KLC Third-Party Service Provider (Vendor) Risk Assessment / Management
Anytime your company does business with another company, you're at risk. Whether it's a medical provider supporting healthcare for your employees, a human resources firm providing administrative functions, or wholesalers from whom you purchase the products that run your business, sensitive data sits everywhere. How you protect that information is your responsibility, and the risk of doing little or nothing outweighs the potential catastrophe you may face.
What's at stake? Brand reputation, financial stability, customer base, and the future of your company, to name a few. Consumers are more aware than ever of the potential impact identity theft can have on their financial well-being, and they have the right to have their personal information secured. Intellectual property is the heart of your business, and if it's stored on a computer, it's at risk.
KLC has been helping clients safeguard their data and systems for over 10 years, allowing companies to focus on what they do best.
KLC has conducted hundreds of vendor / supplier security risk assessments for a wide range of clients, including major financial and healthcare institutions. KLC uses a defined methodology based on ISO 27001 / 27002 and NIST 800-53, or regulatory compliance assessments such as GLBA, HIPAA, PCI, Mass Privacy Regulation 201 CMR 17 and SOX.
Our methodology on Vendor Security Assessment and Management is as follows:
1. Understand the vendor relationship and compliance requirements
2. Collect vendor data via questionnaire and perform an onsite or remote vendor security review
3. Analyze vendor data via an ISO 27002:2005 / best practices gap analysis and evaluate the vendor's controls against industry best practice controls
4. Generate a vendor report including executive summary, issues and recommendations
5. Track vendor issue resolution and follow-up
KLC consults with major financial institutions in the development of their Supplier Security Risk Management Programs. In addition, KLC possesses a wealth of knowledge about industry best practices for supplier security risk management, and has advised leading financial and healthcare companies such as Royal Bank of Scotland (RBS), Bank of America, HSBC Bank, and CVS.
When building a supplier security risk program, KLC:
- Inventories vendors
- Creates a program charter
- Obtains available resources
- Defines roles and responsibilities
- Defines vendor security risk assessment types and associated criteria, such as:
  - Self assessment
  - Phone assessment
  - Onsite assessment
- Defines timelines for each type of assessment
- Defines questionnaires for each type of assessment
- Defines issue tracking mechanisms
- Defines key risk indicators
- Creates management report templates
KLC specializes in developing automated vendor security risk management applications to help companies efficiently and effectively manage their supplier security risks.
KLC advises clients in using and following international security standards ISO 27001 / 27002, and government regulations including HIPAA, GLBA, SOX, PCI. We will help our clients:
- Understand information security and network architecture
- Interface with the client audit team
- Provide guidance on client audit response
- Help remediate information security issues
- Help enhance the information security posture within the organization
KLC has partnered with ProcessUnity GRC Software to provide SaaS-based and automated supplier risk management. ProcessUnity software provides comprehensive tools to effectively and efficiently manage suppliers, which can range from small companies to large multi-national corporations.
Working with the correct tools, KLC can help you:
- Build a Definitive Vendor Service Catalog based on a configurable hierarchy, and keep key vendor data at your fingertips, including key contact information, fee structures, contract terms, vendor policies, performance standards, financial condition, insurance and liability coverage, data loss provisions, and document protection.
- Assess Strategic Value of Vendors and articulate the organizational, IT, financial, strategic and support-level risks based on high-level and detailed vendor risk assessments.
- Monitor Risk with Automated Questionnaire Assessments and workflow with features to provide guidance to vendors, request supporting documentation for any given question, auto-generate Issues based on responses, add analyst Findings, track Issues to resolution, create and monitor remediation Projects, and track assessment status and overdue questionnaire responses.
- Relate Risks to Vendors and the Services they Provide from the perspective of your enterprise risk universe, and initiate assessments to evaluate risk and initiate mitigation strategies.
- Securely Maintain Vendor Documentation in a centralized repository including vendor contracts, service level agreements, privacy documents, information security policies, etc.
- Increase Management Visibility by scheduling, tracking, and monitoring Vendor Risk Assessment progress. Track issues, projects, and document requests. Raise and report on findings during the assessment process.
- Provide a Flexible, Configurable Solution for custom questionnaires, allowing vendors to complete surveys online and easily submit responses electronically, putting an end to managing paper forms and arrays of spreadsheets.
- Reduce Cost and Complexity of vendor assessments, creating a proactive and collaborative on-demand environment to streamline the end-to-end process for enterprises, vendors, and assessors.
- Mitigate Vendor Risk through more comprehensive, more secure, and higher quality assessments, reducing operational exposure, surprises, and losses.
With ProcessUnity Vendor Risk Management, businesses benefit from:
- A Centralized Vendor Hierarchy that captures vendor information and the services they provide, key documentation, and related risks.
- Custom Questionnaire Templates with any number of sections, questions and response types (such as yes/no, multiple choice, freeform, and a variety of numerical response types). Other features include question guidance (tooltips and sub-text), support for requesting additional comments and related documentation, auto-generated issues based on question response, analyst instructions for the review process, and configurable scoring algorithms for individual findings and the overall assessment itself.
- Import Templates to get started by preloading vendor data and existing questionnaires.
- Automated Assessment Workflow that includes questionnaire distribution, completion, and response submission. Vendors complete the questionnaires directly within the secure ProcessUnity environment, providing responses, optional comments, and the ability to easily attach supporting documentation.
- Proactive Notification and Collaboration Support provides the necessary automated communication vehicles to keep vendors and analyst teams engaged during the assessment process.
- Analyst Review allows analysts to review responses and add notes, raise issues, add findings, track status, determine remediation, and run final reports.
- Comprehensive Reporting for viewing vendor and service information including related risks, vendor assessment summary/status/timetables, Issues and Project tracking, Findings reports and charts, etc.
- A powerful custom reporting facility for unique, ad-hoc requirements.