As children, it’s not the monsters in the spotlight that keep us up at night, it’s the monsters hiding in the dark that we know are there but can’t see. If you’re running a vendor risk management program, the monsters in the dark are “Shadow IT”, the unreviewed vendors connecting to your network and accessing protected data.
Here are 5 steps you can take to reduce the prevalence of these unauthorized third parties in your environment and seize control of your vendor landscape:
#1) Establish a Central Vendor Repository. It’s not uncommon for different functions to have their own systems of record (e.g., legal, procurement, vendor risk), but a single “source of truth” needs to be identified as the standing vendor library. The centralized repository will enable correlation across systems, reduce duplicative data, and provide a firm confirmation on the authorization status of a given vendor. ServiceNow has the capacity to act as the primary vendor inventory, and it can also be integrated with other platforms via API as necessary.
#2) Establish a Holistic Onboarding Process. When it comes to onboarding a vendor, there are usually several different activities that need to occur across stakeholder groups, including legal, procurement, IT, and information security. Some of these reviews and consultations can run in parallel, while others may need to operate sequentially.
The process is often initiated via a request item on the Service Catalog, and should be designed with four central priorities in mind:
1. UX: A seamless user experience for the stakeholder submitting the request
2. Speed: The ability for review teams to process large request volumes efficiently
3. Completeness: Ensuring each applicable review/consultation is incorporated
4. Escalation: A system and criteria for handling the inevitable escalation request
#3) Socialize the Approved Onboarding Channels. In general, business stakeholders want to follow the correct process for leveraging third party services, but they will be unable to do so if they aren’t aware of how to begin or the steps involved. A socialization campaign can be launched via ServiceNow’s policy acknowledgment feature, pushing vendor request procedures and information to appropriate business personnel.
#4) Enforce the Process. Performing reviews for requests received from alternate channels (e.g., email) will undermine the onboarding process and may result in incomplete vendor reviews. This traffic needs to be re-routed through the official channel to enforce the onboarding procedure, accomplished by re-directing the requester to the appropriate Service Catalog item or initiating the onboarding process on their behalf.
#5) Plug the Holes. If a vendor is doing business with your company, they will likely submit an invoice for payment at some point. This is a prime opportunity to validate whether the third party is present in the central repository; unauthorized vendors can be funneled into the onboarding process to retroactively perform reviews.
In summary, unauthorized third parties in an operating environment expose an organization to security risks. While this may not be fully preventable for all companies, establishing a centralized vendor repository and onboarding protocol, communicating it to the workforce, enforcing the process, and closing the payment loop on the backend will help reduce the prevalence of unreviewed vendors.
Is “Shadow IT” a challenge in your organization? If you would like to discuss any of these concepts in more detail or talk about how you might incorporate some of these measures into your ServiceNow Vendor Risk implementation, please reach out to info@lionwarellc.com.
Your success is our mission.
Comments