Third Party Security Risk: Don’t Let Friends Become Gate CrashersPublished July 25, 2017 by Karen Walsh • 6 min read
Organizational growth brings the need for more vendors to enhance areas of your business lines; however, these vendors cause third party security risk. To shore up your risk profile, you need to be sure that your vendors have been appropriately risk rated and that their security policies and procedures meet your company’s requirements. However, understanding how vendors cause third party risk can be difficult, so we’re offering a webinar to help you. In addition, an article by Pricewaterhouse Cooper discusses steps to a successful risk management program. In this article, learn how to use those steps and integrate GRC automation for an effective response to third party security risk.
Assess Your Third Party Environment
Reviewing your third party security risk means understanding how your vendors manage their own risks and doing a risk assessment. There are three things to look at when reviewing your vendors. This can seem overwhelming, but what you’re really doing is making sure that your vendor aligns with your own organizational security stance.
First, you need to make sure that your third party providers train their employees in ways that you find satisfactory. Employees are the number one security risk in any environment, so make sure that your vendors approach employee training the same way you do.
Second, you want to make sure that the providers have standardized controls. Look to their security stance and verify that they scrutinize their compliance controls to the same extent that you scrutinize your own.
Third, you need to review their technology and infrastructure. You need to be sure that the vendor has an infrastructure that would provide business continuity if something were to happen. Make sure you can limit the risk caused by third party vendors.
Ultimately, your vendors are an extension of your organization, so it is in your best interest to ensure that their risk appetite aligns with your own.
Increase the efficiency and effectiveness of vendor-related risk management
Increasing efficiency in risk management often involves two things: communication and documentation. From both standpoints, automating GRC benefits your organization.
One of the first steps to an efficient and effective vendor management program is the creation of a vendor selection process. Best practices include contract and decision-making documentation, as well as the incorporation of input from the appropriate IT and business partners. To do this well, there should be a single place for all stakeholders to access the information they need.
These partners then need to determine where the vendor fits in their respective business lines. By communicating with one another, IT and department leaders can work together to see how the vendors respond to shared organizational goals. If your departments aren’t working together to create a cohesive strategy, your vendors may not meet all of your company’s needs.
In addition, all stakeholders need to be accountable for the success of vendor relationships. To create clear accountability for each relationship, your organization needs to ensure constant input from the internal stakeholders. For that to happen, a single source of truth needs to be accessible to these diverse groups.
GRC automation makes information sharing across business lines easier by breaking down departmental silos. Creating appropriate lines of communication ensures responsibility and accountability. This keeps your company safer and limits your overall third party security risk.
Develop a customized third party security risk management framework
Every organization is different. With that in mind, you need to determine your own risk tolerance. In addition, you need to articulate how you have performed your due diligence when incorporating vendors into your landscape.
Creating a framework means reviewing your third party security risk holistically. Risk management begins even before you hire a vendor. When beginning the search process, you need to develop a strategy for sourcing your vendors and developing your business.
From there, you move into the evaluation phase. As discussed above, this is the phase where your communication matters most. You have to make sure that all departments involved identify risks, assess those risk, and then perform the appropriate due diligence.
Your contracts need to discuss how risk and compliance are managed. In addition, the documentation should include performance requirements. Third party actors need to be able to respond to your company’s needs, be it daily activities or in light of business disruption. These kinds of steps need to be discussed before events occur and should be included as part of your risk evaluation.
You are responsible for the ongoing monitoring of vendors. While it may feel convenient to lay blame on a vendor whose security fails, you are just as responsible for your oversight of their protocols and security posture. This means that you have ongoing duties.
Finally, make sure that you have a termination process in place before you ever need it. As always, the motto of being prepared means being ready for the eventuality of having to end a relationship.
Develop a risk stratification protocol to highlight risks by vendor
More likely than not, you will employ multiple vendors to cover different organizational needs, and different needs lead to different risks. For example, PCI DSS compliance needs are different from SOX compliance needs. Despite some overlap, they both have their own risks, so different third party security risks come with each.
This means that you need to be able to have the appropriate risk tolerances for each vendor based on how you are incorporating them into your organization. As with any decision-making process, you have to be able to explain your reasoning.
For example, some risks may be worth accepting while others are not. When working with a third party, clearly identify what your individual vendor risks are and why you are willing to accept those. You may need to evaluate things like access control, physical and environmental control, encryption, disaster recovery procedures, employee security protocols, information security incident management, systems development and maintenance, hardware infrastructure, software infrastructure, network infrastructure, physical security, policy and risk management, and vulnerability controls.
You may feel some risks are more important than others. You may determine that for a third party with no customer data contact that encryption is less important. In contrast, for a PCI vendor, encryption is one of the most important controls. Therefore, when looking at different vendors, make sure that your tolerances match what the purpose of each vendor.
Implement and conduct ongoing risk management activities, such as vendor assessments
Third party security risk review does not stop when the contract is signed. To effectively create an appropriate risk management program, you need to engage in ongoing monitoring to ensure constant risk review.
Ongoing vendor assessments come in a variety of packages. One assessment may be a simple checklist that you require the vendor to complete. However, this relies on the vendor’s honesty and integrity. Prior to signing a contract, you should have confidence in your vendor’s ability to be upfront with you. However, any good businessperson knows that skepticism is the root of all safety.
This means that your ongoing monitoring should include documentation of audits/assessments and policies/procedures. If your vendor experiences a security event, you want to make sure that you have done everything possible to be knowledgeable about the impact the event may have on your own customers.
This is another reason that having an automated GRC tool helps organize third party security risk. As you add more vendors to your business, you will add more documentation. A GRC platform creates a single storage location with the appropriate access controls.
A GRC platform like ZenGRC offers control over your documentation by giving you access options. However, it also means that the stakeholders involved can share the information. This makes the ongoing monitoring process more efficient because you can control access to information based on each stakeholder’s role while also making it easier to share information so that everyone who needs to review it can do so.
Establish a comprehensive third party security risk management governance and reporting process
Risk management reporting means giving senior management and the Board of Directors the information they need to provide oversight. However, you will also need a tool that establishes appropriate reports for those in charge of the ongoing monitoring.
This is another area where an automated GRC tool offers efficient management of your third party security risk.
Tools like ZenGRC generate reports that meet the needs of the different stakeholders in your organization. For example, you need to find a tool that not only documents your ongoing due diligence but provides a quick way to present that document to others. You want to be able to provide reports that show outstanding and past-due assessments (or, if you’re on top of your game, that none are outstanding or past-due).
You need to be able to generate reports that provide details for those on your front lines but also offer a high-level view for those at the c-suite and Board level.
As your organization grows in complexity, spreadsheets will no longer be able to meet your needs, but a GRC platform will allow you to grow and expand.
Managing third party security risk can feel like banging your head against a wall. Join our webinar, Follow the Data: 9 Strategies to Making 3rd Party Risk Less Opaque, for tips to successful vendor management.