A Podcast by Carrie Whysall
CynergisTek, Inc.
Supply Chain and Third-Party Risks During COVID-19
© Carrie Whysall, 2020
Hello! I’m Carrie Whysall, Director of Managed Security Services at CynergisTek, Inc. I’m here to introduce and explain the importance of supply chain and third-party risks during the time of COVID-19.
What is vendor risk management?
It’s really the process of building relationships with your vendors. This includes creating both formal and informal processes that protect and enhance the organizational strategies of both parties in the relationship. The goal is a transparent relationship that allows for a better understanding of the services provided and the risks that are inherent in that relationship.
Why is VRM so important?
• Health Alliance Plan on March 6, 2019. This breach of 120,000 records was caused by ransomware that their third-party vendor, Wolverine Solutions Group, became infected with. The same third-party vendor was also the cause of a breach at Spectrum Health Lakeland. This one is very concerning because not only did they get patient data, they got detailed provider info as well.
• Federal Emergency Management Agency (FEMA) on March 22, 2019. This breach of 2.5 million records is wrong in so many ways. After these victims were traumatized by hurricanes, they were victimized a second time when a contractor used by FEMA didn’t protect the information that was provided to them.
• Quest Diagnostics on June 3, 2019. This breach exposed almost 17 million records. It occurred because a hacker took control of a payments page hosted by AMCA, a third-party billing vendor used by Quest.
• Essentia Health on July 10, 2019. This breach was due to their third-party vendor, California Reimbursement Enterprise, being the victim of a phishing attack. It has been nine months and they are still unclear as to how many records were exposed.
VRM programs… where do I start?
An effective VRM program starts by comprehensively identifying potential third-party risks, including process risks, political risks, unwanted functions, contract risks, legal and regulatory issues for non-compliance, and information system failures. This risk identification should be followed by an evaluation of the precise drivers that increase third-party risk.
4 tips for creating a VRM Program:
#1 Compile
#2 Classify
#3 Assess
#4 Decide
#1 Compile
Implementing the program starts by knowing all your vendors. Start with your finance or accounting contacts to see what they have.
#2 Classify
Vendors need to be classified by how much potential risk they pose to the organization. The potential risk is based on the potential impact that a breach involving the vendor would have on the organization annually. This step is critical to success and should not be decided by IT alone. If you have a current mission-critical and/or business-critical application list, that is a great place to start.
#3 Assess
There are typically two types of assessments, corresponding to the two classifications determined in the vendor classification form, and each classification follows a different assessment process.
For low-risk vendors you may be able to complete the questionnaire with information known internally to your organization. Once completed, the questionnaires should be saved with the vendor’s classification form and reviewed annually.
High- or critical-risk vendors require a more formal process, which should include documented responses from the vendors.
#4 Decide
For each of the high-risk vendors, a decision must be made about what to do with the risks discovered through the assessment process.
• Risk Accepted: Accept the risk “as-is” without any additional effort on the part of the organization or the vendor.
• Risk Accepted with remediation plan.
• Risk Unacceptable: There are two options for this finding.
  ◦ Work with the vendor on remediation/mitigation on their side.
  ◦ Decide to terminate the contract based on risk and follow the terms set forth in the contract regarding termination of services.
• Note: one of the biggest mistakes an entity can make in this phase is creating a remediation plan without follow-through. Nothing stings more than having an exposed risk occur because you didn’t complete the remediation.
What types of assessments are there?
Pre-Procurement Assessment: this is typically a shorter assessment that is based primarily on the organization’s security policy, with a focus on technology, data storage, and connectivity requirements. The goal is a quick decision on whether or not to use this product from a particular vendor.
HIPAA-Based Risk Assessments: these are typically much longer assessments that focus on a much broader range of HIPAA regulations. The questions are more in-depth and typically require detailed responses from a vendor. These assessments are also typically where a risk level is assigned to a vendor.
What Are Some of the Challenges?
What issues arise throughout the process?
• Asking the right questions.
• Having access to the contract documents.
• Getting the correct documents back from the vendors.
• Getting responses in a timely manner.
• Ensuring that, going forward, you update new contracts with requirements for meeting your security requirements and retain the ability to assess or audit them periodically.
• Adding automation where you can.
• Effective use of the data you have gathered.
• Where else would this data be helpful to the organization?
  ◦ SOC/SIEM feeds
  ◦ Cyber insurance validation
  ◦ Supply chain
What about staffing?
• Vendor management can have a significant impact on staffing. Most entities do not have additional bodies to pull for these efforts. This is especially true right now, while we are struggling to staff COVID-19 units and at the same time having to institute furloughs in our elective procedure areas.
• At first, the typical attempt is to assign portions of existing staff to this activity. These are usually existing security or compliance staff. Early efforts may be via Excel spreadsheets and tracked manually.
…And what about outsourcing?
• Allows an organization to leverage the experience and existing vendor relationships the outsourcer already has.
• Provides the benefit of access to subject matter experts (SMEs). No need to train existing staff on the process.
• The agreements should contractually set SLAs and turnaround times for expedited requests.
• A higher number of assessments can be completed, as the outsourced staff are working full time on them, not as part of another role.
• Standardized risk valuations, typically through the use of templates, which include critical, high, moderate, and low, with clear definitions of each value.
• Assigning the assessment portions to a partner allows you to focus on remediation plans and tasks instead of spending time on the phone or in email tracking down answers.
Thanks for tuning in! For more COVID-19 related podcast content, please visit www.cynergistek.com/podcasts.