Business Driven Vendor Risk Assessment Template
The pace and extent of outsourcing has continued to grow and now reaches into every business area and cloud service. Outsourcing decisions are often made under the radar, focused on the economics of the agreement rather than on risk management oversight. In these cases it is common for the risk assessment to be performed after the contract has been signed, leaving the company with very little leverage to get critical audit findings fixed. Ideally, the risk assessment is performed before the contract is signed, so that the requirement to correct critical findings makes its way into the contract between the parties.
Relationships of this kind also tend to change rapidly from a risk perspective, as the scope and location of the services shift to accommodate business needs. The risk assessment templates traditionally used to manage vendor risk cannot keep pace and rarely produce any actionable output for the business. Furthermore, these templates typically require the active participation of a professional "risk manager", a scarce resource in most businesses, if they have one at all.
What’s the solution? Use a risk assessment template written in business terms that:
Here is a general five-step approach to help you get started on an effective business-driven risk assessment template:
1. Develop and communicate a policy requiring that all vendor relationships of a certain nature (e.g. those that involve sharing information or outsourcing certain business processes) are registered, and that a risk assessment is performed by the relationship owner, before approval or renewal. While this sounds easy, it can take months to complete. One practical approach is to focus on the procurement team(s) and help them establish the practice of performing risk assessments for large contracts, or for contracts with a particular business or information impact. Also assist your contracts team, and work with legal, to get standard contract language that supports assessments and remediation.
2. Develop the universe of risk factors you need to manage (e.g. information exposure, compliance exposure, strategic value) and translate the associated controls into questions the business relationship owner can understand. For example, the compliance risk of protecting cardholder data under the Payment Card Industry (PCI) standard is translated as "Are you sharing credit card data with the vendor?" rather than "Does the relationship require compliance with PCI?".
3. Score the questions and answers relative to each other from a risk perspective so that the results can be:
4. Based on the results of individual questions and the overall score, develop a set of required actions or guidance the business owner must follow (e.g. assess/confirm the vendor's compliance with PCI). Make sure these are aligned with the contractual language. It is also good practice to establish connections with your peers in procurement and legal if you have not already done so.
5. Look at the touch points in your business environment where buyers must interact with other functions (e.g. procurement and legal) and integrate the risk assessment template and its supporting process at those points for best results.
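Steps 2 through 4 above describe a scoring model: business-language questions mapped to risk factors, weighted answers rolled up into a score, and required actions triggered by specific answers and by the overall result. The following is an added example, not code from the original post or from Optiv, showing one way to implement that model. The question wording, weights, factor names, tier thresholds and required actions are all constructed for illustration and are not figures from the post; the one exception is the PCI question, which the post itself gives as its example. The script also handles the edge case the policy in step 1 implies: an assessment with unanswered questions is rejected rather than scored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str      # asked in business terms, not in control language
    factor: str    # risk factor this question feeds (constructed names)
    weight: int    # points added to the score when answered "yes"
    action: str    # required action for the relationship owner on a "yes"


# Constructed sample question bank; wording, weights and actions are hypothetical.
QUESTIONS = (
    Question("Q1", "Are you sharing credit card data with the vendor?",
             "compliance", 5,
             "Assess/confirm the vendor's PCI compliance before the contract is signed"),
    Question("Q2", "Will the vendor store or process customer personal information?",
             "information", 4,
             "Add data protection terms to the contract and request a security assessment"),
    Question("Q3", "Will the vendor have remote access to our network or systems?",
             "information", 3,
             "Provision access through the standard third-party access process"),
    Question("Q4", "Would an interruption of the vendor's service stop a core business operation?",
             "strategic", 3,
             "Obtain and review the vendor's business continuity plan"),
    Question("Q5", "Is the contract value above the procurement review threshold?",
             "strategic", 1,
             "Route the contract through procurement and legal for standard assessment language"),
)

# Assumed tier thresholds on the total score (highest floor first); tune to your risk appetite.
TIERS = ((8, "high"), (4, "medium"), (0, "low"))


def max_score() -> int:
    """Highest possible score, useful for presenting results as a percentage."""
    return sum(q.weight for q in QUESTIONS)


def tier_for(score: int) -> str:
    """Map a total score onto the first tier whose floor it reaches."""
    for floor, name in TIERS:
        if score >= floor:
            return name
    return TIERS[-1][1]


def score_assessment(answers: dict) -> dict:
    """Score a completed assessment.

    answers maps question id -> True ("yes") / False ("no"). Every question
    must be answered; an incomplete assessment raises ValueError so the
    relationship owner cannot submit a partially filled template.
    """
    missing = [q.qid for q in QUESTIONS if q.qid not in answers]
    if missing:
        raise ValueError(f"unanswered questions: {', '.join(missing)}")

    total = 0
    factor_scores = {q.factor: 0 for q in QUESTIONS}
    required_actions = []
    for q in QUESTIONS:
        if answers[q.qid]:
            total += q.weight
            factor_scores[q.factor] += q.weight
            required_actions.append((q.qid, q.action))

    return {
        "score": total,
        "max_score": max_score(),
        "tier": tier_for(total),
        "factor_scores": factor_scores,
        "required_actions": required_actions,
    }


if __name__ == "__main__":
    # Constructed sample answers for a vendor that handles card data and has remote access.
    sample = {"Q1": True, "Q2": False, "Q3": True, "Q4": False, "Q5": True}
    result = score_assessment(sample)
    print(f"score {result['score']}/{result['max_score']}  tier: {result['tier']}")
    for factor, pts in result["factor_scores"].items():
        print(f"  {factor:<12} {pts}")
    print("required actions:")
    for qid, action in result["required_actions"]:
        print(f"  [{qid}] {action}")
```

Keeping the per-factor subtotals alongside the total lets the output tell the business owner which exposure (compliance, information, strategic) drives the tier, and the required actions come straight from the questions answered "yes", so they can be lined up with the contract language in step 4.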
Remember, the business-driven vendor risk assessment template is all about integrating risk management into the outsourcing/procurement process by giving relationship owners the tools and guidance to act as front-line risk managers.
September 12, 2017
Learn how to build a solid foundation for your third-party risk program.
September 19, 2017
Optiv works with your organization to optimize its investment in RSA Archer.