The 3 Lifecycle Stages of Vendor Security Risk Management: Onboarding
This is the first of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on steps to achieve a proper and friction-free onboarding process.
The Vendor Relationship: Stages in the Lifecycle
Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected mess of relationships and connections that span traditional business boundaries. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees, but are third parties such as contractors, consultants, temporary workers, outsourcers, service providers, and vendors.
An organization can face disruption and disaster by establishing or maintaining the wrong business relationships. Third party security problems are the organizations problems that directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of security arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.
Today’s organization requires complete situational and holistic awareness of third party security and its connection to and impact on operations, processes, transactions, and data. It has become essential that organizations govern third party relationships throughout the lifecycle of the relationship:
Today we will look at the first stage of onboarding a third party relationship, ensuring the organization is doing business with the right third parties as they are brought onboard before network connections are established and data shared.
Approaches to Onboarding
There are a variety of approaches to onboarding as part of your risk management plan. Some organizations bring third parties onboard with minimal inquiry and affirmation of security, but want to have red flags raised if issues of security arise during the relationship. Other organizations provide more structured due diligence during the onboarding process to ensure that security is addressed before the relationship becomes active. What is critical across this dichotomy is the need for agility. The organization needs to be agile in getting relationships established and not slow the business down.
Obviously, the stronger approach is in the organizations that look to more structured due diligence practices for security to ensure that third parties have security in place before the relationship is established and connected to data and systems. This approach of onboarding needs to be agile or the business will end up working around security and potentially expose the organization.
Four Steps to Onboarding
The onboarding process in a vendor risk management plan involves these fundamental steps:
Purpose & identification. This is where the organization identifies a new third party or existing third party to contract with for new business purposes. Third party identification will detail the purpose of the relationship and include initial definition of performance, risk, security, and compliance requirements and concerns in the relationship. It is critical here to understand the nature of the proposed relationship and the type of connectivity to the organization and data that will be shared. This will scope the level of due diligence needed in the other steps of onboarding.
Qualification & security screening. Once a third party has been selected, the next step is the qualification and screening process to validate that the third party meets the security requirements of the relationship and does not introduce unwarranted risk and compliance exposure. The screening process will go through security evaluation steps to ensure that the third party is addressing security. This includes how the third party manages security externally (Internet facing) as well as internally (internal security policy, controls, and processes). Relationships, particularly high risk ones, are to be evaluated against defined criteria to determine if the relationship should be established or avoided.
Contracting & negotiation. Upon passing initial qualification and security screening, the next step is to finalize the contracts and the formation of the relationship. Organizations should be explicitly in clear in contract on how security and disposition of data and connections are to be maintained and secured throughout the lifecycle of the relationship. Rights to scan the perimeter as well as audit/inspect security policies, controls, and processes should be a fundamental piece of any contract that involves network connectivity and/or shared data.
Registration & final onboarding. When contracting and negotiation processes are complete the organization moves into registration and final onboarding. The registration process technically started in the qualification and screening phase to gather information but concludes with setting up the third party in the system with master data records, financial and payment information, contact information, insurance, and licensing documentation. Further steps of the onboarding process will be communication of vendor/supplier code of conduct, security and data privacy policies, related controls, getting attestations to these, completing associated requirements, training, and conducting initial audits and inspections (if more are needed and were not done in the qualification and screening stage).
Tips for a Successful Onboarding Process
I am not a fan of the haphazard approach where organizations start a relationship and only look at issues when they arise. I advocate that organizations follow a structured onboarding process that scopes the third party (the identification and qualification phase above) and performs the appropriate level of due diligence to establish the relationship that is inline with the potential risk exposure the relationship brings. The most obscure third party relationship can bring significant damage to the organization if it connects to the organization’s network or shares, processes, or analyzes data of the organization.
To facilitate this onboarding process and remain agile, organizations should partner with solution providers that streamline the assessment and scoring of the security exposure and risk of third parties through active and ongoing scanning and evaluation of third parties.
Coming Up Next: Continuous Monitoring
Governing security in third party relationships does not stop with the onboarding phase. From there it moves into the ongoing monitoring of the relationship that we will explore in the next blog in this series.
About Michael Rasmussen
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 25+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.