Compliance in the Age of Cloud

3 Key Components to Mitigate Vendor Risk

August 20, 2020 11:00 AM

Running a business “in the cloud” was once reserved for innovators and large enterprises, but now nearly every business on the internet is operating in the cloud. As companies rely on an ever-growing stack of SaaS vendors, it presents new challenges for compliance and risk management, but also new opportunities to simplify compliance management. In an age where your data lives across thousands of servers, how can you be sure you’re covered from unnecessary risk? At the same time, because your information is stored in the cloud, it’s never been easier to automate asset management, evidence collection, and other typically tedious tasks.

Click below to watch this webinar on demand, and learn:

  1. The new considerations for managing vendor risk
  2. Tools and processes organizations are currently using to manage vendors
  3. A framework for identifying your vendor management "maturity"
  4. Practical advice for leveling up your vendor management sophistication

Presented by

Joe Veroneau
Joe Veroneau
Trust & Security


Kyle Brasseur (00:01):

Hello, and welcome to today's webcast, brought to you by Compliance Week and Conveyor. I'm Kyle Brasseur with Compliance Week and I'll be your host. Today's webcast is Compliance in the Age of Cloud: Three Key Components to Mitigate Vendor Risk. Before we hear from our presenters, let me review the agenda. We're scheduled to go for one hour. After the presentation, we will have a question and answer session. Your questions will be kept confidential and anonymous, so please don't be shy. You can ask your questions at any time using the Ask a Question function on the left-hand side of your screen and I'll pose them to our guests at the end of their presentation. After the Q&A, I'll wrap up the webcast.

Kyle Brasseur (00:38):

This webcast will also offer CPE credit for all attendees. Please be sure you're using either Google Chrome or Firefox as your internet browser and that you've disabled your pop-up blockers in order to access the exam. Once I have signed off and the webcast is completely over, the final examination will be presented automatically in a separate window. If you have trouble viewing the CPE test or receiving the CPE certificate, please send an email to webcast@complianceweek.com. Again, to ensure receipt of your CPE credit, please be sure you are using Google Chrome or Firefox as your internet browser. If you've missed anything, I'll repeat these instructions at the end of the webcast, so stay tuned.

Kyle Brasseur (01:13):

A few other administrative details. At any time during the presentation, listeners can download the slides from the drop down menu on the left-hand side of the screen. There, you will also find the feedback form to the webcast. We welcome your thoughts as we are always looking to improve your experience. If you wish to increase the slide size, you can also hit the view slide full screen button at the top right of your screen. And lastly, a help button is located in the upper right-hand corner of your screen for assistance.

Kyle Brasseur (01:39):

I'd like to welcome today's speakers. It is my pleasure to introduce Joe Veroneau. As a member of the Data Protection Advisory team at Conveyor, Joe advises companies of all shapes and sizes on their journey to GRC maturity. He also supports Conveyor's SOC 2, ISO 207001, and HITRUST programs. He loves being able to think about big picture strategies while still getting into operational details. Joe is a graduate of Boston College with a degree in Operations Management.

Kyle Brasseur (02:04):

We also have Jeff Lesser. Jeff is a product marketing leader at Conveyor responsible for bringing products to market successfully. He has been involved in Cannes-award winning marketing initiatives and lead product marketing teams for B2B and B2C products. Jeff is a Boulder, Colorado native and a graduate of the University of Colorado, Boulder with a degree in Economics.

Kyle Brasseur (02:22):

It's great to have you all with us and with that I will turn it over to Jeff to get us started.

Jeff Lesser (02:29):

Thanks Kyle and thanks everyone for tuning in today. Just a quick overview of our agenda, we're going to first cover the cloud era of compliance and how this matters for your risk management, vendor risk management program. We're going to get into the challenges with vendor risk management and some details of vendor risk management. We'll follow that with a maturity model that we've developed around vendor risk and then lastly, we're going to follow up with some free resources as next steps that you can use, both educational resources and tools to improve your vendor risk management and maturity.

Jeff Lesser (03:02):

So, let's start by talking about the cloud era of compliance. I think what's interesting about where we're at today is that it has this trajectory that has followed the trajectory of the internet. So early in the era of the internet there was data networking that was really about connecting two computers and giving data the flow between the two of them. Shortly after that, became the era of data sharing which was really led by scholarly institutions trying to share data sets with each other and schools saying: "Hey, can we share these large data sets with each other and find value in that?"

Jeff Lesser (03:38):

Shortly after that, that led to a bunch of companies recognizing that they could monetize data and that led to an era of data aggregation in the 2000s. And since then we've sort of entered into this consciousness around data protection, and with all this data that is now flowing around on the internet between all these different entities, data security and privacy and protection is really the era that we're at in terms of data consciousness.

Jeff Lesser (04:04):

The technology also evolved along with this sort of trajectory of the internet and the data consciousness. So in the early days of the internet when there was data sharing, it was all about having on-premise data and taking your data and sharing it to someone else, who then would store that data on premise. As data aggregation became more of a thing, hybrid environments evolved so that your data was both stored on premise and in these cloud environments. And now we're in an era where basically companies are existing entirely with cloud data and they don't hold any of the data themselves. And this leads to a environment where they use a lot of different vendors who are also housing their data and the data of their customers entirely in the cloud.

Jeff Lesser (04:52):

So this evolution for this data security has meant that these companies, typically software and service companies have sprawled. And this has meant that vendor lists have increased and the compliance complexity has grown exponentially. We talk about this in terms of SaaS sprawl. In a survey of a thousand companies, 68% said that they were mostly or completely driven by SaaS and didn't have any of the data themselves. 23% said that they were entirely driven by SaaS, and only 9% said that they had little to no SaaS adoption.

Jeff Lesser (05:30):

So this proliferation of SaaS services has led to a unique challenge in the vendor risk management process for companies. And what we see is that this is only accelerating. We're only at the beginning stage of this SaaS sprawl. There's 30% increase in the unique number of apps in usage per company year over year. And that becomes compounded by the size of your company. So larger companies are having a larger amount of SaaS usage than smaller companies are. This leads to a bunch of different challenges in your vendor risk management which we're going to cover today.

Jeff Lesser (06:10):

Before we jump into details of those challenges, we'd love to just start with a quick survey of the audience and get a take of what your challenges are in vendor risk management. So should we just sent out a survey for everyone to participate with? The question is what is your biggest challenge with vendor risk management? And there's a number of different options for you to choose from in terms of your challenges.

Jeff Lesser (06:48):

I'll just give everyone a minute here to respond. Okay, looks like we've got some data back. We'll wait a little bit longer here. As a reminder, the question or the answers are getting information from vendors, determining vendor risk, vendor onboarding, maintaining vendor inventory information, ongoing vendor reviews, and terminating vendors as the potential challenges for this survey.

Jeff Lesser (07:26):

Great. Looks like we've got some results worth sharing, so I'll send the results to the audience. And it looks like the biggest challenges that people have identified are determining vendor risk. Almost 30% of people had that as a challenge. There was also ongoing vendor reviews as a big challenge posed and getting information from vendors was also a large challenge. So that's great. We'll talk about some of those things today for sure.

Jeff Lesser (07:54):

At this point I'd love to turn it over to Joe who's going to talk about those challenges in vendor risk.

Joe Veroneau (08:00):

Awesome. Thanks Jeff. I think one thing that really stands out to me from the data consciousness piece is that once you see the problem, you have to take action on it, and particularly moving to the cloud, historically the cyber security piece who's managing your own house internally and keeping your data safe and secure, but the more processors and handlers of data that enter into the picture, the scope of your security program needs to really expand so broadly. And I think that's where a lot of the challenge with vendor risk management comes into play, that your own internal security program has more threats and more technologies in place today, as well as external requirements. But then multiply that by all of the other organizations that are supporting your program and you're relying on to protect that information. So you really ... It's hard enough to run your own security program, but now you're needing to understand the security programs and the risk postures of all the different vendors you're working with.

Joe Veroneau (08:56):

I mean obviously that really stands out with that SaaS sprawl piece, is that 30% year over year growth in terms of the number of SaaS systems that organizations are relying on. And so if you don't have that strong vendor management process in place today, you're continuing to add more and more vendors into a broken process. And I like to think of that almost like the game of Tetris, that once the blocks start to stack up and you are out of sync, all of a sudden it becomes unwieldy very quickly. So I think one of the pieces that we hope to have as a takeaway from the presentation today is some repeatable processes you can implement to know how to move vendors through your vendor risk management process and focus on the areas of highest risk and making sure that it's not a broken process that's weighed down with no repeatable way to onboard and monitor vendors.

Joe Veroneau (09:42):

I think the other big challenge with vendor management is that it is the double-edged sword that you are running your security and compliance program internally and needing to communicate that out to your customers, but also needing to learn about your vendor security programs. It can be the stressful almost game of go fish where you're asking for documents from your vendors but your customers are asking about your security program. And then there's also this power dynamic both internally that end users are wanting new services and applications to work with and have timelines to achieve their business objectives with these SaaS systems, but also wanting to make sure that you go through the necessary steps to successfully onboard those vendors. So there's just a lot of play in the scale of SaaS systems, particularly even in the current work from home and remote environments would imagine that the velocity of SaaS adoption is just continuing to increase. So setting some solid foundations is important to be able to build repeatable process in the future.

Joe Veroneau (10:48):

The additional piece that really makes this challenging is the framework fatigue and kind of the number of opinions and regulations that are out there in terms of how a vendor onboarding process should function or a vendor management process should function within your security program. So that just a small subset of the frameworks and regulations that are out there today in terms of what the inputs for your security program or your vendor risk management program can be. I think the frameworks provide a few different things. One is a way to see the world and a way for you to structure your programs. It's also a way to communicate externally to your customers, to your leadership and stakeholders about how you are managing vendor risk today, and there are again, a lot of different ways that a program can be structured.

Joe Veroneau (11:34):

SOC 2 has eight points of focus and CC 9.2. I think it's particularly interesting one to call out is the communication protocol, to really determining how do we communicate with vendors, both when they're getting onboarded, as well as when there's issues and challenges or at renewal. ISO 27001 and Annex 15 has five controls to focus on. One that stands out for me is the security within agreements which gets down to how are we outlining the contractual requirements for security with our vendors, and really ultimately means that there's likely more than just the security or risk team that needs to be at the table. It's also now a legal or a privacy issue in terms of determining what are we making into our contractual agreements with customers or, excuse me, with our vendors.

Joe Veroneau (12:20):

And then NIST particularly within the cyber security framework. I think this is a particularly interesting one in the context of the evolution that Jeff discussed with the original version of the NIST cyber security framework in 2014 didn't really cover vendor management much at all. It was really focused on your internal cyber security program managing a security risk. But with the updates in 2018 and version 1.1 really shifting to include five sub-categories for supply chain management, one that stands out is the response and recovery with your vendor, so determining for these critical suppliers that are managing and processing your data if there's availability issues how are you getting back online and considering the security implications of vendors that you're relying on, all of those sitting in the identify section within the NIST cyber security framework.

Joe Veroneau (13:15):

I think these three give ... I think one of the challenges is that they're each kind of baked into their own section within a framework, and it's maybe hard to see how the full process works end to end. And that's why I'd like to call out COBIT 2019 and the updates that were released last year with the five management practices related to managing your vendors. I think COBIT does a great job of outlining what does a process look like for actually repeatably managing vendors and having some element of maturity in there as well, that there are some best in breed or number one top most mature practices as it relates to vendor management in managing your vendor risk, but there's also some baseline steps that should be in place for all organizations.

Joe Veroneau (13:57):

So when it comes to really thinking about what is a process we can implement for understanding our vendors, onboarding our vendors and managing that risk long-term, COBIT I think has some really strong takeaways. I think it's also nice that it's not necessarily something that you'll be certifying against or needing to deliver out to customers. So you're able to pick and choose pieces that resonate with your organization and not implement all five AnnexA controls as the opposite example where you really want to be implementing everything within the iso 27001 framework.

Joe Veroneau (14:29):

I think COBIT really helps also paint the picture of it takes a village to manage vendor risk at an organization. It can't just be the security team or the risk team that's managing vendors. Really everyone at the organization at the end of the day has some type of responsibility or accountability as it relates to vendor management.

Joe Veroneau (14:46):

And then finally the 6,000-pound gorilla in the room. If anyone has worked with the HITRUST framework or has pursued HITRUST certification, over 20 requirements listed there, and also having an element of maturity assessment as it relates to those requirements. One that particularly stands out is accessing or managing vendor access to your systems, so treating your vendors that may be accessing certain systems or accessing your internal environments and monitoring their access, removing when the vendor is off-boarded. HITRUST is definitely getting pretty prescriptive in terms of some of the components that need to be included in your vendor risk management processes.

Joe Veroneau (15:27):

I do want to dig in just a little bit more on the COBIT 2019 framework, and I think they give some great examples of how you can implement repeatable processes at your organization that have responsibility and accountability defined. Again, I guess a little bit of a double-edged sword, that you need many people at the table to make a vendor management process work effectively and be repeatable and great in the business long term. So again, COBIT 2019 as a potential resource to review after this presentation or to include in your process planning at your organization will really outline all of the steps of vendor management from identifying and evaluating vendors down to monitoring their performance and compliance and outlining some common positions or common structures within your organization that may be involved in this process.

Joe Veroneau (16:17):

You may not have all these departments and functions defined and it's not one-size-fits-all solution, but this type of visual I think can be really helpful for building and designing a repeatable process at your organization.

Joe Veroneau (16:31):

And with that we will transition to focus a little bit more on our view of vendor risk management and a repeatable process in terms of laying out how do we manage our vendor risk long-term. And what we have on the screen here is a visual of the four steps that we would see. So aligning pretty closely with the five buckets that are outlined in COBIT 2019.

Joe Veroneau (16:55):

So every vendor that comes on board to your organization should go through a screening process. And then once that vendor is selected, onboarded, and then moving through a vendor monitoring and review. And then considering when that relationship comes to an end and what are the steps that need to happen. Also, you're outlining kind of the cyclical nature that if a vendor is being off-boarded or terminated, they're potentially still a business need that was being filled by that vendor determining do we need to replace them with another vendor or continue to rely more heavily on a vendor that's providing a similar service. So there is that cyclical nature as well.

Joe Veroneau (17:32):

The first step that we'll dig in on here is the vendor selection piece. And I think one way to really view vendor selection is there's the explicit components of vendor selection that are pretty easy to see, like a security certification. So if a vendor has an ISO 27001 certification or a SOC 2 certification, that may make you more comfortable with moving forward with that vendor or prioritize a vendor that has a more explicit security posture.

Joe Veroneau (18:06):

There's also the more implicit pieces of how easy is it to actually get this information from the vendor and how transparent are they with their processes. So do they have just a generic security page that has the AICPA logo on it that they have SOC 2 type 2, or they are transparently sharing the information that they've collected about their security programs and building that trust with you early on.

Joe Veroneau (18:30):

One selection document that I think can be really helpful is looking at penetration tests and determining either what looking at the vendor certification reports to see how they manage their vulnerability management and penetration testing program, or potentially receiving a redacted copy of their most recent penetration test because I think at the end of the day that's how you see does this organization actually dedicate the financial resources to go through an annual penetration test and then ultimately are they taking action on the results of those penetration tests.

Joe Veroneau (19:03):

We've done vendor reviews and been a part of onboarding in the past where it's maybe a less mature organization they haven't fully obtained a SOC 2 certification yet or an ISO 27001 certification, but they're able to demonstrate that we've gone through an annual penetration test and we have the capabilities internally to respond to the issues and the vulnerabilities that are identified as a part of those penetration tests. I think that goes a long way with that implicit or building transparency and trust.

Joe Veroneau (19:31):

The other piece is the security questionnaires. And this is one where there's just so many different ways to skin the cat in terms of standard information gathering questionnaires of the cake. Even some organizations that maybe don't have a formal vendor security questionnaire process today or don't have the certifications are actually just leading with their own pre-filled certifications that ... their pre-filled questionnaires that they're actually sending to vendors as a part of the selection process. And recently worked with onboarding a vendor that proactively sent a populated questionnaire that they had filled in for another organization and really wanted to be transparent and straightforward that hey, we don't have a SOC 2 type 2 today. We're pursuing it, but here's how we manage our security program today and being open to that selection and onboarding conversation.

Joe Veroneau (20:25):

Once you've landed on a vendor that we're ready to sign the documents and move forward with bringing this vendor into our environment and our infrastructure, that's where we move on to step two which is really the vendor onboarding process. And I think that's really where that racy model from COBIT 19 is important that, it's not just one individual that can fully onboard and bring a vendor into your environment. There are some of the administrative pieces of adding it to an inventory, whether that's in a GRC system or within a centralized document management system, and getting the files documented appropriately in terms of their security questionnaire or their penetration tests, their SOC 2 certifications so you can compile all that evidence and be able to demonstrate looking backwards that we've completed the necessary steps that are outlined in our frameworks or within our internal policies and controls.

Joe Veroneau (21:17):

The one I want to talk about here really is the risk rating which wasn't part of the survey was highlighted that risk rating of vendors and understanding the risk levels is very challenging. I mean I think there's two practices that we start to see here. One is having an overall rating for the vendor. And these can be pretty complex. We've seen organizations that have a dozen different characteristics in terms of geographic location and the amount of data that's being sent to the vendor, the spend, really building a complex calculation to try to weight the vendor in terms of what business units they're supporting or the availability risks. Others just having more of a few characteristics that help to determine is this high risk or low risk, and then for the higher risk vendors making sure you're spending more time evaluating really what are the risks that introducing this vendor into our environment brings.

Joe Veroneau (22:09):

And that's where we talk about potentially logging individual risks. An example that comes to mind is you're working with a log provider, someone's going to be aggregating a lot of logs from your systems. There's a particular risk that may need to be logged in your overall enterprise risk register that everything we're logging is getting sent to this third-party SaaS provider, all the data that's shooting out of the exhaust pipes of all of our applications. And that's a significant risk in terms of what data may be in those logs. So more closely monitoring that vendor or determining is it longer term, something that we need to bring this logging in house to terminate that risk or include additional contractual and legal stipulations with the vendor in terms of entering into a VAA or entering into more stringent contract language based on the data that they'll be storing and processing.

Joe Veroneau (23:05):

The next is also logging gaps and remediations as a part of those risks. So if you do the review of a vendor and you need to move forward with them but there are some red flags, whether they don't have a security certification today but they're planning on obtaining SOC 2 in the future, logging that is something that you follow up with the vendor on as a part of the review or logging deficiencies that you've identified within their certification reports. Having some way to know when it comes time for that review with the vendor, what are we going to check in on, what is the progress of closing out the open vulnerability from the vulnerability scan you shared? So really thinking of what data or what pieces are we going to actually focus on during our review.

Joe Veroneau (23:47):

And then the final piece here is mapping these documents and the data to the different controls. So having a way to indicate that this repository of SOC 2 reports or this list of vendors are really in scope for our HITRUST certification and are mapped back to these requirements within HITRUST, and building your vendor management processes in a way that you're able to easily demonstrate to an auditor, to an external body that we've actually implemented what's in our controls and here's how we can facilitate that audit walkthrough a conversation. So collecting this information and structuring it in a way that facilitates or lends itself to facilitating a conversation with an auditor or an external audience.

Joe Veroneau (24:32):

The next slide we have is looking more broadly at just three general topics that we like to think about at Conveyor in terms of tools in the toolbox as it relates to vendor management. And that is integrate, automate, act, and in particular integrating is trying to pull as much data that's related to your vendor management processes into one central location. So that's the vendors themselves and the associated documentation, as well as characteristics of those SaaS systems that vendors may be providing and what is the business use of that particular SaaS application, what are the risks related to that particular SaaS application? And then having some ... a way to automate or flag items that need additional action, whether that's triggering an onboarding task when a vendor gets integrated into a centralized system or when a vendor is moved to inactive, making sure that an off-boarding process is triggered.

Joe Veroneau (25:27):

I think the goal here is creating that single pane of glass to see here's our vendor inventory, here's how it touches or interacts with our business, and then here are the actions that we need to be taking based on what we've identified within that system.

Joe Veroneau (25:40):

Jeff, I'm curious from the integrate, automate, act perspective if there's anything else that comes to mind for you here?

Jeff Lesser (25:51):

Yeah. I think what's interesting about the opportunity with integrate and automate and act is that the manual processes that happen in compliance are really where the frustration and the challenges occur. There's both the challenge of these tasks are menial and time-consuming, but also they're error-prone. And so the more that you can automate those types of tasks and reduce the amount of manual time that's spent on them and the amount of errors that happens from them, it improves your compliance program overall. So we know a lot of compliance programs like the top level of maturity, which we'll talk about later, is really like optimizing and improving, continuously improving your program. And I think automation is one of those ways that makes you more effective in what you're doing, but also ticks that box of the highest level of maturity.

Joe Veroneau (26:46):

Awesome. Thanks Jeff.

Joe Veroneau (26:49):

And we do have a great question that came in here that I think we can take a second to discuss. The question that came in is: What do you say about bouncing the building of trust through transparency and not handing over the keys to the kingdom if a vendor provides all the information about their security policies? Aren't they setting themselves up to vulnerabilities?

Joe Veroneau (27:07):

I think there are some administrative controls that can be put in place for that of entering into non-disclosure agreements and making sure that any sensitive information that's being shared is protected. But I think ultimately some of it is redacting down the information and not sharing the full detail of every piece of a penetration test or a vulnerability scan, but just the executive summary or being able to demonstrate that action is being taken on those. But it is definitely a fine line of a mature security management program is going to identify issues and gaps and technical deficiencies. And it's true that if someone gets that information, they have playbook of the most likely attack vector that could be exploited. So it's something that we can protecting documents, non-disclosure agreements and secure document transfer which we can discuss a little bit later on are some of the ways that that can be accomplished.

Joe Veroneau (28:04):

Next is the vendor maintenance piece which sometimes it feels like such a sprint or a lift to get the vendor onboarded that you need to remember that there's this ongoing maintenance piece that needs to occur as well, that at a set frequency say at least annually for those critical vendors, they need to be re-evaluated and determined. Are we still comfortable with this relationship? Is the vendor meeting their contractual requirements? Are they helping to achieve the business objectives that they were able to ... that they were brought on? Are they solving the business challenges they were brought on to support within the first place?

Joe Veroneau (28:39):

I think from a vendor maintenance perspective, some of the big things to know or to ideally be able to see as a part of your vendor maintenance is what's happened, what's happening next, and then most importantly, what should have happened that didn't happen? So are you able to usually tell we've been onboard with this critical vendor for over a year. It seems like no one has done recertification or review on them or there's been no updates to the documentation for that vendor. Having smart triggers and alerts to know this record is getting a bit dusty but we're continuing to put more and more information into the SaaS provider, so knowing what should have happened that has not yet, that's kind of the policy versus reality.

Joe Veroneau (29:18):

I think our CEO Chas in particular has a great image he uses, that security program outlines what should happen and then when you review what actually happened, the delta between those two is what you really want to focus on. Almost a SOC 2 type one versus type two. You can have great policies and procedures and a pristine vendor management process that you've outlined in confluence or in word documents, but at the end of the day if what's in those policies is not happening and operational at your business, that is the gap that needs to be filled. So really focusing on or flagging what should have happened that didn't is I think a key piece for vendor maintenance.

Joe Veroneau (30:02):

And the final piece of that four-step vendor management process here is the vendor off-boarding. So the basic piece is be aware of expiring contracts and be able to know that this contract is coming to an end, and also the characteristics of those contracts. Is it an evergreen agreement that we need to make a decision every year or have an opt-out that we need to terminate or give notice within a certain period of time? I mean particularly from the requirements within HITRUST and in general revoking vendor access. So these vendors are potentially having access to your systems to support with particular initiatives. Removing that access when it's no longer required that in theory could happen at the end of onboarding with a particular vendor if they're supporting with implementation and making sure those accounts are deactivated, but at a minimum, when you're no longer under agreement with that vendor.

Joe Veroneau (30:51):

And then ensuring data deletion. I mean this is something that would typically be covered in a contractual agreement with the vendor that after the agreement ends, they'll delete or destroy the data. But getting some type of certification from them or being able to see for yourself that the data has been removed are additional steps that can help with collecting evidence and ensuring that it is truly removed from their systems and logging that down ideally into the same repository of information and determining this is helping to satisfy our not just vendor management requirements but also our data classification, data handling requirements, that we're understanding data that's left our organization and how that's removed once we are terminating our relationship with that vendor, and then finally, the cleanup of removing the vendor from the inventory.

Joe Veroneau (31:37):

So there's a few pieces that are pretty low hanging fruit, stop paying the vendor and kind of remove them from top of mind, but ruin their access and logging the evidence that you took those actions are things that you ideally don't want to need to go on an archeological dig to find when it comes time for an audit.

Joe Veroneau (31:55):

I mean that's I think this piece, the racy model from COBIT 2019 comes in as well, that it can't just be security or risk management that is off-boarding vendors. There's the business user that likely knows the context of how much did we actually use this product, what data ended up in there, what vendors may have accessed our systems, and then finance that's kind of holding the per strings as well to stop paying that vendor. So I think business operations or finance internally can be a huge partner for actually rolling out a mature vendor management process, because it's ultimately a security typically sitting in the second line of defense, is probably not the one requesting these vendors and working with them through their life cycle. And so collaborating closely with finance I think a great way to make sure that these are actually implemented and rolled out at your organization.

Joe Veroneau (32:43):

And with that Jeff, I'll pass it back to you to discuss a little bit about our vendor risk maturity model.

Jeff Lesser (32:52):

Awesome. Thanks Joe. I'm actually going to go back two sides here because I think one thing that you talked about that's super interesting is the integrations, automations, and intelligence part of vendor maintenance. When you think about compliance in the age of the cloud, the ability to integrate with these services and have your inventory be kept up-to-date automatically is super powerful. It takes like an entire step out of the process when it comes to onboarding. And then the automation that can come from that, you can have all the tickets that you need, all the evidence that you'll want to collect happen automatically, and it really lifts that load off of you as a compliance manager.

Jeff Lesser (33:31):

And then I think this last part, intelligence, is really powerful. Like you were saying, you've got that single pane of glass to see everything through. If the systems that you're using can surface to you, hey, this is the thing, you need to do this thing, or something has changed and now you need to act upon that, I think that's really powerful.

Jeff Lesser (33:49):

So when we think of what are the three key components to compliance in the age of the cloud, I think these like five hits on the head, it's integration, it's automation, and it's intelligence.

Jeff Lesser (34:03):

Yeah, let's talk a bit about vendor risk maturity. And before we jump into that, we've got another survey. So the survey is to help us understand that primary tool for managing vendors and vendor risk. So I think everyone should have the survey available to them to weigh on now. But the question here is: What is your primary tool for managing vendors and vendor risk? We'll give everyone a minute to answer that.

Jeff Lesser (34:44):

We're starting to see some results, but as a reminder, the options are email, spreadsheet stocks and/or email, project management software, dedicated vendor management, software integrated risk management software, GRC software or something else. Still seeing some numbers come through, so we'll give everyone a little bit more time.

Jeff Lesser (35:26):

Great. I'll share out the results. It looks like the majority of you are using some combination of spreadsheets, docs, email, what I like to call like a McGyvered solution, and a lot of you are also using a dedicated vendor management software. So it's the opposite of a McGyvered solution. And then a decent number are using GRC software or something else. Great, this will help us as we go through the next section which is all about the vendor risk maturity model and how to improve that.

Jeff Lesser (36:06):

So first thing to talk about in the vendor maturity model is the GRC processes. So before we talk about the whole life cycle and how to be or the different levels of maturity within that life cycle, there's the sort of like how are you at managing the processes that you need to manage from a GRC perspective.

Jeff Lesser (36:24):

So there's level one which is like processes are unpredictable, poorly controlled, and reactive. And this is kind of like flying by the seat of your pants to manage these processes. Level two, processes are defined, scheduled, well-controlled, and reactive. So you've started to build out a program and you are understanding more of what you need to do. Level three is that you've started to automate some of those processes. When you can't automate them, they're more standardized and easy to implement. They're applied once and used across many different projects. Hopefully, they're expertly controlled and you've moved from being reactive to being more proactive. And then level four is processes are automated more than in level three but the few that are remaining when manual are definitely standardized. You're still applying once and using across many projects, and really what you're trying to do here is prove business value and improve upon your processes.

Jeff Lesser (37:26):

Joe, did you have anything you wanted to add around GRC processes?

Joe Veroneau (37:30):

Yeah, a few things that come to mind. I think one is the maturity models, they're everywhere. Yeah, a lot of different frameworks and methodologies have this concept of maturity, and I think like COBIT 2019 does a good job where they outline like here are the set of activities that amounts to a reasonable process, and then here are some of the more mature pieces that can be layered on after the fact. And then HITRUST as well, having that concept of having the control implemented but then starting to measure how automated is your monitoring and kind of continuing to do that maturity assessment.

Joe Veroneau (38:05):

What I like about this model that we've been working on is the four levels, and I like to think that most people, particularly if you're on this webinar and you're putting resources towards it internally, you're probably making strides away from level one and moving into the level two territory. And the organizations that have started to implement an automated GRC system or dedicated more resources internally to get that buy-in across the different governance functions are more in the level three territory. And then level four, I think it was like the four minute mile. If you're at level four and you're crushing it across all the domains of vendor risk management, then hats off to you. And we'd like to attend the next webinar that you present on because some of this is just challenging really with the scale and the volume of growth, particularly within SaaS systems, that there's always going to be that goal to get to those in the most automated and perfect solution.

Joe Veroneau (38:56):

So I do think most people are sitting in the levels two to three area and looking for tools and strategies to level up from two to three or approach that four minute mile or that fully automated GRC solution.

Jeff Lesser (39:11):

Awesome. Thanks. Yeah, so talking about the security questionnaire process, I think a couple of things are interesting here. One is when we did our survey at the beginning, a large number of people mentioned that getting information from vendors is their biggest challenge with vendor risk management. And Joe mentioned that being a company is a double-edged sword. You both need to get that information from vendors, but if you're selling to other businesses, you also need to provide that information. And these security questionnaires are one source of particular headache for many companies because they just take so long to fill out. We hear from companies all the time that they've received a 400-question long questionnaire.

Jeff Lesser (39:54):

So when we think about the level of maturity in responding to these security questionnaires, it really boils down to how much of this is manual and you're spending your time doing these on a one-off basis and how much of this can be streamlined, templated, automated, or even provided ahead of time. Can you mitigate the need of a questionnaire coming to you by being transparent and proactive with providing your security posture?

Joe Veroneau (40:24):

Yeah. And what comes to mind here for me Jeff is that piece that as a organization you are administering security questionnaires to your vendors or putting some type of external signal out there to try to determine is this vendor reasonable to work with, but you're also receiving that from all of your customers of needing to fill in and populate their questionnaires.

Joe Veroneau (40:45):

I think what comes to mind here ultimately is that once all that's done, the security questionnaire is completed, you've looked at the SOC 2, there needs to be a decision that's made that yes or no, we're going to pay them or not, we're going to give them our sensitive data or not. And the security questionnaire process as you mature it, helps you to reach that decision faster. It also helps your customers reach decisions about you faster. So the security questionnaire piece can be key for increasing the velocity with which you can open up systems and services to your internal customers or your business users that are requesting these, but also with the speed with which you can bring on new customers or give your services to other organizations. So the security questionnaire process is one that I think velocity is key with having a process to get through quickly, both on the giving and receiving end.

Jeff Lesser (41:42):

Great. Let's next talk about screening potential vendors and the maturity model that exists here. I think this is like a typical evolution of a company. Level one is like the first time you've ever done a security review of a potential vendor and you're screening them. You don't know what you're doing, and so you've got no due diligence and everything's pretty haphazard. By the time you've done a few of these, you've evolved and matured to level two, where you've got a basic understanding of what you need to do. Maybe you've built out a template so that when you start to get some of this information back, you can put that into the template. And it's still relatively manual but you at least have a process for what you're doing.

Jeff Lesser (42:25):

Level three, you've got good processes that you've gone through and refined over time. You're using external sources and third-party scoring to do some of these reviews, and hopefully, you've got some piece of software that helps you manage the documentation and the policies around doing all of this. And then ultimately, when you reach the top level of maturity, you've automated a large chunk of this. You've got a centralized repository where you can access all the documentation and it's integrated and automated with your vendor onboarding system.

Jeff Lesser (42:58):

I think that's a good transition into our maturity model around vendor onboarding. When you think about that level four maturity event of onboarding where you've got integrated and automated vendor onboarding, you've screened the vendor, you've put them in your system. Now, when it's time to onboard them, it's integrated, it's automated. You just simply turn them on in your system, you set them to active. The data starts to flow so your system knows it's happening automatically and you don't have to manage that. Whereas at the lower levels of vendor onboarding, it's very manual, it's very haphazard, and if you're moderately better at level three, you hopefully have some software that's helping you to manage that.

Joe Veroneau (43:44):

Yeah, the one thing I would add here Jeff is the vendor onboarding is one of the pieces where I think it's really important to have that repeatable process outline. So I think it's for two reasons. One is that when someone requests a vendor and they get onboarded, if corners were caught or the process wasn't fully set, that is what your business owner now understands the vendor management process to be. So potentially doing retraining or outlining a clear procedure for how vendors should be onboarded. So business users are aware that there may need to be a one to two week period where we're going through the final security review and getting the vendor on board and building that time into the process, but also being able to move quickly through the vendor onboarding process when you have that automation for the documentation and the policies.

Joe Veroneau (44:31):

I like to go back to that Tetris example that the blocks just continue to keep coming faster and faster, and if you don't have a process, all of a sudden it's game over. And when you think of the end of the quarter or the end of the year, your business users maybe have been evaluating a marketing tool and a business intelligence tool, and then all of a sudden the sales reps from those organizations are offering an end-of-year discount and people are trying to get three or four new vendors squeezed in at the end of the quarter, and now you have four vendors to onboard. If you don't have that repeatable process and automation, it can really become a headache in terms of making sure the necessary steps are followed. And ultimately, any of those corners that are cut or pieces that are missed, that becomes an issue when it's time to audit and look backwards of what actually happened over the course of the past year.

Joe Veroneau (45:14):

So the repeatability of vendor onboarding and building culture into the organization that there are a set of necessary steps that need to happen and ideally helping them understand why it's important to go through this standard onboarding process are a couple other things that come to mind in terms of leveling up that maturity.

Jeff Lesser (45:34):

Yeah, it's super valuable. I think one thing that Joe often talks about with us internally is how all of these things take people, processes, and tools in order to evolve your maturity. And so I think that's a good insight around like how to use processes and tools there to help you evolve your maturity.

Jeff Lesser (45:57):

Let's talk about the maturity model with vendor monitoring and review. At level one it's managed in spreadsheets, it's often forgotten. You might have the actual review itself stored in spreadsheets or you might have the date of when these reviews need to happen in spreadsheets, unless they often get forgotten. So level two, after you've gone through that struggle a few times, maybe you've got this project management system that you're using to manage this or you've built it in your calendaring system that these reviews are supposed to happen on a cadence.

Jeff Lesser (46:30):

Level three is really when you've started to move into like automated reminders and tasks, and you've got this confidence that your policies are being followed because you can take your review and tie it back to the specific control that is a requirement within a framework.

Jeff Lesser (46:44):

And then finally level four is when you're being automated, proactive. Maybe you're checking the SLA and getting real-time alerts around the problems that are happening with your vendors that might make you want to do a review on an ad-hoc basis as opposed to the yearly or by yearly or every three years review that you're going to do based on your classification of the data from your vendor.

Joe Veroneau (47:10):

A second, one more thing there Jeff in terms of a strategy that we've started to try to implement in terms of the vendor monitoring and review, is that there's a lot of great data out there that can help you to just understand your vendors over time.

Joe Veroneau (47:27):

We've launched an events API that allows for kind of opening up an endpoint that all sorts of different external data can be pointed into our GRC system to flag or check the characteristics of that external information. So whether it's downtime from a critical vendor or an alert in the news related to particular vendors, I think finding the right recipe for those alerts that would stream into GRC is something that is inevitably a lot of design requirements go into it and thinking through not having too much noise flow in, but having automated triggers that make sure that the relevant information does sink into a central location and then ultimately some type of check or review to determine does this violate our SLA or are we comfortable working with a vendor that has this type of negative press or reputation.

Joe Veroneau (48:12):

So automated ways to not just once a year go through that review and look backwards and see, well, this application was down an hour a month for the entire year or they're part of an ongoing investigation, but being able to know those things sooner when they happen so you can make those decisions I think is another goal that we're striving for here at Conveyor.

Jeff Lesser (48:36):

Great. Thanks. Let's get into the last one. I know we're running short on time. The last one's around terminating vendors. This is an instance where at the first level of maturity you might not have done this before. We see people who keep paying vendors even though they haven't used them or no longer want to use them. We see people who still have access. Their vendors still have access to their systems because they don't have a good process to follow.

Jeff Lesser (49:03):

So level one is again just sort of like fly by the seat of your pants and can be highly problematic for data protection and security. Level two, you've got some like process that you're following a checklist but it's probably manual in order to remove them from your systems and data. Level three, you've got a thorough process for ensuring that all access is removed. You work with the vendors to make sure that all of your data is deleted from their systems, those types of things. And then level four is really around having smart alerts for expiring contracts, really making it easy for you to know when a contract is going to be expiring as opposed to you having to figure that out and doing it yourself surface those really important moments to me that might trigger a vendor termination event for my review.

Jeff Lesser (49:53):

Quickly before we get into the next steps let's do one last survey. We just want to understand where the audience sits in terms of their perception of their own maturity. So we've got a question here: How would you classify your current vendor risk management maturity based on the model that we just went through, levels one through four. There is a level zero as well where you might not be doing any of this today. You might not be doing any vendor management. So that's okay too.

Jeff Lesser (50:28):

Starting to get some numbers in. And as a reminder, level zero is if you haven't started, level one is if you're initial doing your first vendor management exercises. Level two is when you're developing your program and starting to build out some of those processes and procedures. Level three is when you've got it well managed and centralized and you're starting to be more proactive. And then level four is really when you've started to automate away a lot of those manual tasks that occur in vendor management.

Jeff Lesser (51:08):

I'll just give a couple more seconds here for your answers to come through. Great. I'll share these out. It looks like most of you are level two and level three. You're developing your vendor risk management processes. And some of you or on the same amount of you have really started to build those out into a central proactive process. That's awesome.

Jeff Lesser (51:47):

Next up we've got some resources for you that will help you with your vendor maturity, your vendor risk management maturity. The first is a vendor management guide that we've created, and it goes through this vendor maturity model and more detail and gives you actionable steps in ways that you can improve your vendor management. And I believe we'll have a link that we can send out to this afterwards.

Jeff Lesser (52:14):

And then the other resource that we want to provide is a way for you to provide your security posture to your customers more easily. I think there was a question that came through and it said: Joe talks about vendor pen test results. Can the customer easily request these reports for review? And what we find is that when customers are asking you for your security posture, they do so in a number of ways. They'll ask you for your reports and your pen tests, and then they'll send you a survey. And we found that oftentimes this leads to delays in the sales cycle in the field, especially in the B2B world.

Jeff Lesser (52:53):

So what we've done is we've created this tool that takes this whole process of a customer requesting your documentation and then you taking that request over from the sales person over to the compliance team and needing to get a document watermarked by the engineering team and then delivered back to the customer after they've signed an NDA that's been reviewed by the legal team. So there's this whole process of how it works today. And we've created a tool that makes it super simple for you to just load up your documentation like your pen tests and your reports and other things into what's called a room, and then, when you invite someone to your room, they'll fill out an NDA and have self-serve access to your documentation. So you can sign up for free at for a Conveyor room at conveyorhq.com/customer-trust/rooms.

Jeff Lesser (53:49):

We have some more time for questions. So it looks like we have a couple that we can still get to.

Joe Veroneau (53:57):

Awesome. And the one, I'll just pop back to the simplifying being a vendor Jeff. One piece that comes to mind here as well pretty good with that question of can a customer usually request these reports for review, I think there's a gradient with which vendors are comfortable sharing their internal security documentation. And to the question that came up earlier, some of this is ultimately the Achilles' heel or the chink in the armor in that if it's known that they have these issues, it becomes easier to exploit a particular vendor.

Joe Veroneau (54:28):

So I've seen organizations trying to transparently share about their security programs with public-facing documentation, a robust security page, essentially a SOC 3 that would just be a summary of the contents of the SOC 2 or an ISO certification. Once you get into the protected room having a non-disclosure agreement that's signed and then able to download out the SOC 2 or some of the standard security documentation and then ultimately in the room you're able to get certain documents to really be only for the customers that are eventually going to close or later on in the process. You probably don't want your penetration test getting out there to everyone in terms of the executive summary. But if you're going to be processing critical information for a vendor, I think it's a reasonable request for them to see at least a summary of how you're managing your vulnerability and penetration testing program today.

Joe Veroneau (55:14):

The other question that came in is when it comes to international vendors who don't get SOCs is or don't get SOC 2 reports is COBIT 2019 or another framework, a good alternative for SOC reports. COBIT 2019 I'd say it's more of an internal management framework. So it's good to talk about within your communications with customers but not exclusively security focus, so probably not as relevant for collecting as a part of due diligence documentation. But definitely from an international perspective ISO 27001 is probably going to be the most common one that you come across, and particularly for individuals in Europe potentially, understanding how they're complying with the NIS directive or what their security program looks like in terms of the GDPR requirements for security. So there are definitely regional or international focuses that you can place, the ISO 27001 certification probably being the most common one.

Kyle Brasseur (56:15):

All right. I think we're near the top of the hour Jeff and Joe. So I think we can wrap it there, but thank you guys for a very informative session.

Kyle Brasseur (56:23):

Once again to the audience, if you like a copy of these slides that were just presented, you can download them from the drop down menu on the bottom left-hand side of your screen. And for those of you who are still asking questions, we will be able to get these questions and follow up with you offline. So anyone that we did not answer, please be on the lookout for further interaction.

Kyle Brasseur (56:44):

I'd like to give a special thanks to Conveyor for making this webcast possible. Once again to the audience, to obtain your CPE credit for this presentation, please disable your pop-up blockers in order to access the exam. The webcast will close automatically and the final examination will be presented in a separate window. If you have trouble viewing the CPE test or receiving the CPE certificate, please send an email to webcast@complianceweek.com.

Kyle Brasseur (57:06):

This webcast has been recorded and will be available later today to Compliance Week members on our website under the Webcast tab, which also contains a library of additional CPE webcasts. If you'd like to learn more about becoming a member, please contact us at info@complianceweek.com. For today only we invite you to use the code Webcast365 to receive a membership for just $1 a day. Check out complianceweek.com/membership to learn more. This concludes our webcast. Thank you again for joining us and enjoy the rest of your day.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form. Please try again.