How does your organization identify and categorize third parties?

It seems that one of the most difficult initial tasks in TPRM is just developing and maintaining an inventory of third parties. What procedures or strategies are you using to make sure no vendors slip through the cracks?
Comments
Tales from the field: We frequently speak with companies who struggle with this first step...which drives trepidation in moving to the other steps in the process. While I wish software could solve this challenge, it's really about culture and process. In some organizations, security carries a heavy hand. In others, it's an necessary evil and can't "get in the way of business." Engaging your colleagues in the procurement department to build a process that weaves TPCRM into the process is key. Without this step, TPCRM becomes a roadblock or fire-drill, rather than a valuable part of protecting the business from easily avoidable cyber risk.
Many of the vendor management challenges that companies face seem to all stem from the same issue of not having a centrally managed list of vendors. It seems like every company, big or small, struggles with this same key issue which is the identification of the vendor population.
This issue is especially challenging for firms that have been operating for a number of years and have just recently started working on vendor risk. At this point they may have hundreds or thousands of vendors that do not exist within one source of truth. There can be multiple procurement teams that work in silos, payment to vendors can be done through means other than the official procurement process such as using corporate cards for payment, and organizing all of this through a manual process will often times miss certain vendors being introduced to the firm.
Creating a VRM process and ensuring all requests go through this process will help solve the issue associated with new vendors coming into the firm; however you still have to work on the backlog of vendors in your environment and identify the business relationship owner, the vendor relationship owner, triage questions to understand the inherent risk, among other things. There does not seem to be one streamlined solution to do this and requires a lot of manual work whether up front or throughout the lifecycle.
The good news is, once this identification and classification process is complete then you quickly move the needle and arrive at a sustainable VRM process.
There are many ways to identify your vendors:
- Project information
- Legal Contracts
- Company Announcements
- Status Reports
- Accounts Payable / Purchasing
- Remote Access Systems
- System Accounts
- Facility Access Records
- Application Access
- Firewall Rules
- Network Circuits
- Data Transfer Records
- Asset Management Records
- Data Leakage Protection / Internet Usage Records
- Equipment Location Information
- Operational Monitoring
- Incident / Outage Reports
- Etc
Find the teams that own those processes, partner with them to get legacy and proactive visibility to the information.For categorization, identify criteria which absolutely require an assessment, situations that never require an assessment, and what falls in between. You need to consider the resources you have available, number of vendors, and purpose of your program in order to identify appropriate criteria. For example:
- If the vendor is hosting information in their systems, how critical does it have to be before it warrants an assessment?
- If the vendor is providing services using their their systems or networks, how critical does it have to be before it warrants an assessment?
- Where can you leverage your existing solutions to avoid performing an assessment. That is, if the vendor is doing everything using your equipment, they are taking your training, and subjected to your background checks, would they have anything in scope for the assessment?
- etc.
Recognize that individual teams may be using the same vendor in completely different ways.With a bit of work, you should be able to establish criteria you can justify.
Chris