Moody’s recently launched their Vendor Information Risk (VIR) ratings service. The main objective of this service is to reduce the overall burden of conducting risk assessments for organizations, as well as their service providers. The whole idea being that if Moody’s can do a risk assessment on behalf of multiple subscribers, it can make the assessment process a lot more efficient. The service provider will not have to go through multiple assessments and the subscribers will share the cost, and therefore have a much lower price point.
Many CISOs I talk to are sick of performing third party risk assessments; it takes up valuable time, is expensive, and most importantly, pulls resources away from doing actual security work within the company. On the other hand service providers are also having a hard time keeping up with these assessments. A compliance manager at a large service provider estimated that they responded to over 300 audit requests in 2007, and that number would be around 400 in 2008. Thus, a service like this could potentially save millions of dollars for service providers and subscribers.