Phase 2 of VRM: Classification

Now that you've completed your vendor inventory, it's time to classify your vendors according to the risk they pose to your organization. Third-party classification is about rating your third-party providers according to the amount of inherent…

Phase 1 of VRM: Inventory

In the simplest sense, a good vendor risk management program is made up of four phases: Inventory, Classification, Assessment and Treatment. These four phases make up a well-designed third-party information security risk management program. Phase…

Do You Need a Vendor Risk Management Program?

The topic of vendor risk management (VRM) is on the lips of nearly every CISO, IT Director, CTO/CIO and business owner in the country, and with good reason. Security breaches have reached near-epidemic proportions and businesses don't need to…

Deviating from Information Security Recommendations

Information security recommendations are supposed to align with business priorities, but sometimes the two are not on the same page. While it's okay for businesses to make decisions independently of their information security programs, this can pose problems within your organization. Find out what you can lose by not having the two agendas aligned.

Vendor Security Risk: Simplify, Standardize and Defend

Vendor risk management is not easy. It's often a monotonous combination of spreadsheets, questionnaires, following up with people, and uncertainty. It's often frustratingly tedious, and it can actually cause otherwise strong information security programs to falter. The best relief is to take a three-step approach to vendor risk management. Simplify. Standardize. Defend.

The Four Vendor Risk Management Programs

Vendor risk management is a critical portion of every organization's information security program. Almost all organizations fit into one of four categories when it comes to managing the data risk their vendors pose: none, painful, partial, or good. Let's find out where you fit.