In my previous post, we discussed how to generate your third-party or vendor pool, how to assign a quantitative profile based on the risk they present to your organization, creating the appropriate risk scale based on your organizational risk appetite, and the use of tools to support the collection and correlation of large amounts of information. Today we’ll look a bit closer in regards to the assessment process, risk identification and treatment, and continuous monitoring.
Conducting the Assessment
Questionnaires are seldom “internal and proprietary,” as they are sometimes described as being. When adhering to regulatory or a compliance requirement, there are only so many ways to ask the same questions to generate the anticipated results and produce the desired evidence to support responses. Negotiate and set appropriate timelines, with a set start and target finish date for questionnaire completion, evidence gathering, risk identification, report release, and remediation follow-through. Knowing that you may and should have visibility to sensitive information, it is the assessing firm’s responsibility and expectation to ensure that throughout the assessment process:
1) the assessed organization is confident in the safety, confidentiality, and integrity of the data being shared.
2) data is only retained if there is a business need to do so and for as short of a defined timeframe as is required.
When Is Going Onsite Appropriate?
Onsite assessments are expensive, time-consuming and rarely provide additional insight that cannot be gained from other secure information sharing options, unless 1) physical and/or environmental aspects of the assessment are paramount and first-hand observation is mandatory, 2) the choice of the third-party to retain absolute control of their data or 3) the relationship is new or has had a material change and nature of the service being provided or data being shared with the third-party is highly sensitive.
Risk Mitigation and Reporting
Upon completion of the assessment, including a review of a completed questionnaire, any supplied documentation, evidence to support questionnaire responses, the next step is to put together a report detailing who the third-party is, the locations and detail of services within scope, gaps between what the third party has in place and the expected controls necessary to adequately protect any data they are being provided.
The risk appetite of the organization coupled with the scope of the assessment and the sensitivity of the data the third-party will receive may dictate the risk mitigation strategy, be it acceptance, avoidance, transference or reduction/remediation. If remediation is the chosen path, considerations should be made when working with your third-party to create reasonable plans. While policy creation and roll-out should take no more than 15-30 days, capital expenditures (i.e. hardware/software purchases, program creation and development, servers, etc) may take several months to get budgeted, planned and implemented.
As long as the relationship remains intact, the third-party risk is not going away. There are several reasons to implement continuous monitoring of third-party cyber risk, including the expansion or decrease of services, material change to a provider’s location or facilities, etc. Re-reviewing the risk associated with the third party or continual monitoring of third-party relationships, controls and activities are vital for meeting regulatory and compliance requirements, for the health of the relationship and the safekeeping of customer information.
Pinpointing and mitigating risks throughout your ecosystem is vital to the security of your organization and requires an effective third-party cyber risk management program. Having built several programs, here is the full list of the steps I suggest you take when creating your own program (you can read more about the points not covered here in my last article):
- Generate your third-party or vendor pool
- Assign a quantitative profile based on the risk a third-party poses to your organization
- Create the appropriate risk scale based on your organizational risk appetite
- Use tools to support the collection and correlation of large amounts of information
- Conduct an assessment (which may include going onsite if needed)
- Continuously monitor your third-party relationships to detect any changes in your ecosystem that may affect you
SENIOR SECURITY RISK ANALYST