Follow these steps when conducting a Vendor Security Risk Assessment (SRA). This is an actual process used by a commercial entity.
b) Copy of internal or external information security audit report
c) Information technology and security organization charts (including where information security resides in the organization and the composition of any information security steering committees). Note: actual names of employees are not required
d) Physical Security policy and procedures (building and/or restricted access)
e) Third-party security reviews/assessments/penetration tests
f) Legal clauses and confidential templates for third parties
g) Topics covered in the security training program
h) Security incident handling and reporting process
j) System and network configuration standards
k) System backup policy and procedures
l) Offsite storage policy and procedures
m) Vulnerability and threat management scan policy and procedures
n) Application security policy
o) Change control policy/procedures
p) Problem management policy/procedures
q) Certification of proprietary encryption algorithms
r) Internal vulnerability assessments of systems, applications, and networks
s) System development and lifecycle (SDLC) process document
t) Business continuity plan (BCP) and/or Disaster recovery plan
u) Most recent BCP/DR test dates and results
v) Most recent SOC report
w) Privacy policies (internal, external, web)
5. Request additional documentation from the vendor if necessary
6. The SRA Analyst will look through the documentation and report on the following areas:
7. During the assessment process, if the SRA Analyst identifies a risk, it is reported along with a recommended remediation activity to fix the issue.
8. Upon completion of the initial assessment, the SRA will set up a peer review meeting to vet the results of the risk assessment. Any issues found within the report are noted and corrected prior to completing the report and submitting it for signature.
9. After the SRA Manager approves the Vendor SRA, the SRA Analyst emails the latest SRA draft to Vendor Risk Management (VRM), who is responsible for finalizing the VRM aggregated report from Information Security, Privacy and Enterprise Business Continuity.
10. VRM will conduct a final close-out meeting with the vendor, and the assessment is closed.