NCDIT Vendor Risk Management Workshop
Workshop Details & Schedule
Join the N.C. Department of Information Technology on June 2, 3, 4 and 10 for a free four-day virtual vendor risk management workshop, facilitated by Info-Tech Research Group, to help bolster our whole-of-state approach to cybersecurity by:
- Eliminating or reducing the frequency and severity of data breaches, data leaks and cyberattacks involving third- and fourth-party vendors
- Protecting sensitive data, personally identifiable information and protected health information
- Helping ensure the continuity of your agency’s operations
Organizations that don’t take a risk-based approach to vendor due diligence struggle with:
- Business units circumventing their controls
- Vendors who refuse to cooperate
- Lack of internal resources to meet demand for vendor assessments
- Limited scopes that don’t assess changing risks
Taking a risk-based approach to vendor due diligence will:
- Win over reluctant internal clients
- Encourage vendors to fully cooperate with assessments
- Reduce the costs of performing vendor assessments
This four-day workshop will begin at 9 a.m. and end at 4 p.m. each day and will have a 30-minute lunch break at noon.
Date & Time | Module |
---|---|
June 2, 2021 | Define Governance & Process |
June 3, 2021 | Define Methodology |
June 4, 2021 | Continue Methodology |
June 10, 2021 | Deploy Process |
Define Governance & Process
Purpose
- Understand business and compliance requirements.
- Identify roles and responsibilities.
- Define the process.
Key Benefits Achieved
- Understand the key goals for process outcomes.
- Documented service that leverages existing processes.
Activities | Outputs |
---|---|
Review current processes and pain points. | |
Identify key stakeholders. | RACI matrix |
Define policy. | Vendor security policy |
Develop process. | Defined process |
Define Methodology
Purpose
- Determine methodology for assessing procurement risk.
- Develop procedures for performing vendor security assessments.
Key Benefits Achieved
- Standardized, repeatable methodologies for supply chain security risk assessment.
Activities | Outputs |
---|---|
Identify organizational security risk tolerance. | Security risk tolerance statement |
Develop risk treatment action plans. | Risk treatment matrix |
Define schedule for re-assessments. | |
Develop methodology for assessing service risk. | Service risk questionnaire |
Continue Methodology
Purpose
- Develop procedures for performing vendor security assessments.
- Establish vendor inventory.
Key Benefits Achieved
- Standardized, repeatable methodologies for supply chain security risk assessment.
Activities | Outputs |
---|---|
Develop vendor security questionnaire. | Vendor security questionnaire |
Define procedures for vendor security assessments. | |
Customize the vendor security inventory. | Vendor security inventory |
Deploy Process
Purpose
- Define risk treatment actions.
- Deploy the process.
- Monitor the process.
Key Benefits Achieved
- Understanding of how to treat different risks according to the risk tolerance.
- Defined implementation strategy.
Activities | Outputs |
---|---|
Define risk treatment action plans. | Vendor security requirements |
Develop implementation strategy. | Understanding of required implementation plans |
Identify process metrics. | Metrics inventory |
The NCDIT Vendor Risk Management Workshop is for information security officers and security liaisons in North Carolina state government.
Although the workshop is free, you must register by 5 p.m., Monday, May 31, with your official organization email account.
Have Questions?
For more information, contact Rob Main at rob.main@nc.gov.