If you have attended any seminars or symposiums on Third-Party Vendor Risk Management (TPVRM) over the last year, you have likely heard regulators present Continuous Monitoring as an emerging requirement. As presented, Continuous Monitoring is a step above the Ongoing Monitoring requirements that have traditionally defined Know Your Vendor. In part, regulators are looking to see that your vendor review program can identify a concern with a vendor that occurs or becomes known outside a periodic review cycle. The emergence of Cyber Security threats from third-party relationships is fueling the movement from Ongoing to Continuous Monitoring.
Ongoing Monitoring has developed as the historic foundation for effective Third-Party Risk Management programs. Often starting at the time of onboarding a new vendor, or following a periodic re-review schedule indexed to the risk exposure of the relationship, Ongoing Monitoring ensured continued visibility into the vendor relationship for the purpose of surfacing a potential concern.
Ongoing Monitoring of a vendor relationship has included familiarity with the vendor’s business financials, control audits, continuity and resiliency plans and testing, insurance coverages, and Information Security posture. Ongoing Monitoring also includes following specific performance as it relates to your organization’s overall satisfaction with a vendor and whether the vendor is meeting defined service levels for product or service delivery.
Fortunately, Continuous Monitoring has been an element of the VendorInsight® solution from the outset. Reported news on and from key vendors is screened daily and provided to the individuals identified as responsible for those vendor relationships. In particular, Risk Alerts are culled from the news feeds for key vendors and are delivered into VendorInsight® and also into the email inbox of those responsible.
The newly released Governance Dashboard now allows Executive Oversight of the overall program. By defining alert thresholds at the program level for multiple governance, performance and risk metrics, you can keep pace with your program up to the minute.
VendorInsight® allows you to demonstrate your engagement with these important aspects of a Continuous Monitoring strategy for your Third-Party vendor portfolio.
The Information Security Challenge
Historically, under Ongoing Monitoring, verifying that a vendor who possesses confidential organization or customer data has a well-structured Information Security discipline, which could include questionnaires and even certifications, has been accepted as adequate Due Diligence that an exposure to risk has been mitigated.
A Continuous Monitoring strategy as applied to Information Security, on the other hand, ups the ante, and likely your vendor engagement as well. Just as news feeds and the news alerts derived from them allow for identification of third-party risk threats outside the review cycle, a similar process is needed to monitor and alert your organization to a threat to your sensitive data, whether it is entrusted to a third party or maintained within your organization’s own IT infrastructure.
It is our belief that continuous Cyber Security monitoring of your own IT infrastructure and critical vendor relationships is current industry best practice, and will emerge as a de facto requirement, if not a regulation, over the next twenty-four months. Beyond being best practice, it is simply prudent for any risk management framework. That is quite a prediction, but given the breadth of the bad actors and the exposure and costs of an information security breach, it is a logical conclusion, provided an effective means of monitoring is available and affordable, as we believe is now the case.
We have been aware for several years, from multiple clients, of the use of Cybersecurity monitoring solutions. We only briefly considered developing our own solution, but quickly came to realize that this is its own unique discipline that exists as a conjoined complement to Third-Party Vendor Risk Management.
After a detailed review and analysis, in the fourth quarter of 2019 we announced our partnership with NormShield, Inc. NormShield provides several Cyber Security monitoring solution options, allowing us to offer clients a tailored mechanism to improve the Continuous Monitoring posture of their critical data repositories, whether internally managed or held by a third-party vendor. We believe that through this relationship with NormShield, we have capabilities that meet or exceed any expectation of Continuous Monitoring from any auditor or regulator, and a tool set that will allow your Chief Information Security Officer a more restful night’s sleep.
For the clients for whom we provide our VRM Pro™ outsourcing solutions, we are making a formal recommendation for the inclusion of NormShield monitoring in their program. For all of our clients, we urge you to engage in this topic internally, and with us in the coming months.
The ability to keep pace with the dynamic environment that today’s business demands is defining expanded solutions, requirements and responsibilities for all. VendorInsight®’s integrated capabilities, coupled with NormShield’s Cyber Security monitoring tools, provide the Continuous Monitoring that organizations will need today and into the future.
Request a demo today to learn how VendorInsight® can help you with your continuous monitoring and regulatory requirements.