ThirdPartyTrust Blog

Experts Share Important Metrics for Assessing Vendor Risk

Posted by Jeffrey Spetter on 1/10/18 4:43 PM

Metrics drive the measure of progress and stand as benchmarks during any assessment, audit or review process. They are the lifeblood of reporting, and when it comes to vendor risk management, they are not as straightforward as you might think. Let's take a deeper look at what Guy Dulberger of Ritchie Bros. has to say about the key metrics to track when assessing vendor risk, and how a risk-based approach is the new norm for vendor risk management.

"I think an important aspect of what makes a great security report, KPI or metric is understanding your business and where your greatest organizational risk lies."

- Guy Dulberger, Information Security Executive

In a recent post on Digital Guardian, Dulberger outlines a series of metrics to track when assessing third party risk. As always, the first step is to create a list of your most critical vendors, usually the ones that carry PHI, PII, PCI data, etc., or that have network access. From there, create a risk rating system that is clearly communicated to management and understood by the rest of the organization. This is usually a numerical rating system or something similar to a low, medium, high rating.

Once the rating system has been finalized, it's time to rate vendors based on seven critical areas:

  1. Volume of information
  2. Type of information
  3. Size of commitment
  4. Criticality of the service
  5. Ease of replacement
  6. Brand reputation
  7. Threat intelligence

After rating each vendor on each of these subjects, there should be a quantifiable way of presenting and reporting to management and the rest of the organization.
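As an added illustration (not code from the post, Ritchie Bros. or ThirdPartyTrust), here is one way to turn the seven areas into a quantifiable rating. The 1-5 scale, the weights, the tier thresholds and the rule that regulated data or network access pins a vendor to "High" are all assumptions chosen for this example.

```python
from dataclasses import dataclass, field

# The seven rating areas from the post. Weights and the 1..5 scale are
# assumptions for this example, not a published scoring model.
AREAS = {
    "volume_of_information": 1.0,
    "type_of_information": 1.5,
    "size_of_commitment": 1.0,
    "criticality_of_service": 1.5,
    "ease_of_replacement": 1.0,
    "brand_reputation": 0.5,
    "threat_intelligence": 1.5,
}
SCALE = (1, 5)  # 1 = lowest risk, 5 = highest risk
# Standardised critical issues (assumed): any of these pins a vendor to "High".
CRITICAL_DATA = {"PHI", "PII", "PCI"}
TIER_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Vendor:
    name: str
    ratings: dict                 # area name -> integer rating on SCALE
    network_access: bool = False
    data_types: frozenset = field(default_factory=frozenset)


def validate(ratings):
    """Reject incomplete or out-of-range assessments instead of silently scoring them."""
    missing = set(AREAS) - set(ratings)
    unknown = set(ratings) - set(AREAS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for area, value in ratings.items():
        if not SCALE[0] <= value <= SCALE[1]:
            raise ValueError(f"{area}={value} outside {SCALE}")


def risk_score(vendor):
    """Weighted rating normalised to 0..100 so vendors are comparable."""
    validate(vendor.ratings)
    total = sum(AREAS[a] * vendor.ratings[a] for a in AREAS)
    return round(100 * total / (sum(AREAS.values()) * SCALE[1]), 1)


def risk_tier(vendor):
    """Map to Low/Medium/High; standardised critical issues override the numeric tier."""
    score = risk_score(vendor)
    if vendor.network_access or vendor.data_types & CRITICAL_DATA:
        return "High"
    return "High" if score >= 67 else "Medium" if score >= 40 else "Low"


def report(vendors):
    """Rows for management reporting: (name, score, tier), highest risk first."""
    rows = [(v.name, risk_score(v), risk_tier(v)) for v in vendors]
    return sorted(rows, key=lambda r: (TIER_ORDER[r[2]], -r[1]))
```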

At ThirdPartyTrust, benchmarking and reporting are at the heart of the platform. Applying a customizable, risk-based approach is difficult when dealing with hundreds of vendors, but by standardizing critical issues, like network access, information security teams can easily do more assessments while maintaining a standard baseline.

[Image: Dashboard heat map]

We've created automated reporting, such as the heat map above, to provide insights into vendor populations. Enterprises can use subjects like "vendor requires PCI compliance" or "vendor has network access" to measure the impact and trust of the vendor.


ThirdPartyTrust is a vendor risk management platform that strengthens cyber risk intelligence and simplifies the management process for enterprises performing vendor risk assessments. By analyzing both third and fourth party vendor cyber risk using a network-based solution like 3PT, trust is built and mapped within your vendor ecosystem.
