Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit


Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2020 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2021-cropped
State of Third-Party Risk Management 2021

Venminder’s State of Third-Party Risk Management 2021 survey provides insight into how organizations are managing third-party risk management in today’s increasing regulatory and risky climate.

DOWNLOAD NOW

Top 10 Questions in Vendor Cybersecurity Questionnaires

3 min read
Featured Image

When creating a vendor questionnaire or reviewing a questionnaire completed by a vendor, it’s essential to ask the right questions so you can fully understand the vendor’s cybersecurity environment. Use the following 10 questions to make sure you're providing and receiving the most important cybersecurity information from your vendors.

The Top 10 Vendor Cybersecurity Questions

Here are the top 10 cybersecurity questions in vendor questionnaires:

  1. Are penetration tests performed by a qualified third-party vendor? If so, how often are they performed and when was the last test performed? Ensuring your vendor has regularly scheduled penetration tests performed by a third party is essential in knowing how secure their environment is and identifying the weaknesses so they can be secured before they’re exploited by an attacker.

  2. Is there a formal information security  program in place? A security program provides the framework for keeping a company at a desired security level. The program is key in assessing risks, deciding how to mitigate those risks and forming plans to keep the security practices current.

  3. Is there a formal process to review user access? This process is important to verify who should and shouldn't have access to your system. Failures in logical access review procedures are the top reason for exceptions in SOC reports.
  4. Has your vendor implemented the principle of least privilege and multi-factor authentication for remote access? Role-based access privileges determine what type of data is needed for certain employees to perform their duties. Also, with the significant increase of remote workers, ensuring multi-factor authentication (MFA) is required for remote access adds an extra layer of protection against compromised credentials.

  5. How is data protected in transit between the vendor and the client as well as between the vendor and the end-user? How is data at rest protected on servers and backup media? Encryption of data in both in-transit and at-rest stages is extremely important to keep it safe from unauthorized access.

  6. Is expired media (hard drives, flash drives, CDs, documents, etc.) securely disposed? Physical and electronic data should never be tossed out with the regular garbage, as it could easily be stolen and compromised.  This has become more difficult with the adoption of public cloud services as data may move across multiple physical systems and reside on shared resources.

  7. Are employees and contractors required to attend security training? Users of all systems should be properly educated on security awareness to limit human errors that can harm your IT infrastructure and information. 

  8. What due diligence  is performed on contractors and vendors before and after the contract stage? Performing due diligence on your vendor’s third party (your fourth party) is especially important if they have access to your data. You want to make sure they have a secure environment to help keep your information secure.

  9. Is there a formal incident management program in place? Proper incident handling procedures allow situations to be analyzed and prioritized so that the next appropriate course of action can be taken to address the problem. Breach notification is a vital part of incident management and is now included within multiple regulations with particular emphasis on vendor reporting.

  10. Does your vendor have technical prevention measures in place? Security tools such as firewalls, anti-virus products and intrusion detection and prevention systems can be used to help secure your network. 

The next time you find yourself creating or reviewing a vendor’s cybersecurity questionnaire remember to include the questions listed here. It may take some time to fully build and/or review a comprehensive cybersecurity questionnaire, but it could save you a lot of time and risk exposure in the future. It’s an invaluable tool that provides a lot of insight. 

Not sure if you have all your boxes checked?  Ensure you have everything covered. Download this checklist.

vendor cybersecurity checklist

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo