Vendor risk management is nothing new to most security and privacy professionals. Programs for managing vendors are typically well-established and have run like clockwork for quite some time — with many firms requiring their critical vendors to allow access for periodic on-site assessments of privacy, security, and other controls. But as with so many things this year, the coronavirus pandemic has brought well-oiled vendor risk management processes to a screeching halt. Now, without the ability to conduct on-site audits, many organizations lack their usual visibility to assess risk factors and validate whether their providers are doing all they have agreed to in their contracts and service-level agreements (SLAs).
This is particularly concerning given that vendors and third-party providers are a prime source of breaches in security, privacy and/or compliance. Risk Based Security reported that the incidence of breaches, "involving companies handling sensitive data for business partners and other clients," rose by 35% from 2017 to 2019 and exposed 4.8 billion records last year.
Security and privacy professionals are well aware of the potential for exposure among their outside partners, which is why most follow the best practice of ranking their vendors on a hierarchy spanning low risk to high risk, with close attention, auditing, and on-site visits paid to the highest risk vendors. Even without on-site access, organizations still face the same risk management and regulatory obligations to monitor and ensure third parties are protecting their information. But obtaining a high level of assurance without seeing items firsthand is tricky. Organizations must now take their previous assessment plans and modify the testing steps to enable virtual ass ..
Support the originator by clicking the read the rest link below.
