Vendor management is either extremely time- and resource-intensive, or is handled by systems that do not consider the operational context and the nature of the risk presented by a third party.
Several years ago, the OccamSec team was presented with the task of performing a large number of vendor assessments. These were being conducted manually and consumed considerable resources, amounting to a large cost to the client. Our team created a portal (the Vendor Assessment Portal, or VAP) to handle the bulk of the work. The portal provides an effective way to assess the risk posed by vendors, and is based on feedback from our clients and on our own experience. The system is also flexible and able to accommodate different risk tolerances across organizations.
In the case of this industrial client, a formalized assessment approach was agreed upon and the aspects that mattered most to the client were identified and ranked. VAP was configured to take account of this ranking, and assessments then began. Each assessment still required some human analysis, primarily to determine whether the security controls in use by the vendor were actually effective.
VAP sits within the larger ecosystem of OccamSec services and so benefits from work done elsewhere. For example, in the case of the industrial client, some vendors would not respond to the assessment. In these instances the Identify team collected data on the vendor and performed an assessment based on known data and intelligence.