To optimize business operations, organizations depend on a range of IT vendors, including cloud service providers, data analysts, and payment processors. These vendors often have access to sensitive business insights and customer data, including personally identifiable information (PII), non-public personal information (NPI), personally identifiable financial information (PFI), protected health information (PHI), and cardholder data (CHD). Therefore, a data breach or other such adverse incident at a vendor firm can have catastrophic consequences.
Overall, IT vendor risks can result either from the vendor’s internal environment (e.g. security infrastructure, financial viability) or external environment (e.g. fourth parties, local and global compliance requirements). To keep these risks in check, various regulations like HIPAA, as well as mandates from the FDIC [1], require that organizations have well-defined vendor management programs.
With the complexity, scale, and scope of IT vendor relationships increasing, organizations need to have efficient vendor monitoring and assessment mechanisms. IT vendor risks should be identified early on, and then evaluated and mitigated proactively to minimize business disruptions, as well as to optimize performance. To meet these requirements, many organizations are adopting robust vendor risk management solutions.
MetricStream IT Vendor Risk Management Solution
The MetricStream IT Vendor Risk Management Solution delivers comprehensive visibility into the vendor ecosystem, enabling organizations to manage vendor risks in a streamlined and consistent manner. The solution supports vendor information management, vendor risk assessments, continuous vendor monitoring, and risk mitigation. It also helps evaluate vendors in line with internal and external compliance requirements during pre-qualification processes, as well as on a continuous basis.
As the IT vendor base expands, the solution scales up to provide an in-depth view of the risks in vendor relationships. It also saves time, resources, and costs by helping users efficiently prioritize vendors for risk assessments and mitigation based on risk categories, criticality, and other factors.
[1] HIPAA – Health Insurance Portability and Accountability Act; FDIC – Federal Deposit Insurance Corporation
[2] Source: Customer responses and GRC Journey Business Value Calculator
[3] GLBA – Gramm-Leach-Bliley Act; PCI-DSS – Payment Card Industry Data Security Standard; HITECH Act – Health Information Technology for Economic and Clinical Health Act
80% reduction in vendor onboarding time
50% reduction in the time and costs required to complete vendor assessments and to identify risk [2]
Sustained compliance with the latest regulatory requirements and industry standards
Fewer vendor risk incidents and stronger business resilience with the help of accurate insights on vendors and their risk impact
Improved vendor consolidation and rationalization, as well as visibility into the businesses, assets, spend, and risk exposure associated with each vendor
Enhanced awareness of vendor and fourth party security profiles and risks through the ability to validate vendor information with leading content providers
Document and maintain information on IT vendors, including company profiles, IT assets, key contacts, associated business units, products/services, contracts, certifications, spend, country, performance scores, access to sensitive information, bank information, fourth parties, and risk or compliance issues.
Enable the database to be securely accessed by authorized internal users, as well as vendors across geographies. Through a self-service page, allow vendors to edit their profile, upload documentation, and respond to assessments, issues, and action plans.
Enable users to view, search, and manage vendor information on the solution’s intuitive vendor profile page. Leverage the page to trigger actions such as vendor assessments, issue investigation, termination, subscriptions to alerts, due diligence, and profile updates.
Onboarding Due Diligence
Automate screening and onboarding workflows for different types of IT vendors. Segregate critical and non-critical vendors by assessing their level of access to sensitive information like PII, PHI, etc.
Enable a structured process to qualify, segment, and rank vendors based on multiple attributes, including product or service category, country, annual spend, and revenue. Trigger due diligence assessments and audits based on pre-defined rules.
Validate vendor information and ratings with the help of alerts from reliable internal or external sources. Based on vendor categories, define the frequency of ongoing monitoring activities.
Just as in the onboarding stage, integrate with feeds from industry content providers to validate information on IT vendors, and gain insights into their risk and compliance status. Source information on grades, ratings, and rankings to keep track of vendor and fourth-party security, unsolicited communication, potentially exploited firms, botnet infections, malware servers, spam propagation, file sharing, and data breaches.
In addition, gather data on politically exposed persons (PEPs), sanction lists, special interest persons (SIPs), state owned enterprises, adverse media listings, financial status, credit rating, regulatory compliance, and sustainability ratings – all of which are useful in monitoring vendors.
Subscribe to vendor related alerts based on the risk rating or criticality of each vendor. Review the alerts, and risk rate vendors accordingly. Also perform risk assessments, and log issues for remediation.
Periodic Risk Assessment
Identify the level of risk associated with each IT vendor, contract, and service. Adopt a risk-based approach to ensure that appropriate time, effort, and costs are allocated to each vendor risk bracket.
Enable risk assessments based on various risk types (e.g. reputation risk, financial risk, strategic risk, bribery/corruption risk, legal risk, IT risk, sustainability risk, business continuity risk, and information security risk). Modify the built-in risk assessment templates to suit business needs. For periodic assessments, prioritize tasks based on vendor criticality, rating, tier, and date last assessed.
Enable vendors to view and respond to their assessment results through a self-service page. Automate the calculation of risk scores based on vendor responses, and determine the overall vendor risk posture.
Identify, measure, and monitor the compliance status of IT vendors in a structured manner. Design and conduct compliance assessments and surveys based on internal policies as well as external regulations. Assess vendor compliance with information security regulations such as PCI-DSS, HIPAA, GLBA, and the HITECH Act [3]. Enable a preliminary evaluation of vendor security. Conduct deep-dive assessments with the help of the Shared Assessments Standardized Information Gathering (SIG) questionnaires A-Z. Collect vendor attestations and certifications indicating compliance.
Issue and Exception Management
Capture vendor issues and exceptions, and enable investigations to determine their root cause. Manage both interim containment actions and long-term corrective/preventive actions. Confirm the effectiveness of the remediation action in preventing the recurrence of the problem. Terminate and off-board vendors in a structured manner in the event of contract breaches or expiration, as well as dissatisfaction with vendor services, or incidents of non-compliance.