Vendor Risk Management

Building Your Third-Party Continuous Monitoring Plan: 3 Steps You Can't Ignore

Patrick Puentes | November 9, 2017

Any discussion of sound cybersecurity procedures has to include a continuous monitoring plan that covers both your own environment and your third-party vendors. Continuous monitoring is critical to the health of your company, but it is also difficult to do well.

Organizations that have successfully implemented continuous monitoring programs did so by:

  • Identifying the data to be protected.
  • Creating a process for patching security vulnerabilities regularly.
  • Ensuring endpoints are consistently monitored.
  • Creating a process for identifying any changes in user behavior within the organization.

But this list of best practices isn't complete without also ensuring that vendors and other third parties handle your sensitive data, and your customers' sensitive data, appropriately. That is where a proactive continuous monitoring system like BitSight becomes critical.

Our continuous monitoring system enables you to evaluate potential vendors based on their security posture, and, once onboarded, to receive immediate notifications if a vendor’s security posture changes.

Below are three steps we recommend when you’re setting your continuous monitoring plan, and how using Security Ratings can assist with each step:

1. Inventory and tier your vendors.

To protect your data you need 1) a complete list of all your vendors, 2) knowledge of every vendor’s level of access, and 3) an understanding of which vendors pose the most risk to your organization. There are several factors that should be considered when determining level of risk, including the amount of access they have to your data, the criticality of the data they have access to, and how critical their work is to your daily operations. Determining vendor criticality could be a lengthy process, depending on the maturity of your organization and the number of vendors you have.

We recommend assigning a risk priority to each vendor (high, medium, and low, or 1, 2, and 3) based on the severity of the impact a breach at that vendor would have on your organization. If you're using Security Ratings, we recommend sorting each tier of vendors into its own folder and setting separate alerts per folder, with thresholds that match the security requirements you've assigned to that tier.
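The tiering rubric and per-tier alerting described in step 1 (and the "notify me when a vendor's posture changes" idea above) can be expressed as a small program. What follows is an added example written for this article; it is not BitSight's code and does not talk to the BitSight platform. The CSV inventory, the three-factor scoring rubric, the 250 to 900 rating scale, and the per-tier minimum ratings and drop thresholds are all constructed assumptions chosen to illustrate the approach, not published figures.

```python
"""Tier a vendor inventory and decide which rating changes deserve an alert.

Added example; not BitSight's code and not an interface to the BitSight
platform. The CSV inventory, scoring rubric, rating scale and per-tier
thresholds below are constructed assumptions for illustration.
"""
import csv
import io
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    HIGH = 1
    MEDIUM = 2
    LOW = 3


# Assumed rubric: each factor the post names (data criticality, level of
# access, operational criticality) gets a small ordinal score.
DATA_SCORE = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_SCORE = {"none": 0, "read": 1, "read_write": 2, "admin": 3}
OPS_SCORE = {"low": 0, "medium": 1, "high": 3}

# Assumed per-tier policy on an assumed 250-900 rating scale: the minimum
# acceptable rating and the single-step drop that triggers an alert.
MIN_RATING = {Tier.HIGH: 700, Tier.MEDIUM: 600, Tier.LOW: 500}
ALERT_DROP = {Tier.HIGH: 20, Tier.MEDIUM: 40, Tier.LOW: 60}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_class: str
    access: str
    ops_criticality: str

    def __post_init__(self):
        # Reject unknown labels up front rather than mis-tiering silently.
        for value, table, field in ((self.data_class, DATA_SCORE, "data_class"),
                                    (self.access, ACCESS_SCORE, "access"),
                                    (self.ops_criticality, OPS_SCORE, "ops_criticality")):
            if value not in table:
                raise ValueError(f"{self.name}: unknown {field} {value!r}")


def impact_score(v: Vendor) -> int:
    return DATA_SCORE[v.data_class] + ACCESS_SCORE[v.access] + OPS_SCORE[v.ops_criticality]


def tier_for(v: Vendor) -> Tier:
    # Assumed cut-offs: 6+ is high impact, 3-5 medium, below 3 low.
    score = impact_score(v)
    if score >= 6:
        return Tier.HIGH
    if score >= 3:
        return Tier.MEDIUM
    return Tier.LOW


def load_inventory(csv_text: str) -> list[Vendor]:
    reader = csv.DictReader(io.StringIO(csv_text))
    return [Vendor(r["name"], r["data_class"], r["access"], r["ops_criticality"]) for r in reader]


def folders(vendors: list[Vendor]) -> dict[str, list[str]]:
    # One "folder" per tier, mirroring the per-tier grouping the post suggests.
    out = {t.name: [] for t in Tier}
    for v in vendors:
        out[tier_for(v).name].append(v.name)
    for names in out.values():
        names.sort()
    return out


def evaluate_change(v: Vendor, previous: int, current: int) -> list[str]:
    # Returns the reasons an alert should fire for this vendor's tier; empty
    # means the change is within that tier's tolerance.
    tier = tier_for(v)
    reasons = []
    if current < MIN_RATING[tier]:
        reasons.append("below_tier_minimum")
    if previous - current >= ALERT_DROP[tier]:
        reasons.append("sharp_drop")
    return reasons


# Constructed sample inventory.
SAMPLE_CSV = """name,data_class,access,ops_criticality
PayrollCo,regulated,read_write,high
CloudBackup,confidential,admin,medium
LogisticsAPI,internal,read_write,medium
MarketingAgency,internal,read,low
OfficeSupplies,none,none,low
"""
SAMPLE_VENDORS = load_inventory(SAMPLE_CSV)
BY_NAME = {v.name: v for v in SAMPLE_VENDORS}

if __name__ == "__main__":
    for tier, names in folders(SAMPLE_VENDORS).items():
        print(tier, names)
    # The same 50-point drop is an alert for a medium-tier vendor and noise
    # for a low-tier one.
    print(evaluate_change(BY_NAME["LogisticsAPI"], 640, 590))
    print(evaluate_change(BY_NAME["OfficeSupplies"], 640, 590))
```

The point of `evaluate_change` is that the alert policy lives with the tier, not with the vendor: a 50-point drop takes a medium-tier vendor below its floor and past its drop threshold, while the same drop on a low-tier vendor raises nothing. Validating labels in `Vendor.__post_init__` matters in practice because an inventory with a misspelled access level would otherwise be tiered wrongly without any error.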

2. Create a continuous monitoring communication plan.

Once you’ve reviewed all your vendors’ Security Ratings and tiered them according to criticality, you’ll need to let vendors know how they’re being evaluated, monitored, and measured.

We recommend that your communication plan includes the following:

  • An initial email to vendors. This email should inform them of the relationship your organization has with BitSight so they know they’re being continuously monitored—and aren’t surprised if you reach out in the future to communicate a need for them to improve their rating.
  • A trigger for granting Enable Vendor Access (EVA). If a vendor isn't performing to the standards you've set, make sure they have BitSight access so they can see their own Security Rating and the recommendations for bringing it up to the level you've designated for their tier. Vendors will likely appreciate this, since it gives them visibility into data about their own posture that they wouldn't otherwise have.

3. Run a pilot of your continuous monitoring plan, then roll it out across all vendors.

Run through your communication plan with a pilot group of vendors. This helps ensure the lines of communication are clear, questions from your vendors are answered, and any issues are resolved before the plan is rolled out to your entire vendor inventory.

Finally, don’t forget about positive vendor feedback.

Having a stringent third-party continuous monitoring program is great, but such programs tend to focus on the times your vendors are not performing to your expectations. This is important, but be sure to take time to reach out to vendors who are performing positively as well. Not only will it encourage them to continue the best practices they have in place, but it also strengthens the overall vendor relationship.

Looking for more tips on how to create your third-party continuous monitoring program? This free webinar outlines six important lessons—watch it today!
