Seemingly every few months there is news of another organization's data breach, with its confidential data ending up in the wrong hands. These security lapses have major consequences, ranging from regulatory scrutiny to fines, lawsuits, and customer dissatisfaction.
While advances in cloud computing and managed services have made IT operations more agile, efficient and streamlined, those benefits have also introduced new vendor risks into your organization, and those vendors now sit closer to your most sensitive data than ever before.
There are four key trends driving the focus on third party/vendor risk management:
● Globalization: As the world gets flatter, organizations with global third-party networks are faced with a multitude of rules, policies, data, standards and regulations.
●Virtualization: Technology has dramatically changed the way organizations operate. With the advent of the cloud, virtual data centers, and hosted apps, companies are using vendors to process their critical business information, thus transferring data outside their firewalls. Recent data breaches and security incidents have highlighted the vendor risks that come with virtualization, and the need to have deeper visibility into the third-party ecosystem.
● Social Media: On one hand social media improves transparency, collaboration, and efficiency across third-party networks. On the other, it brings potential security risks and privacy concerns for business-critical information. The key is to leverage social media to gather third-party intelligence, while also identifying and mitigating the attendant risks.
● Mobility: Ubiquitous access to data across mobile devices poses multiple security risks. As data access becomes easier, and as security breaches proliferate, a strong third party/vendor risk management program is essential to ensure accountability.
Third party risk has become one of the biggest culprits behind data breaches, and IT leaders have shifted their focus toward it accordingly. Managing risk, in particular third party/vendor risk, has become an even more central concern. Who wants to work with a partner that is careless with data? A third party's reputation can ultimately affect your own organization's. Outside vendors are nonetheless an essential part of the technology stack, and it is simply impossible to perform key functions without them. How do you determine whether a vendor will safeguard your data and handle it with the utmost care? That question is the essence of third party/vendor risk management.
Third Party/Vendor Risk
It's rare in 2018 for any organization to conduct all of its operations using only its own resources and personnel. For many, it takes business partners, often called "third party/vendor" partners, to get things done. Whether it's a bank that uses vendor-managed cloud services to store and analyze its data, or a supermarket that hires an EPOS (electronic point of sale) provider to process its credit card transactions, firms large and small rely on third party partners to manage tasks that frequently involve a high volume of sensitive information.
The question of trust looms large in such partnerships, particularly since an organization is often liable for the functions its third party/vendors perform, even though it does not carry them out directly. Third party/vendor risk management has become one of the most important risk issues facing organizations today. Alongside the growth of vendor risk management as a profession, senior executives and boards increasingly find themselves involved in third party risk management, as it has become an accepted and important element of a director's or officer's fiduciary duty to the company.
The process of assessing third party vendors and conducting security assessments and questionnaires can quickly become overwhelming. Many organizations and governing bodies publish their own guidelines. Add the increasing complexity of cybersecurity issues, and your security team can quickly become buried under a mountain of tasks and processes that are ineffective and do not actually protect data, customers, partners, and other key stakeholders. Just as cyber risk management requires a whole-of-company approach, a sophisticated vendor risk management program requires governance, policy, training, and technology (tools) to be effective.
Shared Assessments Program
A well known framework for assessing third party/vendor risk is the Shared Assessments Program, which is used in over 115 countries and across a variety of industry verticals: financial services, energy, government, healthcare, manufacturing, pharmaceutical, retail, telecommunications, and education. The program is a trusted source for third party/vendor risk management resources, including tools and best practices, for managing the critical elements of the vendor risk management lifecycle. Using industry-established best practices, it follows a two-step "trust, but verify" approach to third party assessments: first gather the vendor's own answers to a standardized questionnaire, then substantiate those answers through an on-site assessment. This lets you fine-tune your third party risk management program according to your company's strategy for managing risk, and it keeps in view the key caveat of any questionnaire: a vendor's self-attestation is a starting point, not evidence, until it has been verified.
Program in Depth
The Shared Assessments Program consists of three core tools that your organization can use to assess its third party/vendor risk.
There is a GDPR toolkit as well (we have covered GDPR in a previous blog).
SIG (Standardized Information Gathering) questionnaire:
The SIG is based on a comprehensive question library that assesses how information technology and data security risks are managed across a broad spectrum of risk control areas. SIG Lite is designed to be completed by a third party vendor supporting non-critical functions or otherwise posing less risk to the requesting organization. SIG Core is the next step up, designed to be completed by vendors supporting critical functions. Either the SIG Lite or the SIG Core can be supplemented with additional questions from the SIG library, and the library can also be used on its own for deep dives into targeted risk areas. These aren't just "check the box" questions and answers: the SIG is an in-depth questionnaire that gathers a large amount of information about a vendor's controls, all of it self-reported by the vendor. The security domains covered include:
● Risk Management
● Security Policy
● Organizational Security
● Asset Management
● HR Security
● Physical and Environmental Security
● Communications and Operations Management
● Access Control
● Incident Event and Communications Management
● Business Continuity and Disaster Recovery
● Cloud Computing
● Additional Questions
For those intimidated by the size of the full SIG, SIG Lite may be the risk assessment questionnaire to consider. It is essentially a questionnaire covering all of the topics above, but it does so with a distilled fraction of the questions in the full SIG library, and significantly fewer than even the SIG Core.
SCA (Standardized Control Assessment):
The SCA uses a standardized, efficient, substantiation-based protocol for on-site assessments that allows companies to evaluate their own controls as well as those of their third-party service providers. Where the SIG collects a vendor's answers, the SCA is the "verify" step: the assessor examines evidence on site rather than relying on the vendor's self-attestation. Its content is continuously re-evaluated and frequently updated so that it remains relevant to both current and emerging best practices. It defines 17 critical risk control areas, including those listed below, along with assessment procedures and an on-site assessment reporting template, all of which improve the efficiency of the assessment process.
● Risk assessment and treatment
● Security policy
● Organizational security
● Asset and information management
● Human resources security
● Physical and environmental security
● Operations management
● Access control
● Application security
● Incident event and communications management
● Business resiliency
● Network security
● Threat management
● Server security
● Cloud security
VRMMM (Vendor Risk Management Maturity Model)
While the SIG and the SCA (formerly known as the AUP, or Agreed Upon Procedures) are used to identify and evaluate your third party vendors' risk, the focus of the VRMMM is to give risk managers a tool for evaluating their own vendor risk program against a comprehensive set of best practices. Essentially, it is a scoreboard or report card showing how a vendor risk management program stacks up against standard practices.
VRMMM is updated yearly, but below is a list of the high-level components that make up the VRMMM:
● Monitor & Review
● Tools, Measurements & Analysis
● Communication and Information Sharing
● Skills and Expertise
● Vendor Risk Identification and Analysis
● Policies, Standards & Procedures
● Program Governance
Certified Third Party Risk Professional (CTPRP)
The Certified Third Party Risk Professional (CTPRP) designation is a certification program that validates proficiency in third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and the fundamentals of third party risk assessment, monitoring and management. Those who pass the exam have demonstrated working knowledge of each of these areas.
Versatile for Internal Security Program Management
The Shared Assessments framework is a thorough method for establishing the security posture of your third party/vendors. It also has another pertinent application: your own organization. The same framework that is used to establish trust between your organization and its vendors can just as easily be used to establish confidence in your organization's own security posture and processes. If your organization is itself a vendor to established businesses, adopting the Shared Assessments framework as a governing document for your own information security program may be particularly compelling, since your customers are likely to assess you against it. Approaching your program with this in mind, your organization can effectively kill two birds with one stone! With that noted, no animals were harmed in the drafting of this blog, nor is such harm condoned.
In today's complex, outsourced environment, it's critical to step up third party/vendor risk management initiatives to protect both reputation and revenue. Gain a clear view of your third party/vendor relationships and collaborations, and adopt a proactive approach to managing their associated risks. Be well prepared to manage supply chain disruptions by proactively identifying hidden risks and using well-defined business continuity plans. Also, establish a robust closed-loop process to continuously evaluate third parties based on the Shared Assessments Program. The key is to manage the third-party ecosystem in a way that creates a culture of transparency and accountability. Lastly, if appropriate for your risk profile, consider adopting the Shared Assessments framework as part of your own information security program.