Follow these steps when conducting a Vendor Security Risk Assessment (SRA). This is an actual process used by a commercial entity.
b) Copy of internal or external information security audit report
c) Information technology and security organization charts (including where information security resides in the organization and the composition of any information security steering committees). Note: actual names of employees are not required
d) Physical security policy and procedures (building and/or restricted access)
e) Third-party security reviews/assessments/penetration tests
f) Legal clauses and confidential templates for third parties
g) Topics covered in the security training program
h) Security incident handling and reporting process
j) System and network configuration standards
k) System backup policy and procedures
l) Offsite storage policy and procedures
m) Vulnerability and threat management scan policy and procedures
n) Application security policy
o) Change control policy/procedures
p) Problem management policy/procedures
q) Certification of proprietary encryption algorithms
r) Internal vulnerability assessments of systems, applications, and networks
s) System development and lifecycle (SDLC) process document
t) Business continuity plan (BCP) and/or disaster recovery plan
u) Most recent BCP/DR test dates and results
v) Most recent SOC report
w) Privacy policies (internal, external, web)
5. Request additional documentation from the vendor if necessary
6. The SRA Analyst will review the documentation and report on the following areas:
7. During the assessment process, if the SRA Analyst identifies a risk, it is reported along with a recommended remediation activity to address the issue.
8. Upon completion of the initial assessment, the SRA Analyst will set up a peer review meeting to vet the results of the risk assessment. Any issues found within the report are noted and corrected before the report is completed and submitted for signature.
9. After the SRA Manager approves the Vendor SRA, the SRA analyst emails the latest SRA draft to Vendor Risk Management (VRM), who is responsible for finalizing the VRM aggregated report from Information Security, Privacy and Enterprise Business Continuity.
10. VRM will conduct a final close-out meeting with the vendor, and the assessment is closed.