Your Vendor's Information Security Control Environment Is Faulty. What Now?


In a world where information security breaches are all too common, it’s vital that you verify each vendor’s information security control environment is adequate and designed to protect your organization’s and your customers’ information. Evaluating a vendor’s information security controls isn’t an impossible feat; it’s straightforward to understand and even easier to apply. It really all comes down to SSAE 18 and the SOC 1 and SOC 2 reports. These reports tell you how well your vendor handles the confidentiality, integrity and availability of the data and controls under their purview.

Let’s discuss the confidentiality, integrity and availability triad of information security. It’s actually this simple.

  • Confidentiality: Does the vendor have measures in place to prevent unauthorized disclosure of information?
  • Integrity: Does the vendor ensure the data will not be modified by unauthorized means?
  • Availability: Does the vendor ensure the information is available when needed, and only to authorized personnel?

These questions must always be asked as you assess the vendor; they are the foundation of a strong information security control environment. Each has multiple parts and pieces, and each has parameters that flex to fit the needs of the vendor’s information security environment.

Signs of a Weak Information Security Control Environment

Sometimes you may find that a vendor’s information security control environment is inadequate. You’ll normally see this when you request the SOC reports for a vendor. A SOC report tells you how various cybersecurity controls related to the availability, confidentiality and processing integrity are being managed and if the management of those controls is adequate.

SOC 2 reports are the product of audit procedures that verify your vendors are securely managing your data to protect the interests of your organization and the privacy of your customers. For security-conscious businesses, SOC 2 compliance is a minimum requirement when considering a SaaS (software as a service) provider.

The controls tested cover the physical environment, the handling of information, the ability to make changes to data and the overall soundness of your vendor’s processes and procedures for information security. If you find a vendor with questionable controls, you may notice they have the following:

  • Weak or no incident detection controls or incident response plan
  • A lack of adequate intrusion detection controls
  • Little or no data loss prevention controls
  • Poor physical security for data centers and other facilities
  • No business continuity or disaster recovery plans in place
  • No data classification, retention and destruction policies
  • No data encryption standards
  • No security testing
  • No information security training provided to employees, contractors or their vendors to ensure cybersecurity preparedness

So, what if you discover the vendor’s information security control environment is faulty? What do you do next?

5 Tips to Manage Faulty Information Security Controls

Here are five recommendations to manage faulty information security controls:

  1. Contact the vendor and determine whether the lack of controls is temporary or beyond the vendor’s capability to deploy the relevant controls. If the vendor doesn’t have a SOC 2 report and they’re going to be handling your organization’s information or your customers’ information, that’s a key performance indicator that this may not be the vendor for your organization.

  2. Contractually request that the vendor notify you as soon as an incident occurs. It’s important that every vendor is aware you want to be notified as soon as a breach occurs, or within an agreed-upon timeframe. Set those expectations in the contract, especially if the vendor’s control environment seems faulty. If notification isn’t part of your contract with the vendor, you may not be able to convince the vendor to comply with your request.

  3. Require the vendor to strengthen their controls and test frequently. A SOC report covers one year. It should be for a relevant timeframe and may have what’s referred to as a “bridge letter” accompanying it to cover the few months that typically pass before an audited SOC report is refreshed. Read the SOC report and check whether the management responses the vendor supplies (in the section called Management’s Assertion) are reasonable explanations for why the audited items test as weak or lacking. If your vendor’s security posture is out of whack and the vendor fails to adequately address the issues, then you have another key performance indicator that the vendor has a problem with information security.

  4. Consider that things happen. Sometimes large data processors will find their controls have become inadequate over time. This is usually due to the growth of the organization and the need to update a process or procedure, or both, for specific security controls. If the vendor has a plan to correct the existing flaws, you may be wise to give the vendor the opportunity to make the correction.

  5. Determine whether the vendor is still a good fit for your organization. Is the risk worth it? Is the vendor exposing your organization to so much operational and reputational risk that it may be worth making a change? That’s something you should discuss with your senior management team and the board. If your organization decides to make a change, make certain you vet the replacement thoroughly!
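Tip 3 hinges on two checks a reviewer repeats for every vendor: is the SOC report (plus any bridge letter) still covering a relevant timeframe as of today, and does every exception noted by the auditor have a management response? The following script is an added example, not Venminder’s code or tooling; the vendor names, dates, exception descriptions and the 365-day and 90-day thresholds are constructed assumptions that you would replace with your own program’s limits.

```python
"""Check whether a vendor's SOC report still provides relevant coverage.

Added example (not Venminder's code). Encodes the review steps from tip 3:
  - the audit period, extended by a bridge letter if one was supplied, should
    reach the date of the review (otherwise there is a coverage gap);
  - a bridge letter is expected to span only the few months between reports;
  - a report whose period ended long ago is stale;
  - every auditor exception needs a management response.
Thresholds and sample data below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

MAX_REPORT_AGE_DAYS = 365   # assumption: period ended >1 year ago => stale report
MAX_BRIDGE_SPAN_DAYS = 90   # assumption: a bridge letter should cover ~3 months at most


@dataclass
class SocReport:
    vendor: str
    report_type: str                     # e.g. "SOC 2 Type 2"
    period_start: date
    period_end: date
    bridge_letter_end: Optional[date] = None   # last date the bridge letter attests to
    # (exception description, management response supplied?)
    exceptions: List[Tuple[str, bool]] = field(default_factory=list)


def coverage_findings(report: SocReport, review_date: date) -> List[str]:
    """Return a list of human-readable findings; an empty list means no concern."""
    findings: List[str] = []

    if report.period_end < report.period_start:
        findings.append("Report period end precedes period start; report is malformed.")
        return findings

    # Coverage runs to the end of the bridge letter when one exists, else to the
    # end of the audited period.
    covered_through = report.period_end
    if report.bridge_letter_end is not None:
        if report.bridge_letter_end < report.period_end:
            findings.append("Bridge letter ends before the audited period; it adds no coverage.")
        else:
            covered_through = report.bridge_letter_end
            span = (report.bridge_letter_end - report.period_end).days
            if span > MAX_BRIDGE_SPAN_DAYS:
                findings.append(
                    f"Bridge letter spans {span} days; ask why the refreshed report is late."
                )

    gap = (review_date - covered_through).days
    if gap > 0:
        findings.append(
            f"Coverage gap of {gap} days between {covered_through} and review date {review_date}."
        )

    age = (review_date - report.period_end).days
    if age > MAX_REPORT_AGE_DAYS:
        findings.append(f"Audited period ended {age} days ago; request a current report.")

    for description, responded in report.exceptions:
        if not responded:
            findings.append(f"No management response for exception: {description}")

    return findings


# Constructed sample data (hypothetical vendors, dates and exceptions).
CLEAN_REPORT = SocReport(
    vendor="Example Vendor A",
    report_type="SOC 2 Type 2",
    period_start=date(2020, 1, 1),
    period_end=date(2020, 12, 31),
    bridge_letter_end=date(2021, 1, 31),
    exceptions=[("Logical access: two terminated accounts removed after 24h", True)],
)

FAULTY_REPORT = SocReport(
    vendor="Example Vendor B",
    report_type="SOC 2 Type 2",
    period_start=date(2019, 7, 1),
    period_end=date(2020, 6, 30),
    bridge_letter_end=None,
    exceptions=[
        ("Change management: production change deployed without approval", False),
        ("Backups: one monthly restore test not performed", True),
    ],
)

if __name__ == "__main__":
    for rpt, when in ((CLEAN_REPORT, date(2021, 1, 15)), (FAULTY_REPORT, date(2020, 11, 15))):
        print(f"{rpt.vendor} ({rpt.report_type}) reviewed {when}:")
        for line in coverage_findings(rpt, when) or ["  no findings"]:
            print("  " + line)
```

Run the module directly to see both samples evaluated: the first vendor produces no findings, while the second shows a 138-day coverage gap and an exception with no management response, which is exactly the pair of signals tip 3 tells you to escalate.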

A stable information security control environment is important to the confidentiality and safekeeping of your organization’s data. Make sure you review the vendor’s information security posture often and request changes as needed.