How To Know If You Should “Fire” a Vendor

It is usually extremely hard to fire a vendor that the business wants to work with. If you have the authority to pull that trigger, use it sparingly. We enlist the business to help us get assessment results back when needed, and we prefer to push vendors into remediation rather than firing them. VENDEFENSE makes remediation straightforward, so we prefer to build remediation plans the vendor can work through. That way everyone wins.

The Ultimate Checklist For Vendor Risk Management

Within a busy organization, vendor risk management (VRM) can sound like an ideal concept that is far out of reach. Armed with a vendor risk management checklist and VRM software such as VENDEFENSE, establishing a VRM program is well within grasp and can take less time, energy, and resources than expected. The first step in creating a VRM program is to develop a plan.

Vendor Risk Management and NIST

The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) in response to Presidential Executive Order 13636, signed in 2013. This voluntary guidance is built on existing standards, guidelines, and practices to help organizations better manage and reduce information security risk. A further benefit is improved communication about information security with both internal and external stakeholders.

6 Places You Can Get Your Full Vendor List

Part of any vendor risk management program is putting together a list of vendors. This information is often scattered across an organization, and it takes some real wrangling to collect it all. This is why software such as VENDEFENSE® is convenient: it helps create a centralized list of vendors that is easy to update as needed.

How to Get Your Full Vendor List

First, let’s start with the question, “Why do I need to manage all vendors?” We get asked this all the time. If you have a vendor risk management program at all, you likely aren’t managing all of your vendors, just the ones you think are important. That is a reasonable approach, but it has some potential issues.

Vendor Risk Management Strategy

People are not inherently good at defining strategies. This is a problem. The problem is worse for information security strategy, and worse still for vendor (and third-party) security risk management strategy. These assertions come from observations made over more than 25 years of working with a wide variety of organizations.

Vendor Risk Management Roles and Responsibilities

The experts spend a lot of time describing how organizations should be doing Vendor Risk Management (VRM), but they tend to overlook a critical factor: who should be doing VRM within the organization. The push for information security VRM is relatively new, so responsible parties are ill-defined, and the role of Vendor Risk Manager is not formalized in many organizations. The mix of personnel overseeing VRM programs is truly varied, ranging from security analysts and IT directors to compliance departments and CISOs.

Vendor Risk Management Goals

It’s easy for an organization to get caught up in establishing policies, workflows, and procedures for vendor risk management. Without explaining to your team why these policies matter, and stressing it, many will lose sight of the primary goal of vendor risk management: to put the organization in a defensible position.

Vendor Risk Management Reporting

For most organizations, measuring vendor risk management is extremely difficult, if not impossible. That’s because they are either doing nothing to manage vendor security risk or using a method that isn’t conducive to measurement.