If you have a partner that trusts you with their business – and therefore, data – chances are, you’ll be subject to a third-party cyber risk assessment. There’s plenty of steps you can take to prepare and plan for the assessment, but how do you efficiently and effectively participate in (and complete) a cybersecurity assessment?
Take Advance Action
It’s not enough to know the answers to the basic assessment prep questions. After you have a firm grasp of the basic information, it’s time to get busy!
- Identify internal stakeholders.
- Who knows the answers to the questions in the assessment? Often times this step requires multiple calls, emails, and meetings. It may be beneficial to consult an organizational chart and begin by briefly contacting individuals who direct or manage likely departments (e.g. Cybersecurity, Legal, Information Technology, etc.).
- Who should conduct quality assurance on assessment responses? The format of the assessment may allow your organization to provide written responses. In some cases, it is appropriate for highly placed individuals such as CISOs or internal general counsel to review the completed assessment prior to it being submitted.
- How are you going to communicate with, and organize all of these stakeholders? Consider creating an overall working group, and individual sub-committees, comprised of all appropriate internal individuals. These groups may include leadership, middle-management, and technical staff and may meet at a frequency commiserate with their involvement in the assessment.
- Collect supporting materials and evidence artifacts.
- What policies, procedures, and standards are likely to be requested during the assessment? Now is the time to make sure you’ve got your basic “ducks” in a row. These types of documents are almost always going to be needed so go ahead and ensure that they are accurate, current, and accessible.
- How will analysts, assessors, or auditors access the supporting documents? If supporting documentation and evidence is a requirement of your assessment, you will need to decide how to provide this documentation in a secure and organized way. Consider creating a well thought out artifact repository that allows you to manage access, auditing, etc. One of the many perks of this type of repository is that it can be archived for future reference.
- What materials and documentation are required for the assessment? If in doubt, confirm as early as possible the types of documentation that will be required as part of the assessment. In some cases, the expectation is fairly light, including high level information such as policies and procedures. In other cases, you may be asked for screenshots of configuration settings, outputs from vulnerability scans, examples of incident response tickets, etc. It is best to avoid being surprised by these requests.
- Jumpstart the risk mitigation and remediation process.
- How can you get ahead of the assessment results? It is a great idea to conduct internal, periodic assessments so that you can preemptively identify potential risks and begin taking appropriate action.
Execute Your Third-Party Cyber Risk Assessment Like a Champ
Preparation is key to a successful cyber risk assessment, but how you conduct yourself during the assessment is also critically important.
- Document everything.
- How will you keep track of the small details during the assessment? Make sure that every meeting with assessors is attended by a “scribe”. It is often difficult to keep up with the rapid-fire, highly technical requests and discussions that occur throughout an assessment. Having an individual dedicated to taking notes and distributing them to meeting participants is an excellent way to ensure appropriate expectations have been set, and that nothing has been overlooked.
- How do you know what needs to be done? A variety of action items are likely to be identified throughout the assessment. If you’ve identified a scribe for all meetings, ensure that they are capturing all action items and reviewing them with all attendees before a meeting is adjourned.
- Prepare to address identified risks.
- Can you make changes to your program, product, or information system while the assessment is ongoing? In many cases it is expected that the target of an assessment will remain static until the assessment is complete. However, some assessments include a brief remediation period after initial draft findings have been identified. If this is the case, be sure you know when your remediation window will occur, ensure that the appropriate internal stakeholders are available, and document all actions taken.
- Who else, internally, needs to know about assessment activities? Make sure that you appropriately update your leadership about the ongoing assessment process, outcomes, and associated actions. This information can have a significant impact on overall business decisions, budget planning, contract negotiations, etc.
Cybersecurity assessments are not fun, but you can reduce the pain and anxiety associated with them by implementing some common preparedness best practices. The recommendations above are just a sampling of ideas that can turn an uncomfortable and chaotic experience into a productive and valuable exercise.
DIRECTOR OF ASSESSMENT OPERATIONS