Finishing the Job: The Importance of Validation & Remediation in VRM
Published On October 25, 2021
Blog Post by Brian Selfridge, Partner at CORL Technologies
At CORL, we manage Vendor Risk Management (VRM) programs for hundreds of healthcare organizations. We have learned over the years that the industry-standard models for vendor risk assessments cannot scale to meet the challenge we now face: effectively mitigating the risks that vendors pose to the industry.
There is a slew of new VRM technologies hitting the market that can help to accelerate communication and reporting around vendor risk management. Examples include questionnaire automation tools, Governance, Risk and Compliance (GRC) platforms, vendor risk scorecard solutions, digital workflow management tools, and more. These automation tools are helping with some aspects of the problem, such as speeding up the collection of risk data from the vendor. However, these automation solutions aren't able to meet the final objective: obtaining validated, trusted risk intelligence on vendors and driving them to remediate and eliminate their risk exposures. In short, automation solutions and tech alone can’t get the job done.
CORL has taken an innovative approach to rethink and redesign the entire paradigm of vendor risk management. In addition to collecting and sharing third-party vendor risk data, we go the extra mile to validate that the information from the vendor portrays an accurate and reliable representation of their security posture. We also drive vendors to remediate identified security exposures.
Validation: Trust but Verify
There are two primary mechanisms available to verify and validate that the information a vendor has provided is accurate and reliable. The first is requesting and reviewing industry certifications like HITRUST or SOC 2 Type II (SOC 2). The second is performing a validated risk assessment including inspecting evidence of control implementations from the vendor.
Many healthcare organizations require their vendors to obtain or pursue industry cybersecurity certifications as part of the procurement process. The most common certifications required for healthcare vendors are HITRUST and SOC 2. Requiring the vendor to become certified takes the burden off your team and puts it on the vendor to invest in a third-party validated assessment and certification that demonstrates their compliance with industry cybersecurity standards.
It should be noted that a vendor’s SOC 2 report may not be enough in and of itself to validate the strength of their security control implementation. The SOC 2 process validates the state of implementation, but the reports often also document gaps or variances (exceptions) in control implementations. VRM teams need to inspect SOC 2 reports, determine whether any deficiencies are present, and follow up with the vendor accordingly for resolution.
If vendors aren't able to produce a third-party certification like HITRUST or SOC 2, you need to find a way to validate your vendor's responses to security questionnaires and audits. Vendors will be happy to tell you what you want to hear and, while they may not outright lie about their security controls, they will certainly look to paint as rosy a picture as possible and provide vague answers for areas where they know they have deficiencies. Unfortunately, sometimes vendors’ cybersecurity programs are so immature that the vendor may not even know where they have major risk exposures. The validation process ensures that risks become visible to all parties and are prioritized for remediation.
Remediation: Closing the Loop
Collecting risk data and information is only one part of the VRM equation. Ultimately, organizations must drive vendors to remediate the issues identified in risk assessments; otherwise, VRM teams end up just pushing paper around while risk exposures remain unresolved.
It is important to prioritize which areas require vendors to commit to remediation and identify specific timeframes for that remediation to occur. For example, it may not be feasible or reasonable to require vendors to have high maturity ratings in every single NIST 800-53 control, as there are hundreds of controls in that framework. Many of our customers will look at a subset of critical controls such as the vendor's vulnerability management and patching program, their penetration testing results, and their incident response plans. These critical control areas can serve as leading indicators of the vendor's cybersecurity program maturity. These are also the areas that can help combat ransomware and other prominent cybersecurity threats.
CORL’s VRM technology and processes allow us to maintain accountability for vendors by following up to make sure they meet their remediation commitments. The advantage of our position is that vendors can’t shrug us off very easily. We keep coming back to them over and over again on behalf of dozens of their customers. We use our scale to create leverage and compel vendors to reduce risk measurably. We meticulously track remediation commitments and hound vendors to report back on them, holding vendors accountable for risk mitigation.
Getting the Job Done
An effective third-party vendor risk management program must include processes to collect risk data from vendors, assess and validate that information, and track remediation of identified risks. VRM programs that only collect vendor risk data, such as cyber risk scores or assessment questionnaire responses, are only getting part of the way there in managing vendor risk. CORL’s VRM solution gets the job done right the first time by assessing, validating, and tracking risk remediation across our customers’ full vendor portfolios.
Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results and lowers third-party vendor risks.
What Our Clients Are Saying
“The other high value part of the CORL VSRM program is the follow through to completion. We didn’t have the time or resources to dig deep into the issues found. I see the value in the CORL organized approach: listing out remediation items; communication with our vendors; and then following-up with our vendors to dig into compensating controls, evidence of policy, etc.” - Senior Risk and Compliance Manager, Healthcare Benefits Selection Company
"The big value for me is having CORL as a 3rd party do the work for us as a small InfoSec team. Having done assessments in-house, it’s time consuming and hard to manage, and hard to know if we are following the right framework. There is a confidence level we have in CORL: when we send something over it’s going to be done correctly, no second guessing, whether a pre-Assessment or full Assessment or Remediation plans. CORL is dotting all I’s and crossing T’s, and they don’t take ‘no’ for an answer and require verification of evidence from vendors - trust but verify." - Manager of InfoSec, Large Healthcare Provider