NCDIT Vendor Risk Management Workshop

Workshop Details & Schedule

Join the N.C. Department of Information Technology on June 2, 3, 4 and 10 for a free four-day virtual vendor risk management workshop, facilitated by Info-Tech Research Group, to help bolster our whole-of-state approach to cybersecurity by:

  • Eliminating or reducing the frequency and severity of data breaches, data leaks and cyberattacks involving third- and fourth-party vendors
  • Protecting sensitive data, personally identifiable information and protected health information 
  • Helping ensure the continuity of your agency’s operations

Organizations that don’t take a risk-based approach to vendor due diligence struggle with:

  • Business units circumventing their controls
  • Vendors who refuse to cooperate
  • Lack of internal resources to meet demand for vendor assessments
  • Limited scopes that don’t assess changing risks

Taking a risk-based approach to vendor due diligence will:

  • Win over reluctant internal clients
  • Encourage vendors to fully cooperate with assessments
  • Reduce the costs of performing vendor assessments

This four-day workshop will begin at 9 a.m. and end at 4 p.m. each day and will have a 30-minute lunch break at noon.

Date & Time | Module
June 2, 2021 | Define Governance & Process
June 3, 2021 | Define Methodology
June 4, 2021 | Continue Methodology
June 10, 2021 | Deploy Process

Define Governance & Process

Purpose

  • Understand business and compliance requirements.
  • Identify roles and responsibilities.
  • Define the process.

Key Benefits Achieved

  • Understand the key goals for process outcomes.
  • Documented service that leverages existing processes.

Activities | Outputs
Review current processes and pain points. |
Identify key stakeholders. | RACI matrix
Define policy. | Vendor security policy
Develop process. | Defined process

Define Methodology

Purpose

  • Determine methodology for assessing procurement risk.
  • Develop procedures for performing vendor security assessments.

Key Benefits Achieved

  • Standardized, repeatable methodologies for supply chain security risk assessment.

Activities | Outputs
Identify organizational security risk tolerance. | Security risk tolerance statement
Develop risk treatment action plans. | Risk treatment matrix
Define schedule for re-assessments. |
Develop methodology for assessing service risk. | Service risk questionnaire

Continue Methodology

Purpose

  • Develop procedures for performing vendor security assessments.
  • Establish vendor inventory.

Key Benefits Achieved

  • Standardized, repeatable methodologies for supply chain security risk assessment.

Activities | Outputs
Develop vendor security questionnaire. | Vendor security questionnaire
Define procedures for vendor security assessments. |
Customize the vendor security inventory. | Vendor security inventory

Deploy Process

Purpose

  • Define risk treatment actions.
  • Deploy the process.
  • Monitor the process.

Key Benefits Achieved

  • Understanding of how to treat different risks according to the risk tolerance.
  • Defined implementation strategy.

Activities | Outputs
Define risk treatment action plans. | Vendor security requirements
Develop implementation strategy. | Understanding of required implementation plans
Identify process metrics. | Metrics inventory

The NCDIT Vendor Risk Management Workshop is for information security officers and security liaisons in North Carolina state government.

Although the workshop is free, you must register by 5 p.m., Monday, May 31, with your official organization email account.

Have Questions?

For more information, contact Rob Main at rob.main@nc.gov