NERC Security Guideline for the Vendor Risk Management Lifecycle

Chapter 1: Mitigating Risks Before Procurement

Chapter 1 states, “While deciding which vendors should be invited to participate in the RFP, the organization could consider the factors of approved entity lists, intelligence sources, and publicly available information (e.g., history of vulnerability handling, web site hygiene).”

To address this Guideline, compare firmographic details, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors in a single table. Centralizing these insights in line with RFx responses gives you a holistic view of suppliers – both their fit for purpose as well as fit according to your organization’s risk appetite.

See below for additional suggested mitigations from Chapter 1.

Gather information about the vendor’s mitigation plans for specific supply chain cyber security risks, using a targeted assessment containing only relevant questions.

Prevalent enables you to use a customizable assessment to gather and correlate vendor controls to determine threats to systems and data, based on the criticality of the vendor.

The platform collates data in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk.

Include cyber security terms and conditions in the vendor contract, or identify specific deliverables to be measured.

Leverage a contract lifecycle management solution that centralizes the distribution, discussion, retention, and review of vendor contracts. Doing so will ensure that key contractual provisions, such as key performance indicators (KPIs), key risk indicators (KRIs) and service level agreements (SLAs), are included in vendor contracts and are enforced throughout the relationship.

Provide supporting evidence such as certifications or audit reports by qualified third-party assessors.

-

Request that the vendor provide a software bill of materials (SBOM) listing all components of their software and/or firmware that were developed by third parties.

-

Perform a procurement risk assessment (PRA).

-

Mitigate every high risk identified in the PRA.

The Prevalent platform centralizes documents, supporting evidence and vendor certifications into a single vendor profile associated with completed vendor risk assessments and a central risk register.

The platform also enables you to deliver recommended remediations to vendors based on risk assessment results to ensure that vendors address risks in a timely and satisfactory manner. With Prevalent, you can track remediations to conclusion with defined owners – inside your organization and in your vendor’s organization.

Chapter 2: Assessing Risks

Chapter 2 of the Security Guideline states that, “Once a vendor relationship is in place and the organization has begun obtaining products or services from the vendor, the organization needs a process for continually identifying, assessing, and mitigating both residual and new risks posed by the vendor.” To accomplish this, the Guideline suggests some of the steps in the following rows.

Focus questions specifically on protecting remote access through multi-factor authentication.

-

Use a questionnaire that asks only relevant questions.

-

Have separate questionnaire for IT and OT vendors.

-

Consider certifications such as ISO 27001 or SOC2.

Prevalent automates risk assessments to extend the visibility, efficiency and scale of your vendor risk management program across every stage of the vendor lifecycle.

The platform includes a library of hundreds of standardized assessment templates – including questionnaires that target IT and OT domains – with customization capabilities and built-in workflow and remediation to automate everything from survey collection and analysis to risk rating and reporting.

If the vendor is unable or unwilling to complete a standardized assessment, you can use the Prevalent platform to map ISO certifications or SOC 2 reports into the central risk register view manage risks from that vendor alongside the risks gathered from other vendors’ assessments.

With Prevalent, you can validate assessment results with continuous insights into cyber threats. Consolidating all intelligence into a “single pane of glass” optimizes your risk analysis efforts.

Chapter 3: Mitigating Risks

During Product/Service Use
Chapter 3 of the Guideline recommends that the organization ask the vendor to mitigate risks identified in the assessment. The goal of risk mitigation should be to bring its value down to an acceptable level in order to reduce the likelihood and/or impact of the risk.

The Guideline says this can be accomplished through RFP or contractual enforcement, but required remediations are also an important post-contract enforcement. See some selected mitigations from the Guideline below.

Include RFP language identifying security risks and any mitigations the vendor must undertake to address those risks.

Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) as part of vendor selection decisions. This ensures that you can select suppliers based on critical cyber security measures.

Include contract language documenting the vendor’s commitment to implement specific security controls, provide for the organization to review the vendor’s progress, and identify methods for future communication on these matters.

With Prevalent, you can centralize the distribution, discussion, retention, and review of supplier contracts. Managing supply contracts this way will ensure that you have the proper security clauses and enforcements built into the contract.

Define specific remediations.

Deliver recommended remediations to suppliers based on risk assessment results to ensure that suppliers address risks in a timely and satisfactory manner. Track remediations to conclusion with defined owners – inside your organization and in your supplier’s organization.

Chapter 4: Verifying Risk Mitigation

Chapter 4 of the Guideline requires verification that the vendor is complying with policies and mitigation steps. Possible actions include those in the following rows.

Document and communicate with the vendor the gap in performance, the expected service, and applicable contract terms or documented commitment.

Prevalent enables you to customize surveys to make it easy to gather and analyze necessary performance and contract data in a single risk register. You can also identify key contract attributes relating to SLAs or performance, populate those requirements in a central platform, and assign tasks to you and your vendor for tracking purposes.

Communicate to the vendor that performance measures will be reflected in future scoring or evaluation of new purchases of products or services.

The Prevalent platform centrally measures vendor KPIs and KRIs against your requirements by automatically extracting them from the vendor contract.

The platform also suggests remediation recommendations to ensure that vendors address risks in a timely and satisfactory manner.

Evaluate terminating the relationship with the vendor.

When a termination or exit is required for critical services, Prevelant equips you with customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more.

Chapter 5: Purchasing, Terminating and Transitioning

Chapter 5 of the Guideline reviews the procedures required to terminate a vendor relationship, including those found in the rows below.

Identify and mitigate the risks associated with the termination or transition (e.g., holding sensitive information).

-

Take an inventory of the sensitive information that the vendor holds about the organization’s systems and networks and require the vendor to attest that all information has been deleted.

Prevalent enables you to:

• Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.

• Leverage customizable surveys and workflows report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.

• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.

• Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.

• Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.