NCDIT Vendor Risk Management Workshop
Four Days to More Effective Vendor Risk Management
A recent major supply chain attack on a prominent U.S. information technology firm highlights the need for due diligence around vendor risk management. Find out what you should be doing to help bolster our whole of state approach to cybersecurity.
Register by 5 p.m. May 31Workshop Details & Schedule
Join the N.C. Department of Information Technology on June 2, 3, 4 and 10 for a free four-day virtual vendor risk management workshop, facilitated by Info-Tech Research Group, to help bolster our whole-of-state approach to cybersecurity by:
- Eliminating or reducing the frequency and severity of data breaches, data leaks and cyberattacks involving third- and fourth-party vendors
- Protecting sensitive data, personally identifiable information and protected health information
- Helping ensure the continuity of your agency’s operations
Organizations that don’t take a risk-based approach to vendor due diligence struggle with:
- Business units circumventing their controls
- Vendors who refuse to cooperate
- Lack of internal resources to meet demand for vendor assessments
- Limited scopes that don’t assess changing risks
Taking a risk-based approach to vendor due diligence will:
- Win over reluctant internal clients
- Encourage vendors to fully cooperate with assessments
- Reduce the costs of performing vendor assessments
This four-day workshop will begin at 9 a.m. and end at 4 p.m. each day and will have a 30-minute lunch break at noon.
|
Date & Time |
Module |
|---|---|
| June 2, 2021 | Define Governance & Process |
| June 3, 2021 | Define Methodology |
| June 4, 2021 | Continue Methodology |
| June 10, 2021 | Deploy Process |
Define Governance & Process
Purpose
- Understand business and compliance requirements.
- Identify roles and responsibilities.
- Define the process.
Key Benefits Achieved
- Understand the key goals for process outcomes.
- Documented service that leverages existing processes.
| Activities | Outputs |
|---|---|
| Review current processes and pain points. | |
| Identify key stakeholders. | RACI matrix |
| Define policy. | Vendor security policy |
| Develop process. | Defined process |
Define Methodology
Purpose
- Determine methodology for assessing procurement risk.
- Develop procedures for performing vendor security assessments.
Key Benefits Achieved
- Standardized, repeatable methodologies for supply chain security risk assessment.
| Activities | Outputs |
|---|---|
| Identify organizational security risk tolerance. | Security risk tolerance statement |
| Develop risk treatment action plans. | Risk treatment matrix |
| Define schedule for re-assessments. | |
| Develop methodology for assessing service risk. | Service risk questionnaire |
Continue Methodology
Purpose
- Develop procedures for performing vendor security assessments.
- Establish vendor inventory.
Key Benefits Achieved
- Standardized, repeatable methodologies for supply chain security risk assessment.
| Activities | Outputs |
|---|---|
| Develop vendor security questionnaire. | Vendor security questionnaire |
| Define procedures for vendor security assessments. | |
| Customize the vendor security inventory. | Vendor security inventory |
Deploy Process
Purpose
- Define risk treatment actions.
- Deploy the process.
- Monitor the process.
Key Benefits Achieved
- Understanding of how to treat different risks according to the risk tolerance.
- Defined implementation strategy.
| Activities | Outputs |
|---|---|
| Define risk treatment action plans. | Vendor security requirements |
| Develop implementation strategy | Understanding of required implementation plans |
| Identify process metrics | Metrics inventory |
The NCDIT Vendor Risk Management Workshop is for information security officers and security liaisons in North Carolina state government.
Although the workshop is free, you must register by 5 p.m., Monday, May 31, with your official organization email account.
Have Questions?
For more information, contact Rob Main at rob.main@nc.gov.