An Information Security Perspective on Vendor Risk Management

Vendor Risk Management (VRM) is defined as a “plan to identify and decrease potential business uncertainties and legal liabilities involving a vendor.” With our ever-evolving electronic world, Vendor Risk Management is especially important from an information security perspective.

Why is the practice of evaluating vendors so important? Findings from the Ponemon Institute show that “49% of companies had a data breach caused by a third party vendor.”

Over the past few years, the rise of mobile, cloud and social technologies has changed our working systems, infrastructures and processes. This shift toward an ever-connected world has given businesses a greater choice and variety of vendors to deal with, but it also means that cyber criminals now have a broader area to attack.

When a business works with vendors:
* Sensitive data may be transmitted, stored, and processed on both company and vendor networks.
* It is important to know and understand the legal requirements and mandates regarding risk management policies with vendors, contractors, and consultants.
* It is important to know not only what risks you can contractually pass along to the vendor, but also what your vendors are contractually requiring of you.

When handling your sensitive information, failing to account for the risks associated with vendors could nullify even the best internal precautions taken by your company. Vendor Risk Management should be considered in conjunction with your internal protective measures.

This seminar will provide technical and legal guidelines for companies and vendors alike to encourage a more secure culture surrounding Vendor Risk Management. It will help you understand your obligations when working with vendors to ensure the security of your data, and guide you toward making better decisions when picking the right vendor for your company.

In-Company Training

Many courses offered by CESE are also available on-site. In-company training simplifies scheduling, ensuring more of your employees will be able to attend and learn.


Jerald Dawkins, Ph.D.
Heidi L. Shadid, J.D.
Youssef Mhemedi, CISSP, CIPT, CTPRP

Who Should Attend

  • Risk Management Officers
  • General Counsels/Attorneys
  • Chief Information Security Officers
  • Project Managers
  • Executives
  • Vendors who want to work with Companies
  • Companies who want to work with Vendors

The 5, 4, 3 of Vendor Risk Management

5 Things to Learn:

  • How to evaluate vendors to determine if you are working with the right partner.
  • How to establish and manage a vendor management program.
  • How to review reports or attestations on compliance and determine how they factor into your risk decision process.
  • What language to look for in contracts and what language to avoid.
  • Your organization’s responsibilities to ensure a secure relationship with a vendor.

4 Red Flags:

  • Assumptions – making assumptions about the security of your vendors
  • Evaluation – not asking the right questions when evaluating vendors
  • Mitigation – failing to prepare for when something goes wrong
  • Impact – not understanding your responsibilities in the relationship with the vendor

3 Ways to Protect:

  • Ensure you know and have the appropriate legal requirements
  • Establish a Vendor Management Program
  • Trust but validate

Course Outline Summary

Understanding the Risk
* Data Supply Chain – Evaluating Existing Relationships
* Regulatory/Standards Assessment
* Contract Review Process
* Case Study

Mitigating the Risk
* Developing a Vendor Management Program
  – Compliance Monitoring
  – Technical Monitoring
  – Threat Monitoring
* Mitigation Strategies
  – Limiting Access
  – Tracking
  – Vendor Monitoring
* Case Study

Walk Away With:

– A Cyber Security Risk Management Strategy for Vendors
– Security Assessment List of Questions
– A Better Grasp of the Legal Language

This course qualifies for:
– 11 PDHs (Professional Development Hours)
– 1.1 CEUs (Continuing Education Units)
– Oklahoma Bar Association: 15.50 General CLEs