
CISO Checklist: Vendor Risk Management

1. Assessing the security posture of prospective vendors

Address each of the following items when considering potential vendors.

Vendor has provided evidence of successful historic partnerships in a similar industry.

Vendor has provided evidence of compliance with mandatory regulatory standards (ISO 27001, NIST, etc.).

Vendor is requesting a reasonable level of access to sensitive resources.

Vendor has implemented a clear and resilient supply chain security program.

Vendor offers an acceptable service level agreement (SLA) that can confidently be maintained in the event of a cyberattack.

Vendor has demonstrated how they plan to keep your business informed about cyber-incidents impacting their ecosystem.


2. Defining clear processes for detecting third-party risks

Ensures your organization is capable of rapidly detecting and prioritizing risks.

A list of all current and historical vendors is maintained and always kept up-to-date.

Each vendor's access to sensitive resources is confirmed to be the minimal level of access required to meet business objectives.

All detected vendor risks are ranked by magnitude of impact to your organization in the event of exploitation.

Each vendor's security posture is regularly assessed.

Vendors with the highest level of access to sensitive customer data are assessed at a higher frequency and with stricter security standards.


3. Managing vendor risks

Ensures you have a process in place for mitigating the chances of vendor
vulnerabilities being exploited.

Establish a clear Incident Response Plan for all vendor-related cyber incidents.

Set clear cybersecurity expectations about how vendors are to respond to cyber threats and how they should keep your organization informed.

Identify all regulatory compliance standards that apply to all vendors.

Establish a regular schedule for scrutinizing vendor regulatory compliance.

Establish a process for monitoring each vendor's security efforts.

Ensure all vendors have implemented multi-factor authentication.

Ensure all vendors are encrypting their data with the Advanced Encryption Standard (AES).

Ensure vendor software is protected with the latest patches.

Regularly audit vendors to ensure they are meeting regulatory security requirements, your own security requirements, and SLA requirements.


4. Keeping stakeholders informed about vendor security efforts

Ensures that management and stakeholders are kept informed about your third-party security efforts.

Establish clear communication channels between vendors and your internal security teams.

Establish clear communication channels between your security teams and stakeholders.

Establish a regular schedule for sharing reliable and actionable vendor cybersecurity information across all channels.

Establish channels for keeping your security teams informed about global developing cyber threats.
