Now more than ever, security teams are struggling to keep up with a seemingly never-ending barrage of vendor review requests. In some organizations, security reviews can even be perceived as a roadblock slowing down the procurement process, often due to factors that are beyond their control like delayed responsiveness to assessments.
Fortunately, ServiceNow’s Vendor Risk Management application provides a tiering assessment workflow that can be strategically configured to (i) streamline the actions involved in a typical review, and (ii) leverage prioritization techniques that allow your team to focus efforts on the third parties posing the most significant risk to the organization.
Accordingly, here are three keys to establishing a successful vendor tiering process in ServiceNow to accelerate your third-party security reviews:
#1 Establish Meaningful Vendor Tiers & Associated Review Criteria
In general, the purpose of tiering is to establish review criteria and protocols specific to certain categories of vendors grouped based on similar characteristics and risk factors. For example, your accounting platform and room scheduling system may both be SaaS solutions, but because of its lesser inherent risk to the organization, you may not need to analyze the security controls in place for the room scheduling software with as much scrutiny or as frequently as those for the accounting platform.
Meaningful tiers and associated review protocols must be set up within ServiceNow to enable these risk-aligned assessments. Most commonly, organizations will have approximately 3-5 tiers with varying assessment requirements and document requests for each. Ultimately, moving from a one-size-fits-all approach to a tiered system like this will reduce the workload burden on the team through risk-based prioritization. But how do we determine which vendors belong in which tiers?
#2 Identify Key Information & Accurately Assign Vendor Tiers
The Vendor Tiering Assessment module within ServiceNow provides a questionnaire-based workflow to elicit information about the vendor relationship from a knowledgeable party within the organization, often the business owner requesting to use the vendor. In this stage, it’s critical for the questions asked within the assessment to capture the details needed to present an accurate view of the risk a particular third party may bring into the environment.
Important questions to consider include whether the third party will have access to protected data types, and which data elements and what data volume are in scope. Will the vendor be getting network access? How critical is the vendor to business operations? Once these details are gathered, a scoring algorithm can be applied to classify the vendor into the appropriate tier for downstream assurance activities.
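The following is an added illustration of how the questionnaire answers from #2 can be scored and mapped to the tiers and review protocols from #1. It is example code, not ServiceNow's Vendor Tiering Assessment logic or the author's configuration; the factor names, answer scales, weights, tier thresholds, override rules and review requirements are all assumptions chosen for illustration, and the two sample vendors are constructed to mirror the accounting platform and room scheduling examples above.

```javascript
// Added example, not ServiceNow's own code: an inherent-risk scoring model that
// maps tiering questionnaire answers to a vendor tier and the review protocol
// attached to that tier. Factor names, scales, weights, thresholds and review
// requirements are assumptions chosen for illustration.

// Ordinal answer scales for the four questionnaire areas discussed above.
const SCALES = {
  dataSensitivity:     { none: 0, internal: 1, confidential: 2, regulated: 3 },
  dataVolume:          { none: 0, low: 1, medium: 2, high: 3 },
  networkAccess:       { none: 0, limited: 2, privileged: 3 },
  businessCriticality: { low: 0, moderate: 1, high: 2, critical: 3 },
};

// Relative weight of each factor (assumed). Maximum possible score is 36.
const WEIGHTS = { dataSensitivity: 4, dataVolume: 2, networkAccess: 3, businessCriticality: 3 };

// Review protocol per tier (assumed values): Tier 1 receives the most scrutiny.
const REVIEW_PROTOCOL = {
  1: { frequency: 'annual',    artifacts: ['SOC 2 Type II', 'penetration test summary', 'full security questionnaire'] },
  2: { frequency: 'annual',    artifacts: ['SOC 2 Type II or ISO 27001 certificate', 'standard security questionnaire'] },
  3: { frequency: 'biennial',  artifacts: ['abbreviated security questionnaire'] },
  4: { frequency: 'on change', artifacts: [] },
};

// Weighted sum of the answers. Unknown factors or answer values are rejected so
// that a mis-keyed questionnaire response cannot silently land in a low tier.
function scoreVendor(answers) {
  let score = 0;
  for (const factor of Object.keys(SCALES)) {
    const value = SCALES[factor][answers[factor]];
    if (value === undefined) {
      throw new Error(`invalid answer for ${factor}: ${answers[factor]}`);
    }
    score += WEIGHTS[factor] * value;
  }
  return score;
}

// Override rules (assumed): certain single answers warrant Tier 1 regardless of
// the total score, so a low-volume but sensitive engagement is not under-reviewed.
function tier1Override(answers) {
  if (answers.dataSensitivity === 'regulated' && answers.dataVolume !== 'none') {
    return 'regulated data in scope';
  }
  if (answers.networkAccess === 'privileged') {
    return 'privileged network access';
  }
  return null;
}

// Classify a vendor: override first, then score thresholds, then attach the
// review protocol the security team will apply downstream.
function assignTier(answers) {
  const score = scoreVendor(answers);
  const override = tier1Override(answers);
  let tier;
  if (override || score >= 24) tier = 1;
  else if (score >= 15) tier = 2;
  else if (score >= 8) tier = 3;
  else tier = 4;
  return { tier, score, reason: override || 'score threshold', protocol: REVIEW_PROTOCOL[tier] };
}

// Constructed sample responses modelled on the article's two SaaS examples.
const ACCOUNTING_PLATFORM = {
  dataSensitivity: 'regulated', dataVolume: 'high', networkAccess: 'limited', businessCriticality: 'critical',
};
const ROOM_SCHEDULER = {
  dataSensitivity: 'internal', dataVolume: 'low', networkAccess: 'none', businessCriticality: 'low',
};

for (const [name, answers] of Object.entries({ ACCOUNTING_PLATFORM, ROOM_SCHEDULER })) {
  const result = assignTier(answers);
  console.log(`${name}: tier ${result.tier} (score ${result.score}, ${result.reason}); ` +
              `review ${result.protocol.frequency}, artifacts: ${result.protocol.artifacts.join(', ') || 'none'}`);
}
```

With these assumed weights the accounting platform scores 33 and is forced into Tier 1 by the regulated-data override, while the room scheduler scores 6 and lands in Tier 4 with no standing document request, which is the risk-aligned outcome described above. In a ServiceNow deployment the same logic would live in the tiering assessment's scoring configuration rather than in stand-alone code; the value of writing it out is that the thresholds and overrides become explicit and reviewable.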
#3 Leverage Automation to Reduce Process Friction
It’s no secret that ServiceNow provides powerful automation capabilities that can be a game-changer for your organization. With some up-front configuration, the tedious steps of building, selecting, distributing, and following up on assessments can be handled fully by the platform, allowing the third-party risk management team to focus on response validation and review.
Connecting the initial request and vendor tiering workflows through automation will remove impeding manual actions and reduce the effort needed per vendor review request. In many instances, the first and sometimes only action required of the security team will be to validate the business owner’s responses to the tiering questionnaire.
Ultimately, building an automated tiering assessment process in accordance with these principles will fast-track security reviews, allowing your third-party risk management team to process more requests with less effort.
If you’re looking to lessen the burden on your security team and accelerate your vendor risk review process, or if you want more information on setting up a vendor tiering system tailored to your organization’s needs, please reach out to info@lionwarellc.com.
Your success is our mission.