Episode 106 — Third-Party Risk: Vendor Selection, RFP, RFI, RFQ, EOI, Due Diligence, and Conflicts (5.3)
In this episode, we start looking at third party risk, which is the risk that comes from relying on vendors, suppliers, contractors, service providers, consultants, cloud platforms, and other outside organizations. Even if a company has strong internal security, its risk does not stop at its own walls. A payroll provider may handle employee information. A cloud service may host customer data. A software vendor may have access to systems for support. A contractor may work inside the network. A supplier may be part of a critical business process. When another organization touches your data, your systems, your operations, or your customers, their security choices can affect you. Third party risk management helps an organization choose partners carefully, ask better questions, review evidence, and understand where outside relationships create exposure.
Before we continue, a quick note. This audio course is part of our companion study series. The first book is a detailed study guide that explains the exam and helps you prepare for it with confidence. The second is a Kindle-only eBook with one thousand flashcards you can use on your mobile device or Kindle for quick review. You can find both at Cyber Author dot me in the Bare Metal Study Guides series.
A vendor is any outside organization or person that provides a product or service to the organization. Some vendors have very little security impact. A company that delivers office furniture may matter to operations, but it may not handle sensitive data or access systems. Other vendors can create serious risk because they process payments, store records, manage infrastructure, provide software, or support critical operations. Third party risk begins with knowing what kind of relationship exists. Does the vendor access internal systems? Does the vendor store or process sensitive information? Does the vendor support a critical service? Does the vendor depend on its own subcontractors? Does the vendor operate in a different country or legal environment? These questions matter because not every vendor needs the same depth of review. Risk should guide the level of attention.
Vendor selection is the process of choosing an outside provider that can meet business needs without creating unacceptable risk. Price matters, but it should not be the only factor. A cheaper vendor may become expensive if weak security leads to downtime, data exposure, legal problems, or poor service. A good selection process considers capability, cost, security, reliability, compliance, support, reputation, financial stability, and fit with the organization’s needs. Security should be part of selection early, not added after the contract is almost signed. If a vendor will handle sensitive data, the organization needs to understand how that data will be protected before the relationship begins. If a vendor will connect to internal systems, access control and monitoring expectations should be considered before access is granted. Early review prevents awkward surprises later.
A Request for Information (R F I) is often used when an organization wants to learn what options exist. It is usually exploratory. The organization may not be ready to choose a vendor yet, but it wants to understand the market, available capabilities, common approaches, and possible solutions. An R F I might ask vendors to describe their services, experience, security practices, certifications, or general approach. You can think of it as a way to gather information before making a more specific request. In third party risk, an R F I can help the organization learn whether vendors in a certain space commonly support encryption, audit reports, privacy commitments, incident notification, or integration with existing systems. It is not usually the final buying step. It helps narrow the field and shape later questions.
A Request for Proposal (R F P) is more formal and usually asks vendors to propose a complete solution. The organization describes its needs, requirements, constraints, and evaluation criteria, and vendors respond with proposed services, methods, timelines, costs, staffing, and security practices. An R F P is useful when the organization knows what outcome it wants but needs vendors to explain how they would deliver it. In a security context, an R F P should include requirements for data protection, access control, availability, incident reporting, regulatory needs, subcontractor use, support expectations, and evidence of control maturity. The vendor’s proposal becomes part of the selection process because it shows not only what the vendor sells, but also how clearly the vendor understands the organization’s risk and business needs.
A Request for Quote (R F Q) is usually more price focused. It is often used when the organization already knows what product or service it wants and needs vendors to provide pricing, terms, and availability. An R F Q may be simpler than an R F P because it does not always ask for a full solution design. For example, if the organization needs a specific type of hardware, software license, or defined service package, it may ask multiple vendors for quotes. Security still matters, especially if the purchase affects systems or data, but the purpose of the R F Q is usually to compare cost and terms for a known requirement. On the exam, keep the distinction clear. An R F I gathers information, an R F P asks for a proposed solution, and an R F Q asks for pricing on something more clearly defined.
An Expression of Interest (E O I) is a way for vendors or organizations to signal interest in participating in a future opportunity. It may appear before a more formal selection process. The buyer may use an E O I to identify which vendors are interested and potentially qualified before sending a detailed request. The vendor may provide basic information about capability, experience, and willingness to participate. In some environments, this helps reduce the field before a full proposal process begins. From a security viewpoint, an E O I is not a substitute for due diligence. It may help identify possible vendors, but it does not prove that a vendor can protect data, meet compliance expectations, or support critical operations. Treat it as an early signal, not a final assurance.
Due diligence is the careful review performed before entering or continuing a third party relationship. It is where the organization asks whether the vendor is trustworthy enough for the role it will play. Due diligence may include security questionnaires, contract reviews, privacy reviews, financial checks, references, audit reports, compliance evidence, architecture discussions, incident history, insurance coverage, and review of subcontractor relationships. The depth of due diligence should match the risk. A vendor that has no access to data or systems may need only basic review. A vendor that stores sensitive customer information or supports a critical business process needs much more attention. Due diligence is not about trying to make every vendor perfect. It is about understanding the risk clearly enough to decide whether the relationship is acceptable and what safeguards are needed.
Security questionnaires are common in due diligence, but they should be used thoughtfully. A questionnaire may ask about access controls, encryption, logging, vulnerability management, employee screening, incident response, data retention, disaster recovery, and physical security. The answers can help identify concerns, but answers alone are not always enough. A vendor may say it has strong controls, but the organization may need supporting evidence for higher risk relationships. That evidence might include independent assessment reports, certifications, test summaries, policies, or other documents. The goal is not to collect paperwork just to fill a folder. The goal is to develop confidence that the vendor’s controls match the risk. If a vendor cannot answer basic security questions or refuses reasonable evidence requests for a sensitive service, that is a warning sign.
Third party risk also includes fourth party risk, even if the episode title focuses on third parties. A fourth party is a vendor’s vendor. For example, your organization may hire a software provider, and that provider may rely on a cloud hosting company, a payment processor, a customer support platform, or a development contractor. Those downstream relationships can affect your data and operations even though you did not select those providers directly. This is why vendor selection and contracts often ask about subcontractors, data locations, and notification requirements when those relationships change. You may not be able to review every fourth party in depth, but you still need to understand whether the primary vendor has a process for managing its own suppliers. Risk can travel through the chain.
Conflicts of interest are another important part of vendor selection. A conflict of interest exists when a person or organization has competing interests that could influence judgment, fairness, or decision making. For example, an employee involved in choosing a vendor may have a financial relationship with one of the bidders. A consultant might recommend a product because they receive referral payments. A vendor might help write requirements in a way that unfairly favors its own solution. Conflicts do not always mean someone has acted dishonestly, but they do create risk because decisions may no longer be objective. Organizations manage this by requiring disclosure, separating duties, using fair evaluation criteria, documenting decisions, and removing conflicted people from certain choices when needed. Trust in the process matters.
Third party risk management does not end when the contract is signed. Vendor relationships need ongoing monitoring because risk changes over time. A vendor may be acquired, change its security practices, move data to a new environment, suffer a breach, add subcontractors, reduce support staff, or stop meeting service expectations. The organization may also change how it uses the vendor. A service that started with low sensitivity data may later handle more sensitive information. Ongoing review helps catch those changes. Depending on the risk, monitoring may include periodic questionnaires, updated audit reports, performance reviews, incident notifications, access reviews, vulnerability discussions, and contract renewal checks. A strong vendor at selection time can become a weaker fit later if conditions change and nobody notices.
For the Security Plus S Y Zero Eight Zero One exam, keep the procurement terms connected to their purpose. An R F I helps gather information before the organization fully defines what it wants. An R F P asks vendors to propose how they would meet a need. An R F Q focuses on pricing for a more clearly defined product or service. An E O I identifies interest and possible participation. Vendor selection compares providers across business, cost, security, compliance, and operational needs. Due diligence reviews whether the vendor’s risk is acceptable before the organization depends on it. Conflicts of interest threaten fair decision making and need disclosure and control. The exam may test whether you can choose the best document or concept for a situation, so focus on what problem each one solves.
The main idea to carry forward is that third party risk is still your organization’s risk, even when another company performs the work. Vendors can extend capability, reduce cost, and provide expertise, but they can also introduce exposure through weak controls, unclear responsibilities, poor service, hidden subcontractors, or conflicts of interest. A thoughtful selection process helps the organization choose partners that fit both business needs and security expectations. R F I, R F P, R F Q, and E O I processes support different stages of that selection. Due diligence gives the organization a clearer view of the vendor before trust is granted. Conflict reviews protect the fairness and integrity of the decision. Good third party risk management does not assume every vendor is dangerous. It assumes outside relationships need careful, risk-based attention.