Do Onsite Third Party Risk Assessments Add Value or Risk?

by Justin Luebke

With the current state of affairs, including global pandemic planning and restrictions on travel and on gathering, can organizations gain the same level of trust and assurance remotely as they can onsite?  Yes, under most circumstances I believe we can, if we are asking to see the right evidence and information.

Security and due diligence audits of third-party relationships are nothing new.  In the course of my 30 years in the IT security industry and 15 years working in the third-party risk management space, I have had the opportunity to conduct hundreds of onsites, primarily for financial services and insurance clients.  While I have not been able to find any current regulatory requirement (OCC, FDIC, FFIEC, etc.) for conducting an onsite review of a third-party relationship, regulatory guidance does note that onsite visits "may be useful" (OCC Bulletin 2013-29) in assessing operational, physical or environmental risk.

With web conferencing technology now available at reasonable prices, bandwidth capable of live streaming at 4K definition, and virtual data room repositories that offer satisfactory security, the same level of due diligence can be accomplished from anywhere at a fraction of the cost.

In my experience and based on a cost-benefit analysis, there are still outlying cases when it would be prudent to conduct a physical onsite:

  • There are technological or policy restrictions that limit any other method of information sharing
  • It is a new relationship, the third party is going to be receiving or processing regulated data, and they have no audit mechanisms or reporting vehicles in place
  • The third party has experienced a data breach or performance discrepancies, and firsthand assurance of risk mitigation or operational process activities is necessary

The risks associated with allowing an onsite cover the whole spectrum: exposing your workforce to a potential contagion, permitting a threat actor access to sensitive locations or systems, and exposing other clients' or customers' data to someone not meant to see it.  In fact, many colocation and cloud datacenters no longer permit onsites, for the safety and security of themselves and their customer base.

Security audit reports have improved dramatically since I began in this space.  The model of "complete once and share with many," like the CyberGRX Exchange, is one of the many ways to alleviate the audit fatigue facing so many organizations and security professionals.  There was a time when a report called the SAS 70 was being used for purposes far beyond its original design; today's iteration, the SSAE 18 SOC 2 report, and its Trust Services Criteria of security, availability, processing integrity, confidentiality and privacy, cover many of the major areas of concern for security professionals.

With the continual movement away from onsite data centers and toward the cloud, auditors faced a real challenge in getting support and buy-in on how these environments should be audited.  They now have the Cloud Security Alliance and its Security, Trust, Assurance and Risk (STAR) program, designed for "transparency, rigorous auditing and harmonization of standards."  All of this can be reviewed remotely, with the appropriate NDAs in place.  From these starting points, I can ask better questions and have better risk-based conversations with my third parties.

Whether sitting across a table, viewing a web conference or reviewing a data repository, your third-party ecosystem should be your trusted partners: trusted, BUT VERIFIED!

Shane Hasert, CISSP, CISA, CRISC
Director of Assessment Operations, CyberGRX