Risk Assessment Validation: Do Your Vendor’s Have Security Controls

BLOG 2 MINS | June 2, 2020
Vendor Risk Assessment Validation: Do Your Vendors Have the Right Security Controls in Place?

So, your vendor finally completed your assessment. But how do you validate their responses to ensure the risk assessment is accurate?

For example, what happens if your vendor claims they have data encrypted in transit, although six months later – due to a breach – you learn that they in fact do not? Is there a way to validate these security controls prior to finding out the truth the hard way? Of course, you want to work with vendors that you trust, however, there is a reason the phrase “trust, but verify” is so popular.

What are the typical vendor risk assessment validation levels?

In-depth vendor risk assessment validation can be a time-consuming process. As a result, organizations typically perform different levels of validation based on the criticality and potential risks posed by a vendor. 

– Tier 3: Self-Attestation: The organization performing the assessment does not validate the vendor’s responses, instead the vendor “self attests” to the accuracy of their answers. This validation level is typically used for low-risk, low-criticality vendors.

– Tier 2: Remote Validation: The validation of security controls is done via remote methods, such as online video conference. Some organizations may have a validation team in place to perform these remote validations, though most organizations rely on consultants (i.e. validation partners). This method of risk assessment validation is typically used for medium- to high-risk and critical vendors and will likely become more common in the era of remote work.

– Tier 1: Onsite Validation: A validation team goes onsite to the vendor’s workplace and performs an in-person control validation review. This is typically used for the most high-risk, critical vendors and is more time-consuming and costly than other vendor risk assessment validation options.

For remote and onsite validations, organizations may opt to validate all security controls, but in many cases partial control validation (focusing on key controls) may be deemed adequate based on the organization’s risk level.

How can you use inherent risk to help determine validation levels?

Understanding the inherent risk of vendors is critical when prioritizing your vendor risk assessment approach and making decisions relating to assessment validation levels. Not every risk assessment needs the same validation level. Businesses can utilize inherent risk insights to categorize vendors from low to high risk, choose the appropriate assessment type and approach, then order the appropriate validation level and length.

Don’t want to handle the validation process on your own?

OneTrust Vendorpedia makes it easy to request validations through our Cyber Risk Exchange as well as our Inherent Risk Insights to help you prioritize and streamline decision-making relating to vendor risk assessment validation. Request a demo to learn more!