Every vendor that your organization does business with must be included in the third-party inventory. It’s not that every vendor poses a significant risk; it’s that you must show your due diligence regardless.
Next, narrow your focus to the vendors who pose the most risk to your organization. You do this by classifying every vendor as high, medium or low risk, based on what information the vendor can access and how critical that information is.
Now that you know each vendor’s potential impact, medium- and high-risk vendors must demonstrate what safeguards they have in place by completing a FISASCORE self-assessment. This determines their residual risk: the risk that remains after their existing safeguards are taken into account, and that must still be addressed.
Some percentage of your vendors will pose an unacceptable information security risk to your organization. You won’t know what percentage, or what to do about it, without reaching this part of the process. You must establish objective thresholds for information security risk for vendors and treat them appropriately.
It’s not enough to assess risk; risk must be processed and mitigated. For each vendor for which you selected “Remediate,” VENDEFENSE automatically generates a remediation plan based on the low-scoring areas of that vendor’s FISASCORE assessment. As vendors close those gaps, their information security posture improves and so does their FISASCORE.
The power of VENDEFENSE lies in its intuitive dashboard that allows you to see all your vendors at once, identify the overall risk exposure of your organization, and pinpoint where in your organization the risk is coming from.
*Based on customer feedback