Vendor Risk

Third-Party Risk Assessment

A vendor review workflow covering due diligence, control questions, risk scoring, and onboarding recommendations.

Organization: Cybersecurity Internship Portfolio
Duration: 2 weeks
Project Type: Vendor Risk
Frameworks: NIST CSF, ISO 27001, CIS Controls

Business Context

Why the work mattered

Third-party services can introduce operational, compliance, and data protection risk. This project created a practical assessment model for reviewing vendors before onboarding or renewal.

Objectives

Engagement goals

  • Design a vendor security questionnaire.
  • Classify vendor criticality by data and business dependence.
  • Document risk scoring and review outcomes.
  • Recommend follow-up actions for high-risk vendors.

Methodology

Structured process

The methodology explains how the work moved from context gathering to documented recommendations.

  1. Criticality Review: determine review depth based on business dependence. Vendors were classified by data access, service importance, and operational impact.
  2. Questionnaire Design: collect relevant security evidence. Questions were built covering access, encryption, incident response, business continuity, and compliance.
  3. Scoring: compare vendors consistently. Criteria were developed for low-, medium-, and high-risk outcomes.
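The three steps above as one scoring model, written here as an added illustration rather than the portfolio's own artifact: criticality from the three Step 1 factors, review depth (which questionnaire domains must be evidenced) scaled to the tier, and a Low/Medium/High outcome with follow-up items. The tier thresholds, maturity scale, weights, and sample vendors are constructed assumptions.

```python
from dataclasses import dataclass

# Questionnaire domains from Step 2; the review depth per tier is an assumption.
DOMAINS = ("access", "encryption", "incident_response", "business_continuity", "compliance")
REQUIRED_BY_TIER = {1: ("access", "compliance"), 2: ("access", "encryption", "compliance"), 3: DOMAINS}
MATURITY_MAX = 3  # 0 = no control or no evidence, 3 = documented, evidenced and tested


@dataclass
class Vendor:
    name: str
    data_access: int          # 0 none .. 3 sensitive or regulated data
    service_importance: int   # 0 minor .. 3 core business process
    operational_impact: int   # 0 negligible .. 3 outage halts operations
    answers: dict             # domain -> maturity; an absent domain means no evidence


def criticality_tier(v: Vendor) -> int:
    """Step 1: sum the three factors (0-9) into tier 1 (low), 2, or 3 (critical)."""
    total = v.data_access + v.service_importance + v.operational_impact
    return 1 if total <= 3 else 2 if total <= 6 else 3


def score_vendor(v: Vendor) -> dict:
    """Steps 2-3: score only the domains the tier requires, then classify the outcome."""
    tier = criticality_tier(v)
    required = REQUIRED_BY_TIER[tier]
    maturity = {d: v.answers.get(d, 0) for d in required}
    gap_ratio = sum(MATURITY_MAX - m for m in maturity.values()) / (MATURITY_MAX * len(required))
    outcome = "Low" if gap_ratio < 0.2 else "Medium" if gap_ratio < 0.5 else "High"
    # Edge case: a critical vendor with any required domain unevidenced is High,
    # however well the remaining domains average out.
    if tier == 3 and 0 in maturity.values():
        outcome = "High"
    follow_up = sorted(d for d, m in maturity.items() if m <= 1)  # items needing action
    return {"vendor": v.name, "tier": tier, "gap_ratio": round(gap_ratio, 2),
            "outcome": outcome, "follow_up": follow_up}


# Constructed sample vendors, not real assessment data.
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", 3, 2, 2, {"access": 3, "encryption": 3, "incident_response": 2,
                                      "business_continuity": 1, "compliance": 3}),
    Vendor("Newsletter tool", 1, 1, 0, {"access": 2, "compliance": 3}),
    Vendor("Badge system", 2, 3, 3, {"access": 3, "encryption": 2, "business_continuity": 3,
                                      "compliance": 2}),  # no incident-response evidence
]

if __name__ == "__main__":
    for result in map(score_vendor, SAMPLE_VENDORS):
        print(result)
```

The badge system scores a Medium gap ratio but is forced to High because a tier 3 vendor returned no incident-response evidence, which is the kind of case the high-risk follow-up actions target.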

Deliverables

Artifacts produced

Third-Party Risk

Vendor Security Questionnaire

Assessment template for collecting relevant vendor security information.

Improves consistency and evidence quality during vendor reviews.

Skills Demonstrated

Professional competencies

Vendor Assessment, Questionnaire Design, Risk Scoring

Outcomes

Project impact

  • Vendor review criteria became more consistent.
  • Security and business stakeholders gained a shared risk language.

Lessons Learned

Professional growth

Vendor risk review should be proportional to business dependence and data sensitivity.

Related Projects

Continue exploring

Governance

Governance Policy Development

A structured policy development engagement aligning security expectations with business objectives and recognized frameworks.

Frameworks: ISO 27001, NIST CSF, CIS Controls
Skills: Policy Development, Control Mapping, Technical Writing

Internal Audit

Internal Cybersecurity Audit

An internal assessment that reviewed security controls, documented gaps, and produced a prioritized remediation roadmap.

Frameworks: NIST CSF, CIS Controls, ISO 27001
Skills: Internal Audit, Gap Analysis, Risk Reporting

Risk Management

Enterprise Risk Assessment

A risk assessment project documenting assets, threats, likelihood, impact, and treatment options for management review.

Frameworks: CIS RAM, NIST CSF, ISO 27001
Skills: Risk Assessment, Risk Register, Business Impact Analysis

Discuss GRC opportunities

Contact Osen after reviewing this project or download the resume for a concise overview.