  • Tools to manage Vendors

    What are some tools you’ve come across to deal with managing Vendors, e.g. completing questionnaires, contracts, findings? How did you find them?

  • #2
    RSA Archer
    Archer is a bit of a beast in my experience; it did the job, but mainly that’s because it was heavily customised.

    We found it pretty good at managing Tiering (It was performing a range of calculations), Contract documents, and stakeholders. We had the ability to hold findings but had great trouble with using it to automatically chase findings, or complete questionnaires in. It was awful at automating comms and we would never have used it to contact suppliers.

    Another advantage was the ability to host it onsite, giving us complete control over all the data within.
    Due to the ability to customise, we had great issues upgrading the system.

    My advice to users is to control changes to Archer with an iron fist; if you don’t, you will end up spending a lot of money on a third party to unpick everything the moment it needs an upgrade.

    Overall I’d give it a 5/10; it’s good enough if you already use it as a GRC tool, but moving away from it is painful, and I’m not sure how or if they are selling a third party tool nowadays as ours was a custom magic mix!
    Last edited by Infosecxual; January 9th, 2020, 10:29 AM. Reason: Adding link


    • #3
      So this doesn’t quite answer your question, maybe because I had a custom built program at my disposal. Now I’m kinda starting from scratch but with a smaller scope, which is nice. I only do annual reviews while others handle thorough, technical onboarding reviews.

      TLDR: Control the purse and keep it simple.

      I came from supply chain management and logistics. The company had a robust third party management tool custom built for business purposes, with document management and already tied to financial systems. So I, with accounting all in with the idea (so many good things happen when accounting backs your project), made the call to use that to incorporate tracking of all IT third parties, which were previously semi-managed and tracked in SharePoint, and maybe someone had a contract or SoW saved on their desktop. We even had a control set up so a vendor couldn’t be paid without being added in and tagged with a security review in the system. Security, accounting, and procurement all had to be bypassed to use a vendor. And if you bypassed, they couldn’t be paid. ¯\_(ツ)_/¯

      Upon vendor creation by our procurement team, a form had to be filled out and uploaded by a designated sponsor; scoring based on specific criteria to determine if a vendor (IT or BizOps) would require a security review. No form to procurement, no pay by accounting. Form added but no review, it got caught by automated monthly reporting to security.

      Aside from company info and description of services, these had to be answered:
      • Will/Could vendor have access to customer data whether physical or logical?
      • Will/Could vendor have access to employee or company data whether physical or logical?
      • Will/Could vendor have physical access to company facilities/systems?
      • Will/Could vendor have logical access to company systems?
      • Will/Could vendor be involved with any development, infrastructure, or other system related projects?
      Basically any “yes” got flagged for a security review. Follow up questions determined the risk level.
      • Data: If yes, Restricted, Confidential, Business sensitive, or Public data?
      • Physical access: If yes, escort, temp badge, full badge access?
      • Physical access: If yes, access to DC?
      • Logical access: via company or vendor asset?
      • Logical access: observed Remote Desktop session, on-site credentials, VPN credentials, network interface between company and vendor?
      • Contract in place with appropriate clauses?
      • DPA in place if required?
      • Breach history?
      • Privacy shield?
      • SOC2? Which Criteria?
      • ISO 27k?
      • Verify risk through a third party registry.
      • Verify public records of company (US and some international were easy. Most intl not so much).
      This and more was all scored to determine low to critical risk.

      So some vendors, let’s say a dev consultant who would have escort, no logical access, and maybe business sensitive project info, might not face the same scrutiny as let’s say a cloud SIEM.

      If they had SOC2, controls would be reviewed and mapped to our controls; especially if the vendor was defined as a sub-service org in our own SOC2 and we relied on them as our own.

      If ISO27k, did scope meet our needs? Maybe I could get a copy of their Statement of Applicability for further review.

      If neither, and risk warranted it, they got a custom questionnaire. It was relatively short compared to even the SIG Lite. Oh boy, filling out a full SIG is no fun. Let alone 100s of custom questionnaires. I’ve filled them out so took pity. I accepted pre-filled SIGs if available. If not, mine had specific questions with drop down selection of answers with automated scoring on the backend. None of this “Yes/No/Comment”. Drop down selections were specific and included a range with better scoring if it met my own policy. If you had my data and it was in a database, “What level of encryption is used?” A, B, C, D, with one of the answers being based on my policy standard. There was sometimes an “Other”, then a comment for subjective scoring.

      All docs loaded into the system with dates of document reviews and expirations. It also triggered reports of re-evaluations.

      Findings and issues were difficult to manage, though; mostly spreadsheets and Sharepoint. Phase 3 would have incorporated an existing issue tracking system already in the program, it just hadn’t been modified for my purposes yet.

      If issues, no SOC2/ISO/etc. and risk was beyond medium, the CISO had to sign off on usage.

      The irony was I never got the program through SOC2 without an exception. The fully functional battle station was destroyed by an auditor in an X-wing who said “I know that vendor has a SOC 2. We did it. You didn’t review it, so exception” despite CISO sign off and the vendor not even being a sub-service org. I still call bs.

      I guess the moral is find out who you pay. Accounting is your friend. Build criteria off of that list and keep it as limited as necessary. If you really only need to evaluate sub service organizations on whom you rely for your own controls, just do that.


      • Infosecxual
        Infosecxual commented
        Thanks for that; our criteria for tiering are pretty similar. Might be worth starting another thread to talk about tiering suppliers?

        I think the self-build model is a lot more reasonable nowadays with O365; you could build and automate a lot of the systems that would have been a pain in the butt to build when you did so!
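      The intake-and-scoring flow described in #3 (screening questions, follow-up answers scored into a risk level, then SOC 2 mapping, ISO scope check or a custom questionnaire, with CISO sign-off when risk is beyond medium and no attestation exists) can be modelled in a few lines. This is an added illustration, not the poster's custom-built program; the weights, band thresholds and field names are assumptions, since the post gives no actual numbers.

```python
from dataclasses import dataclass

# Screening questions from the intake form; any "yes" flags a security review.
SCREENING = ("customer_data", "employee_company_data", "physical_access",
             "logical_access", "system_projects")
# Weights are assumed for illustration; the post gives no actual numbers.
DATA = {"public": 0, "business_sensitive": 1, "confidential": 2, "restricted": 3}
PHYSICAL = {"none": 0, "escort": 1, "temp_badge": 2, "full_badge": 3}
LOGICAL = {"none": 0, "observed_rdp": 1, "onsite_creds": 2,
           "vpn_creds": 3, "network_interface": 3}

@dataclass
class VendorIntake:
    name: str
    screening: dict             # screening question -> True/False
    data_class: str = "public"
    physical: str = "none"
    dc_access: bool = False
    logical: str = "none"
    contract_clauses: bool = True
    dpa_gap: bool = False       # DPA required but not in place
    breach_history: bool = False
    soc2: bool = False
    iso27k: bool = False

def needs_review(v: VendorIntake) -> bool:
    return any(v.screening.get(q, False) for q in SCREENING)

def risk_score(v: VendorIntake) -> int:
    # Follow-up answers are summed; an attestation (SOC 2 / ISO) takes one point off.
    score = DATA[v.data_class] + PHYSICAL[v.physical] + LOGICAL[v.logical]
    score += 2 * v.dc_access + v.breach_history
    score += (not v.contract_clauses) + 2 * v.dpa_gap
    return max(score - (v.soc2 or v.iso27k), 0)

def risk_level(score: int) -> str:
    bands = ((2, "low"), (5, "medium"), (8, "high"))
    return next((name for limit, name in bands if score <= limit), "critical")

def next_step(v: VendorIntake) -> str:
    if not needs_review(v):
        return "no security review"
    level = risk_level(risk_score(v))
    if v.soc2:
        return f"{level}: map SOC 2 controls to ours"
    if v.iso27k:
        return f"{level}: check ISO 27k scope / Statement of Applicability"
    step = "custom questionnaire"
    if level in ("high", "critical"):   # no SOC 2/ISO and risk beyond medium
        step += " + CISO sign-off"
    return f"{level}: {step}"
```

The escorted dev consultant from the post scores low and gets only the questionnaire, while a cloud SIEM holding restricted data over a network interface lands in a higher band even with a SOC 2 report.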

    • #4
      LogicGate is way cheaper than the larger GRC platforms and includes a ton of customization. Their customer service is some of the best I have ever come across also!


      • #5
        I liked OneTrust much better than Archer, especially based on cost, bonus that they just added full GRC to the platform.

        I did set up SimpleRisk too, but it was too much work compared to what I can do with Excel.

        Back to ad-hoc and time to rebuild in my current role though.

        Anyone have a good template for response/report for findings/issues to deliver back to the sponsor/business/vendor?


        • #6
          I've been looking at GRC tools that include some vendor management/assessment features. ZenGRC and Ostendio are my front runners right now. ZenGRC is more full featured, but Ostendio is more affordable.

          Twitter: @AccidentalCISO


          • #7
            Second suggestion for OneTrust here - certainly if you want something to hit the ground running.

            I've also seen some good tools specifically for managing pen tests (from proposal to reporting), but they're only worth investing in if you're getting through a lot of tests each year and probably not what you're looking for.