Third-Party Risk: Manage Vendors & Compliance

Vendor Risk Management Overview and Guidance

A procedural template outlining the specific steps to execute the Supplier Relationships Security Policy within your organization

BEST PRACTICE: Use this document as a template
In addition to being informative, this document can serve you as a procedural template. It outlines the specific steps and practices for executing your Supplier Relationships Security Policy. It provides detailed "how-to" guidance supporting the "what we have to do" directives outlined in the policy. This template ensures that the practical implementation of your policy is consistent, effective, and aligned with your compliance requirements. Feel free to provide a link to this guidance or create your own version on your organization's wiki page (e.g., Confluence, Notion).

Introduction

Purpose

This procedural guide shows you how to meet the requirements outlined in our Supplier Relationships Security Policy. It offers detailed guidance on using the Vendor Management functions to assess vendor-related risks, boosting compliance and enhancing your governance framework.

Objective

This document covers best practices for using the full functionality of Trustero’s Vendor Management feature. It includes details on risk tier assignment, attestation tracking, and vendor list maintenance.

Vendor Management Feature

Trustero's Vendor management feature provides a centralized view to monitor and assess the risks associated with third-party vendors. Key components of the feature include:

  1. Assigning each vendor to a Risk Tier
    Vendors are classified according to their importance and potential risk, ranked from Tier 1 (high risk) to Tier 4 (low risk). This classification determines the level of assurance required and dictates whether an attestation is needed to do business with the vendor. The risk tier assignment helps prioritize management efforts and resources, ensuring that higher-risk vendors meet the required compliance and security standards.
  2. Attestation Tracking
    This feature ensures that vendors have up-to-date attestations, such as SOC 2 Reports or ISO 27001 Certifications, to validate their compliance and security postures. It is essential for maintaining trust and legal compliance in third-party engagements.
  3. Vendor List Maintenance
    Allows for the addition and categorization of vendors, providing a clear overview of which vendors are critical and which may require further scrutiny or updated documentation.

Using the Vendor Management Feature

  1. Assigning Risk Tiers
    • Determine the risk tier for each vendor based on their impact on your data, availability, and system access.
    • Regularly review and adjust the risk tiers to reflect any changes in vendor services or your business's reliance on them.
    • See Appendix A for detailed guidance on “Vendor Risk Tiers” that includes “Weighted Factors for Determining Vendor Risk Tier.”

  2. Attestation Management
    • Maintain a record of each vendor’s attestations within the platform, ensuring they are current and relevant.
    • Set reminders to review attestations before their expiration dates to prevent lapses in compliance documentation.

  3. Responsibility and Compliance Tasks
    • Assign a team member the responsibility for managing the Vendor Management feature to ensure continuity and oversight.
    • Document the operational tasks associated with this responsibility in the "Documented InfoSec Operational Activities," which should detail routine compliance tasks and their required update cadence.

  4. Regular Reviews and Updates
    • Conduct regular reviews to ensure the Vendor Management dashboard reflects accurate risk tiers and attestation statuses.
    • Keep a log of when each vendor's information was last verified and updated to maintain continual compliance.

  5. Documenting Vendor Reviews in Operational Activities
    • Ensure that your "Documented InfoSec Operational Activities" include specific tasks related to vendor management, such as:
        • Quarterly review of vendor risk tiers.
        • Bi-annual verification of vendor attestations.
        • Immediate updating of vendor statuses upon receipt of new attestations or change in vendor services.

Conclusion

Trustero’s Vendor Management feature streamlines the ranking and management of third-party risks to achieve compliance. It simplifies oversight of vendors' risk levels and ensures that their security attestations are current, directly supporting your organization's continuous compliance efforts.

Appendix A

Vendor Risk Tiers

Risk tiers help categorize vendors based on the level of risk they pose to your organization, from Tier 1 (highest risk) to Tier 4 (lowest risk). Understanding the risk associated with each vendor allows you to prioritize your management efforts and allocate resources effectively.

Determining Vendor Risk Tier: Weighted Factors

When assessing vendor risk, it’s essential to consider various factors across three key domains: Data, Availability, and System Access. Each factor contributes to determining the vendor's risk tier as follows:

  1. Data
    1. Access or Processing of Sensitive or Confidential Data: Vendors handling sensitive data are generally considered higher risk, potentially placing them in Tier 1 or 2.
    2. Offshore Locations or Cross-Border Data Transfers: Depending on compliance requirements, vendors with data crossing borders may be placed in a higher risk tier due to regulatory complexities.
    3. Data Transmission Across Multiple Locations: More transmission points can increase risk, possibly escalating the vendor's tier.
    4. Provision of Hosting Facilities or Physical Infrastructure: Vendors providing critical hosting or infrastructure may be classified as Tier 1 or 2 due to the potential impact on business operations.
    5. Commodity-Type Services and Products Without Access to Critical Infrastructure and Information: Such vendors might be placed in Tier 3 or 4 as they pose a lower risk.

  2. Availability
    1. Criticality to Business Operations: Essential vendors without which operations would halt may fall into Tier 1.
    2. Direct Impact on Revenue Generation: Vendors that directly affect the bottom line may be considered for Tier 1 or 2 due to their impact on business continuity.
    3. Effects on Regulatory Compliance: Vendors that influence compliance status are likely to be higher tier because non-compliance poses significant risks.
    4. Sole Provider of Essential Services: If no alternatives exist, the vendor could be Tier 1 or 2, given the potential operational impact.

  3. System Access
    1. Direct Connectivity to the Organization’s Environment: Vendors with direct system access might be assigned Tier 1 or 2 due to the high potential risk of system compromise.
    2. Remote Access to Sensitive or Confidential Data: Such access can elevate risk, suggesting a higher tier classification.
    3. System Access to Applications: Depending on the criticality of the applications, this may suggest Tier 1 or 2.
    4. Involvement of Cloud Technologies: The use of cloud services, especially those involved in processing or storing sensitive data, may indicate a higher risk tier.
    5. Logical Security Functions Provided to Production Networks and System Platforms: The importance of these functions can place vendors in a higher tier due to their role in maintaining system integrity.

The assignment to a risk tier is not always linear. It can be influenced by a combination of factors that need to be evaluated as part of a comprehensive risk assessment process. Each vendor's final risk tier reflects their overall potential impact on your organization's risk profile.
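As an added illustration (not Trustero code and not the product's scoring logic), the script below encodes the Appendix A rubric and the attestation-expiry reminder from section 2 as a periodic review check. The factor names, the "strongest single factor wins" rule, the 90-day reminder lead time, and the choice that only Tier 1 and 2 vendors require a current attestation are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

# Constructed mapping of Appendix A factors to the tier each one indicates.
# Availability factors the text puts squarely in Tier 1:
TIER1_FACTORS = {"critical_to_operations", "sole_provider"}
# Factors the text describes as "Tier 1 or 2" or "higher tier":
TIER2_FACTORS = {"sensitive_data", "hosting_or_infrastructure", "revenue_impact",
                 "regulatory_impact", "direct_connectivity", "remote_access_sensitive_data",
                 "application_access", "security_functions"}
# Factors that "may" raise the tier (treated here as Tier 3 at most):
TIER3_FACTORS = {"cross_border_transfer", "multi_location_transmission", "cloud_sensitive"}


@dataclass
class Vendor:
    name: str
    factors: Set[str] = field(default_factory=set)
    attestation_expires: Optional[date] = None  # None: no SOC 2 / ISO 27001 on file


def assign_tier(v: Vendor) -> int:
    """Strongest single factor decides the tier; the rubric is not additive."""
    if v.factors & TIER1_FACTORS:
        return 1
    if v.factors & TIER2_FACTORS:
        return 2
    if v.factors & TIER3_FACTORS:
        return 3
    return 4  # commodity-type service with no critical access


def attestation_required(tier: int) -> bool:
    return tier <= 2  # assumed policy: Tier 1 and 2 must hold a current attestation


def review_vendor(v: Vendor, today: date, lead_days: int = 90) -> dict:
    """Return the tier plus the attestation finding for the periodic review."""
    tier = assign_tier(v)
    finding = "ok"
    if attestation_required(tier):
        if v.attestation_expires is None:
            finding = "missing attestation"
        elif v.attestation_expires < today:
            finding = "attestation expired"
        elif v.attestation_expires - today <= timedelta(days=lead_days):
            finding = "attestation expiring soon"
    return {"vendor": v.name, "tier": tier, "finding": finding}


def sample_review(today: date = date(2025, 3, 1)) -> list:
    # Constructed vendors covering each outcome; not real suppliers.
    vendors = [
        Vendor("CoreHost", {"hosting_or_infrastructure", "critical_to_operations"}, date(2025, 4, 30)),
        Vendor("PayrollSaaS", {"sensitive_data", "cloud_sensitive"}, date(2024, 12, 31)),
        Vendor("Analytics", {"cross_border_transfer"}, None),
        Vendor("OfficeSnacks", set(), None),
    ]
    return [review_vendor(v, today) for v in vendors]
```

Running sample_review() yields one finding per vendor, which is the list a reviewer would carry into the quarterly tier review and bi-annual attestation verification.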

For more information, see Vendor Management FAQs.