Vendor Management Best Practices: Improving an Organization's Security Posture
Updated: Apr 14, 2021
Vendors provide goods and services as both suppliers and sellers. Smartsheet defines
a vendor as:
A seller in the supply chain of a specific piece of equipment that a company needs. For example, an aircraft manufacturer might employ a company that makes ball bearings as a vendor.
An individual who sells his or her services to a company (for a one-time or ongoing need). For example, a copywriter might contract with an advertising agency to write copy for website pages for a fixed amount of money as a one-time project.
Anyone who provides a good or service to an organization. This can be those who provide office supplies, legal services, employee benefits, consulting, and any number of other hard or soft goods or services.
VENDOR MANAGEMENT
Vendor management is the process that lets an organization control vendor
selection, negotiate contracts, manage costs, relationships and work assignments,
reduce vendor-related risk, and secure service delivery. A typical vendor
management process looks like this:
Vendor Selection
Contract Negotiation
Vendor On-boarding
Vendor Performance Monitoring
Risk Monitoring and Management
Payment
Vendor management is very important because it plays a substantial role in
selecting the right vendor for an organization's specific needs. Organizations
use vendor management to pursue goals such as cost savings and to follow the
proper procedures for mitigating risk.
VENDOR RISK MANAGEMENT
According to Gartner, Vendor Risk Management (VRM) is the process of ensuring
service providers and IT suppliers do not create a negative impact on business
performance. VRM helps reduce risk by evaluating vendors prior to starting a contract.
It identifies the potential risks an organization would face when allowing a vendor
access to its sensitive data. Vendor Risk Management improves an organization's security posture in various ways. Some of these include:
Helping to evaluate a third-party vendor by identifying and addressing any vulnerabilities they may have within their networks.
Accurately measuring and prioritizing risk, which aids in ranking the vulnerabilities found during the risk assessment. It is recommended to rank the vulnerabilities by the overall risk they pose to the organization. This can be achieved by monitoring security metrics.
VENDOR OFF-BOARDING
Vendor off-boarding is the not-so-common process of closing out a contract with a
third-party vendor. This process involves ending all administrative, financial, network and
data access, as well as the return of property. However, you only want to conduct
vendor off-boarding AFTER the vendor has fulfilled all of its contractual
obligations. Vendor off-boarding is just as important as vendor on-boarding. Not following the
proper off-boarding protocols can pose a high risk and exposure to your
organization, such as compliance breaches, data breaches, loss of property, and
ongoing disputes. A vendor off-boarding checklist looks like this:
Track equipment returns
Review contract completion and close it out carefully
Disable network and data access
Finalize payment
Evaluate/Audit
Update the vendor's profile
Review security policies
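As an added example that is not part of the original article, the following Python check audits the "Disable network and data access" and "Evaluate/Audit" steps against constructed sample data: it lists access still enabled for vendors whose contracts have ended, ranking entries for vendors already signed off as off-boarded first. The vendor names, access kinds and record fields are all assumptions.

```python
from datetime import date

# Constructed sample data (not from the article). A vendor register with each
# contract's end date and whether the off-boarding checklist was signed off,
# and an access inventory with one row per account, share or badge still issued.
VENDORS = {
    "acme-bearings": {"contract_end": "2021-01-31", "offboarded": True},
    "copy-co":       {"contract_end": "2021-03-15", "offboarded": False},
    "legal-llp":     {"contract_end": "2022-06-30", "offboarded": False},
}
ACCESS = [
    {"vendor": "acme-bearings", "kind": "vpn",   "id": "acme-vpn-01",    "enabled": True},
    {"vendor": "acme-bearings", "kind": "share", "id": "fs01/parts",     "enabled": False},
    {"vendor": "copy-co",       "kind": "cms",   "id": "copyco-editor",  "enabled": True},
    {"vendor": "copy-co",       "kind": "badge", "id": "B-2231",         "enabled": True},
    {"vendor": "legal-llp",     "kind": "share", "id": "fs01/contracts", "enabled": True},
]


def stale_vendor_access(vendors, access, as_of):
    """Return access that should already have been revoked, ranked by risk.

    as_of is an ISO date string. Each finding is
    (vendor, kind, id, days_past_contract_end, offboarding_signed_off).
    Findings for a vendor whose off-boarding was signed off come first: the
    'disable network and data access' step was recorded as done but was not,
    which is a process failure rather than a delay. Within each group the
    longest-overdue access is listed first.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for grant in access:
        vendor = vendors.get(grant["vendor"])
        if vendor is None or not grant["enabled"]:
            continue                      # unknown vendor or already disabled
        ended = date.fromisoformat(vendor["contract_end"])
        if ended >= today:
            continue                      # contract still active
        days_over = (today - ended).days
        findings.append((grant["vendor"], grant["kind"], grant["id"],
                         days_over, vendor["offboarded"]))
    findings.sort(key=lambda f: (not f[4], -f[3]))
    return findings


if __name__ == "__main__":
    for finding in stale_vendor_access(VENDORS, ACCESS, "2021-04-14"):
        print(finding)
```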
CONCLUSION
Organizations interact with countless vendors all the time, yet many of these
businesses do not have a robust Vendor Risk Management strategy in place. Without
such a strategy, vendors could retain access to data, systems or facilities
they no longer service, creating a serious threat to data security.
REFERENCES
https://www.smartsheet.com/the-definitive-guide-of-vendor-management