The 2014 GRC Technology Innovation Awards was filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.
Corl Mitigates 3rd Party Risk Through Ongoing and Proactive 3rd Party Intelligence
Managing risk and compliance across 3rd party relationships has become a significant challenge to organizations. Surveys and questionnaires given to 3rd parties are necessary, but also prove unreliable and difficult to receive high quality responses containing accurate and fully completed information. The cost of follow up and inherit reliance on vendors to be responsive reduces effectiveness and increases the cost of due diligence. Many 3rd party risk and compliance approaches lack scalability as they are labor intensive and time consuming –the resource requirements of managing the “back and forth” and due diligence process typically results in less than 20% of vendors being properly vetted. Surveys and questionnaires are can also be outdated and audit-based assessments are point-in-time evaluations. After-the-fact changes in risk may not be documented and factored into 3rd party risk scores.
Third-party breaches and regulations are increasing drastically, but effective third-party security risk management is expensive, time consuming, and resource intensive. As a result, many organizations have programs that do not provide full coverage, or provide a false sense of security. Corl’s vendorsecurityRM provides organizations with the information they need to effectively focus their vendor due diligence efforts on those vendors who present the most risk. Data breaches can be costly due to the cost of remediation, regulatory fines, and reputation damage. Corl’s risk-based approach helps organizations focus their vendor security risk management efforts where they will have maximum impact and value.
Corl’s vendorsecurityRM solution is an innovative approach to supplement surveys, questionnaires, and due diligence processes. It enables organizations to intelligently understand and reduce risk attributable to a 3rd party relationship with a particular focus on data breaches. The vendorsecurityRM solution provides a vendor score and supporting information to effectively address the question of “can my organization have confidence in this 3rd party’s ability to protect sensitive data from an unauthorized breach?” The solution overcomes the traditional barriers of transparency, 3rd party collaboration, and resource capacity to effectively deliver 3rd party vendor security risk management.
The vendorsecurityRM solution is comprised of three primary components that combine to make it innovative: 1, a comprehensive and sophisticated patent-pending algorithm to assess vendor security confidence, which was developed by a PHD led team over two years in collaboration with Fortune 500 to small size organizations; 2, big data analytics of industry specific vendor behavior, benchmarks and best practices that encompass people, process and technology and supported by dedicated research teams; and 3, community/industry collaboration through Corl’s collaboration platform.
The vendorsecurityRM solution changes the paradigm for managing vendor security risk. It demonstrates that traditional risk assessment methods may be effective at gathering data but only go so far at rating confidence, managing risk and holding vendors accountable. The solution delivers reliable indicators of risk in a significantly more timely and efficient manner than traditional approaches. Most importantly, these indicators are actionable for effectively mitigating and continuously managing vendor risk. The solution also reduces regulatory compliance exposure for organizations that do not consistently follow through on vendor assessment and remediation processes.
Corl’s vendorsecurityRM supports a comprehensive vendor security program comprised of 4 steps:
- Profiling. Identify and document information security risks for existing and prospective vendors (e.g. RFP respondents)
- Due Diligence. Corl’s vendorsecurityRM reports are the basis for an effective due diligence process, allowing organizations to focus efforts on vendors that present the least confidence to protecting sensitive information such as PHI.
- Risk Strategy. Corl’s vendorsecurityRM program monitors and reports on required or recommended remediation to be completed by the vendor based on due diligence findings.
- On-going Monitoring. Corl’s vendorsecurityRM program continuously monitors vendors for changes that affect information security risk, and provides clients with automatic alerts when such changes are detected.
Corl’s vendorsecurityRM solution is a multi-tenant SaaS-based solution built on Microsoft technology and is currently in production with some large healthcare firms, both providers (hospitals) and payers (health insurers), and plans to roll out additional industry solutions in the future.
To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients