of closing out a contract with a third-party vendor. This process involves ending all administrative, financial, network and data access, as well as the return of property. However, you only want to conduct vendor off-boarding AFTER the vendor has fulfilled all of its required contractual obligations. Vendor off-boarding is just as important as vendor on-boarding. Not following the proper protocols for off-boarding can expose your organization to high risk, such as compliance breaches, data breaches, loss of property, and ongoing disputes. A vendor off-boarding checklist looks like:

  • Track equipment returns

  • Review contract completion and close it out carefully

  • Disable network and data access

  • Finalize payment

  • Evaluate/Audit

  • Update the vendor's profile

  • Review security policies


Organizations interact with countless vendors all the time, but many of these businesses do not have a robust Vendor Risk Management strategy in place. Without such a strategy, vendors could continue to have access to data, systems or facilities they no longer service, creating a major threat to data security.
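The lingering-access risk described above is something a security team can check for rather than assume away. The following audit is an added example, not code from the original article or from any of the vendors it mentions: it walks a constructed vendor register (the record layout, vendor names, dates and asset tags are all assumptions made for this illustration), skips contracts that are still active, and flags accounts still enabled after contract end, logins observed after contract end, data shares still granted, and equipment not returned, ordered by severity so the most urgent off-boarding gaps come first.

```python
"""Off-boarding audit over a constructed vendor register.

Added example, not part of the original article. The register format and all
sample values are assumptions; in practice the records would be built from
the contract system, the directory (account status), authentication logs
(last login), file-share ACLs and the asset inventory.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class VendorRecord:
    vendor: str
    contract_end: date                         # date the contract was closed out
    account_enabled: bool                      # directory / VPN account still active?
    last_login: Optional[date]                 # most recent authentication seen in logs
    data_shares: List[str] = field(default_factory=list)           # shares still granted
    equipment_outstanding: List[str] = field(default_factory=list)  # asset tags not returned


@dataclass
class Finding:
    vendor: str
    severity: str   # "critical", "high" or "medium"
    issue: str


_SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit_offboarding(records: List[VendorRecord], today: date, grace_days: int = 0) -> List[Finding]:
    """Return off-boarding gaps for every vendor whose contract ended before today.

    grace_days allows a short window after contract end during which access
    removal is still in progress and is not reported.
    """
    findings: List[Finding] = []
    for r in records:
        if today <= r.contract_end + timedelta(days=grace_days):
            continue  # contract still active (or within the grace window): nothing to off-board yet
        if r.account_enabled:
            findings.append(Finding(r.vendor, "high", "account still enabled after contract end"))
        if r.last_login is not None and r.last_login > r.contract_end:
            # Actual use after the contract ended is worse than an enabled-but-idle account.
            findings.append(Finding(r.vendor, "critical",
                                    f"login observed on {r.last_login.isoformat()} after contract end"))
        for share in r.data_shares:
            findings.append(Finding(r.vendor, "high", f"data access still granted: {share}"))
        for asset in r.equipment_outstanding:
            findings.append(Finding(r.vendor, "medium", f"equipment not returned: {asset}"))
    findings.sort(key=lambda f: (_SEVERITY_ORDER[f.severity], f.vendor))
    return findings


# Constructed sample register (all values assumed for the example).
SAMPLE_REGISTER = [
    VendorRecord("BallBearings Co", date(2021, 3, 31), True, date(2021, 4, 5),
                 data_shares=["\\\\fs01\\engineering"], equipment_outstanding=["LAPTOP-0042"]),
    VendorRecord("Copywriter LLC", date(2021, 2, 28), False, date(2021, 2, 20)),
    VendorRecord("OfficeSupplies Inc", date(2021, 6, 30), True, date(2021, 4, 12)),  # still active
]

AUDIT_DATE = date(2021, 4, 14)


def run_sample_audit(grace_days: int = 0) -> List[Finding]:
    """Run the audit over the constructed register as of AUDIT_DATE."""
    return audit_offboarding(SAMPLE_REGISTER, AUDIT_DATE, grace_days)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity.upper():8}] {f.vendor}: {f.issue}")
```

On the sample register only "BallBearings Co" is reported: its contract ended on 31 March, yet the account is still enabled, a login was seen on 5 April, an engineering share is still granted and a laptop is outstanding. "Copywriter LLC" was off-boarded cleanly and "OfficeSupplies Inc" is still under contract, so neither produces findings. Passing a grace window (for example grace_days=30) suppresses the BallBearings findings until the window has elapsed, which is how a team would tune the report to its own off-boarding SLA.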

