Dealing With Third-Party Risk Assessments: Creating and responding to vendor questionnaires

Date: September 25, 2019

Recorded on Wednesday, September 25th

Ain’t nobody got time for that!

Are you feeling overwhelmed? Have you been diagnosed with a case of audit fatigue? The growth in third-party assessment requests has exploded–more and more organizations are being forced to fill out third-party vendor forms and create or formalize third-party risk functions. The intent, of course, is to ensure that vendors are taking security seriously with proper controls in place, but are they making a difference? And can the process be made simpler?

What you’re doing when you could be doing security

In reviews of organizations large and small, there are frustrations on all sides:

  • Newly trained auditors are being put in difficult situations, leading to high turnover.
  • Security teams are being overwhelmed with requests.
  • Small and medium businesses are diverting budget from other high-impact security initiatives.
  • Legal departments are racing to keep up with changing language, terms, and conditions.

Clearing away the mud: What’s working and what’s not

In this webinar, we will discuss the issues surrounding vendor questionnaires, the (failed) attempts at creating more standard response templates, and how it’s impacting security, compliance, and audit departments.

TrustedSec will answer questions such as:

  • What can I push back on?
  • How do I get additional budget for this?
  • What is a reasonable request and response?
  • Can I get an attestation of a standard such as NIST Cybersecurity Framework or CIS Controls to make it easier?

You will respect my authority! Practical ways to build a helpful partnership

With combined decades of experience, Alex Hamerstone and Steve Marchewitz have worked with countless organizations and are also tasked with filling out the necessary forms for vendors. They will provide their insight into what they have seen work well in different industries, many of the challenges they have seen organizations go through, some of the ‘crazy’ questions, and what needs to happen to make third-party assessments practical for everyone.