Commonly found gaps in Vendor Risk Assessments
VIRAT SHAKTIVARDHAN, 21st October 2020
Over the last 2 years, the ComplyScore team has completed 2,000+ third-party risk assessments. During these assessments, we started to notice a similarity in the gaps most found by our analysts. In this blog, we have listed out the gaps that have been reported for at least 25% of the vendors assessed.
- Application penetration tests are not performed at a regular frequency.
- Network vulnerability scans are performed at irregular frequencies.
- Third-party risk assessments are not implemented as a part of the policy.
- Log retention duration is not satisfactory.
- Multi-factor authentication is often missing from applications, servers, databases, and network security devices such as firewall, VPN, IDS/IPS, etc.
- Configuration Management is not implemented to satisfaction. Also, hardening, many times, is not implemented as a part of the documented policy.
- IDS/IPS is many a times not implemented in the medium and low scale industry
- DLP is not implemented in either of email, endpoint, network, and application or all of them.
- A periodic review of access rights is not done.
- The principle of least privilege access is not enforced
- Subcontractor training is not enforced.
- Automated Alerting [for security devices such as firewalls, IDS/IPS, SIEM Tools, etc. Many times, organizations implement only manual review for anomalies] is not enabled and implemented.
- BIA analysis is not conducted along with the risk assessment process.
- Dynamic Testing is not performed on codes.
As you evolve your vendor governance program across multiple Tiers, the above list will help you gauge the likelihood of a missing control. If any of these controls are important in your context, then ensure to include them in your assessments.
And as the technological landscape continues to evolve and your business scales, it is crucial to be prepared to meet the ever-changing vendor risk demands. With each new third-party vendor added to your team, your exposure to risk increases.
As always, we are here to help you with your assessments should you need any assistance. By helping you identify your third-party’s vulnerabilities, risks, and control gaps, ComplyScore ensures that you know which vendor is your weakest link and how to handle it. Contact us today to learn more.