Get Instant Access
to This Blueprint

Security icon

Build a Vendor Security Assessment Service

Use a risk-based approach to right-size your vendor security assessments.

  • Vendor security risk management is a growing concern for many organizations. Whether suppliers or business partners, we often trust them with our most sensitive data and processes.
  • More and more regulations require vendor security risk management, and regulator expectations in this area are growing.
  • However, traditional approaches to vendor security assessments are seen by business partners and vendors as too onerous and are unsustainable for information security departments.

Our Advice

Critical Insight

  • An efficient and effective assessment process can only be achieved when all stakeholders are participating.
  • Security assessments are time-consuming for both you and your vendors. Maximize the returns on your effort with a risk-based approach.
  • Effective vendor security risk management is an end-to-end process that includes assessment, risk mitigation, and periodic re-assessments.

Impact and Result

  • Develop an end-to-end security risk management process that includes assessments, risk treatment through contracts and monitoring, and periodic re-assessments.
  • Base your vendor assessments on the actual risks to your organization to ensure that your vendors are committed to the process and you have the internal resources to fully evaluate assessment results.
  • Understand your stakeholder needs and goals to foster support for vendor security risk management efforts.

Build a Vendor Security Assessment Service Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build a vendor security assessment service, review Info-Tech’s methodology, and understand the three ways we can support you in completing this project.

3. Deploy and monitor process

Implement the process and develop metrics to measure effectiveness.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.5/10


Overall Impact

$20,936


Average $ Saved

35


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Platte River Power Authority

Workshop

10/10

$29,139

50

The Lansing Board of Water and Light

Workshop

10/10

N/A

N/A

Messer

Guided Implementation

8/10

$34,099

10

Enerflex Ltd.

Guided Implementation

8/10

N/A

2

Turlock Irrigation District

Workshop

10/10

$11,159

20

City Of Durham

Guided Implementation

9/10

N/A

N/A

DRiV Automotive Inc.

Guided Implementation

8/10

$50,000

20

Spark Therapeutics, Inc.

Workshop

10/10

$19,839

50

Modesto Irrigation District

Workshop

10/10

$30,999

20

College of Westchester

Guided Implementation

9/10

$12,733

10

OCLC

Guided Implementation

9/10

N/A

N/A

SAFE Credit Union Corporate

Guided Implementation

10/10

$8,913

2


Onsite Workshop: Build a Vendor Security Assessment Service

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Define Governance and Process

The Purpose

  • Understand business and compliance requirements.
  • Identify roles and responsibilities.
  • Define the process.

Key Benefits Achieved

  • Understanding of key goals for process outcomes.
  • Documented service that leverages existing processes.

Activities

Outputs

1.1

Review current processes and pain points.

1.2

Identify key stakeholders.

  • RACI Matrix
1.3

Define policy.

  • Vendor Security Policy
1.4

Develop process.

  • Defined process

Module 2: Define Methodology

The Purpose

  • Determine methodology for assessing procurement risk.
  • Develop procedures for performing vendor security assessments.

Key Benefits Achieved

  • Standardized, repeatable methodologies for supply chain security risk assessment.

Activities

Outputs

2.1

Identify organizational security risk tolerance.

  • Security risk tolerance statement
2.2

Develop risk treatment action plans.

  • Risk treatment matrix
2.3

Define schedule for re-assessments.

2.4

Develop methodology for assessing service risk.

  • Service Risk Questionnaire

Module 3: Continue Methodology

The Purpose

  • Develop procedures for performing vendor security assessments.
  • Establish vendor inventory.

Key Benefits Achieved

  • Standardized, repeatable methodologies for supply chain security risk assessment.

Activities

Outputs

3.1

Develop vendor security questionnaire.

  • Vendor security questionnaire
3.2

Define procedures for vendor security assessments.

3.3

Customize the vendor security inventory.

  • Vendor security inventory

Module 4: Deploy Process

The Purpose

  • Define risk treatment actions.
  • Deploy the process.
  • Monitor the process.

Key Benefits Achieved

  • Understanding of how to treat different risks according to the risk tolerance.
  • Defined implementation strategy.

Activities

Outputs

4.1

Define risk treatment action plans.

  • Vendor security requirements
4.2

Develop implementation strategy.

  • Understanding of required implementation plans
4.3

Identify process metrics.

  • Metrics inventory

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

Member Rating

9.5/10
Overall Impact

$20,936
Average $ Saved

35
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Try Our Guided Implementations

Get the help you need in this 3-phase advisory process. You'll receive 6 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Define governance and process
  • Call #1 - Identify requirements and develop the policy.
  • Call #2 - Define the RACI matrix, process, and treatment matrix.

Guided Implementation #2 - Develop assessment methodology
  • Call #1 - Customize the Service Risk Assessment Questionnaire.
  • Call #2 - Develop vendor risk assessment methodology.

Guided Implementation #3 - Deploy and monitor process
  • Call #1 - Customize the Vendor Security Assessment Inventory and develop implementation strategy.
  • Call #2 - Develop metrics.

Contributors

Two anonymous contributors

Search Code: 87175
Last Revised: December 7, 2018

Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019