October 29, 2022
How to Get Through A Backlog of Vendor Security Assessments
Vendor risk management / third-party risk management is now a bedrock of most companies’ information security programs. As companies mature their program, a common issue comes up in vendor risk: there may be a huge backlog of vendors that were never assessed on intake. For many companies, this could range anywhere from 30-200 vendors that need to be assessed retroactively. This can be a large burden on even the most well-resourced teams. Here are a few ways that teams can handle a large backlog of vendor assessments.
- Separate the vendors into High, Medium and Low Risk
- Create a set of controls for each level of risk
- Create a set of standard documentation to ask from the vendor for each level of risk
- Reach out to vendors through their Customer Success Rep or through the email on their Security page
- Look for the set of controls in the documentation based on the risk level of the vendor
- Follow-up with individual vendors based on control questions and/or gaps
This type of work can be done in a Word or Excel document – it doesn’t need to be fancy. If it’s something that your team would like outside help with, this is a service that Teepee can help with as well.