Introduction
A large mission-driven non-profit is supported by a small but dedicated staff. The non-profit relies on a network of 40+ vendors across the country to support its nation-wide operations. The non-profit had begun building a vendor management program, but efforts were segmented by department and by specific risk management activity. With contract management conducted by the legal team and basic data risk questionnaires distributed by the IT department, there was little coordination between efforts, and risk information was difficult to share. The result was an overall weaker risk management program that lacked standardization, centralization, and accountability.
Challenges to Effective Vendor Management
The non-profit experienced gaps in risk coverage and missed opportunities to identify and mitigate risks that affected multiple areas of the organization. Departments struggled to keep track of vendor accreditations and contract renewal dates as the number of vendors increased. Additionally, the manual processes for these activities were a significant drain on the non-profit’s resources.
The non-profit organization also grew increasingly concerned about the cybersecurity risks associated with its vendors, particularly those handling sensitive data. The non-profit struggled to ensure compliance with security requirements and contracts due to the absence of a centralized vendor management system. Without a comprehensive approach to manage vendor risk, the non-profit was at risk of security breaches and potential legal issues.
Needing a solution that would streamline risk management processes, ensure compliance with security and contractual requirements, and maximize resources, the non-profit onboarded myCYPR for its comprehensive risk management capabilities.
Vendor Management: Accreditations and Contracts
myCYPR helped the non-profit upgrade its overall vendor management program by centralizing previously segmented legal and cyber risk management activities. With capabilities for vendor accreditation tracking, contract management, and cyber risk management consolidated into a single platform, the non-profit saved time and resources across departments.
The non-profit tracked renewals and ensured vendor obligations were met and maintained with myCYPR’s contract management capabilities. This alleviated the strain of manual management for the legal team. Additionally, myCYPR’s SAQ feature issued assessments and collected and reviewed vendor responses through the platform, providing standardized insight. This eliminated the manual questionnaire process and made vendor risk information easier to share across the organization, saving valuable time and resources.
Third-Party Risk Management (TPRM)
myCYPR’s third-party cyber risk management features enabled the non-profit to assess the security risks associated with each vendor and take appropriate actions to mitigate those risks, maturing the previously manual procedures for gathering cyber risk intelligence. The non-profit was able to track vendor accreditations, such as SOC 2 and ISO, which provided more insight into third-party security and helped ensure that vendors’ security was resilient and up to date.
myCYPR’s OPSEC | SAQ assessment allowed the non-profit to identify third-party security issues, proactively remediate them, and view the organization’s total vendor risk. Each vendor received a score based on its SAQ responses, evaluating 25 key areas of cybersecurity posture against NIST and CIS controls and weighted by the amount and sensitivity of data exchanged and the non-profit’s leverage over the vendor. For high-risk vendors, the non-profit enabled myCYPR’s evidence collection feature for an additional tier of validation.
Conclusion
The implementation of myCYPR enabled the non-profit to streamline its vendor and cyber risk management processes, leading to substantial time and resource savings. With a comprehensive approach to managing vendors, the platform’s third-party cyber risk management capabilities, including vendor accreditation tracking and SAQ assessment, ensured compliance with both security requirements and contractual obligations.
myCYPR provided a centralized platform for the non-profit to manage its vendor relationships and enhance its third-party cyber risk management efforts. With more time and resources at its disposal, the non-profit was able to focus on its mission, knowing that the platform could effectively handle its vendor management processes. Ultimately, myCYPR proved to be a valuable tool in the non-profit’s mission to reduce vendor risk and ensure data security.