Vendor (3rd Party) Security Assessments

We understand the importance of maintaining good business relationships.

You rely on business partners to provide critical services. It’s no wonder third parties are a growing cause of data breaches. Understanding your exposure is the first step in mitigating risk. We have tested and fine-tuned our risk assessment methodology over many years and thousands of assessments.

Why Conduct An Assessment?


Compliance: HIPAA, PCI, 23 NYCRR, IRS 1075, MARS-E, etc.


Identify potential risk you are inheriting from vendors


Accountability: Use assessment results to improve your third-party service providers’ accountability


Evaluate potential partners earlier in your relationship and make better business decisions


Minimize inherited risk from potential and existing partners


Transparency: Provide metrics and reporting on vendor security risk to your executive team

Our Methodology

Partner Trust Assessment (PTA)

Our analysts ask questions from relevant security control groups. For example: Physical Security, System Security, Access Controls, Operational Security, Data Security, Network Security, and Application Development Security. All evidence provided by your partners is reviewed and assessed.


Privacy Impact Assessment (PIA)

With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls such as data use and accuracy, sharing practices, notification of use, and access to data.

Vendor Impact Analysis (VIA)

What’s the worst that could happen? Our analysts outline the business impact from a breach in confidentiality, loss of integrity, or lack of availability from the vendor.

Managed Service Deliverables

Yearly Assessments

of all vendors in your security risk management program

Monthly Status Reports

include assessment progress, dashboards of overall risk levels, and key deliverables

Annual Risk Level Report

provides your management team or board members with a 20,000-foot view of your vendor risk


“NuHarbor assessments give visibility into our third-party risk exposure. We don’t have the internal resources to conduct yearly assessments of our 40+ vendors. These valuable insights inform the decisions we make when choosing and managing partnerships.”

CIO, Insurance Company

Why Outsource Vendor Risk Assessments?


Analyze Trends and track security risk for all partners in your vendor security risk management program


Benchmark vendors to see if they are complying with best security practices


Measure risk posture of your partners over time


Adjust Contracts based on your vendors’ risk levels.


Scalable: Quickly onboard new vendors into your vendor management program

We Can Also Help With…

Single-Serve Assessments

Take a test drive. Try a single vendor assessment.


Tailored Assessments

Do you need an assessment questionnaire or process specific to your business needs? For example, our analysts can draw on security frameworks, project requirements, compliance, and industry best practices.

Identifying Quality Partners

Our Risk Assessment Team can inquire into potential partners. We detail the processes and data involved to gauge risk.


Customized Reporting

Need to track certain metrics or risk areas? We can work with you to meet your business’s reporting requirements.

User Controls

Yearly review of complementary user controls

Need Vendor Assessments?