NuHarbor Security Blog
March 27, 2018

Risk Management - Which Vendors Should I Assess?

Brianna Blanchard

Third-party security assessments are a crucial part of any information security risk management program. Conducting ongoing security assessments of your vendors gives you clarity on the risks you may be inheriting from them. The first step in any vendor security assessment program is to identify your key partners. Identifying the key vendors for your vendor management program can be uncertain and time-consuming. How should you begin?

Vendor Identification

The third parties you should focus on are entities that store or have access to your company’s data. You should also consider third parties that have access to your network or IT infrastructure. Here are some processes and techniques to help you get started in identifying your third parties.

Data Inventory

One of the first places to start is to create a data inventory. Creating a data inventory will identify the systems, applications, and processes that involve certain types of data. Start with a type of sensitive data such as personally identifiable information (PII), HIPAA data, or a specific data element such as phone numbers. Here’s a helpful whitepaper that explains the fundamentals of creating a data inventory: “Creating a Data Inventory: The First Step In Managing Privacy and Data Security Risk” by David Manek, Bruce A. Radke, and Michael J. Waters.

Data Flow Diagrams

Take your data inventory to the next level by creating a data flow diagram. This diagram should be based on a business process or data type. A data flow diagram can help you identify the following:

  • The types of data third parties have access to
  • When a third party is involved in the process
  • The method third parties use to access your data
  • Vendors that are involved in critical business processes
  • Which third parties process your data

Contracting and Procurement Records

Reviewing your current contracts and agreements could help you identify the following:

  • Which vendors do you have active contracts or agreements with?
  • What type of services do they provide?
  • What level of access to data do their employees have?

Interview Subject Matter Experts (SMEs)

You likely have employees that are experts in certain IT systems or business processes. A short interview with these employees may help you understand a vendor’s role in the process. The SME may also be able to assist you with data mapping and inventory.

Access Reviews

Conducting an access review of system accounts is one of the quickest ways to find external entities that already have access to your data. Most systems can generate reports that show the level of access and privileges that particular users have. This method should be combined with the other identification methods, because it will not identify vendors that access your data externally, outside the systems whose accounts you review.
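The access review described above can be partly automated once a system's account report is exported. The script below is an added example, not code from the original post or from NuHarbor: it assumes the export is a CSV with the columns `user,email,role,last_login`, that the organization owns the domain `example.com`, and that the sample rows (all constructed) use a three-level role scheme. It flags every account whose email domain the organization does not control and, per vendor domain, records how many accounts exist and the highest privilege any of them holds, which is the information you need to decide which vendors to assess first.

```python
"""Added example: triage a system access report to surface third-party
accounts and the privilege level each vendor holds.

Assumptions (not from the original post): CSV columns user,email,role,last_login;
the organization controls the domain example.com; roles are read-only,
operator or admin. All sample rows are constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample export; a real review uses the system's own report.
SAMPLE_REPORT = """user,email,role,last_login
jdoe,jdoe@example.com,admin,2018-03-20
support-acme,ops@acme-saas.example,admin,2018-03-25
contractor1,pat@consultco.example,read-only,2017-11-02
svc-backup,backup@dr-provider.example,operator,2018-03-26
mlee,mlee@example.com,read-only,2018-03-21
"""

ORG_DOMAINS = {"example.com"}  # domains the organization controls (assumption)
PRIVILEGE_RANK = {"read-only": 1, "operator": 2, "admin": 3}  # unknown roles rank 0


def external_accounts(report_text, org_domains=ORG_DOMAINS):
    """Return the rows whose email domain is not one the organization controls."""
    found = []
    for row in csv.DictReader(io.StringIO(report_text)):
        domain = row["email"].rsplit("@", 1)[-1].strip().lower()
        if domain not in org_domains:
            found.append({**row, "domain": domain})
    return found


def summarize_by_vendor(accounts):
    """Group external accounts by domain and keep the highest privilege seen,
    so each vendor can be prioritised for assessment by the access it holds."""
    summary = defaultdict(lambda: {"accounts": 0, "max_privilege": None})
    for acct in accounts:
        entry = summary[acct["domain"]]
        entry["accounts"] += 1
        current = PRIVILEGE_RANK.get(entry["max_privilege"], 0)
        if PRIVILEGE_RANK.get(acct["role"], 0) > current:
            entry["max_privilege"] = acct["role"]
    return dict(summary)


if __name__ == "__main__":
    ext = external_accounts(SAMPLE_REPORT)
    for domain, info in sorted(summarize_by_vendor(ext).items()):
        print(f"{domain}: {info['accounts']} account(s), "
              f"highest privilege {info['max_privilege']}")
```

Run it against a real export by replacing `SAMPLE_REPORT` with the file contents; vendors that show up with `admin` privilege are the obvious first candidates for the risk assessment described in the next section, and accounts with an old `last_login` are worth confirming with the contract owner.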

Vendor Categories

Now that you have a list of all your third parties, the next step is to conduct a risk assessment. A risk assessment will help you determine which vendors pose a higher level of risk to your business and customers. These are the vendors you will want to assess first, and then on an annual basis.

Consider the vendors that meet at least one of the following criteria:
  • Perform critical business or IT functions
  • Process or access sensitive data
  • Process or access your customers’ data
  • Could impact your earnings or reputation
  • Could cause significant disruption to your business
Types of IT service providers that can pose a higher security risk may include:
  • Software as a Service (SaaS) providers
  • Infrastructure as a Service (IaaS) providers
  • Platform as a Service (PaaS) providers
  • Disaster Recovery and Data Center Colocation service providers
  • Professional Services or Consultants
  • Outsourced software development services
  • Data Processors

Hopefully these methods of identifying third parties will help you establish an effective vendor risk management program. Conducting regular assessments on higher risk third parties will help you identify and manage the potential risks they pose to your organization.

Learn more about our third-party security assessments here.

Included Topics

  • Security Testing
Brianna Blanchard

Brianna Blanchard is the Senior Manager of Information Assurance and Advisory Services at NuHarbor Security where she leads a team of professionals. She has over 15 years of experience working in cybersecurity and information technology. Before joining NuHarbor Security, Brianna worked for government organizations helping them build their security compliance and governance programs from the ground up. Brianna currently is involved in co-leading the Women in Cybersecurity Council at Champlain College, with the goal of making cybersecurity more inclusive and Champlain College the best place for women in cyber.
