3 Steps to Start your Third-Party Risk Management Program

What’s the difference between Third Party and Vendor Risk Management?

IT teams everywhere aim to protect businesses by evaluating and minimizing risk. Risks come in many forms, but one of the most common is either a third party or vendor.  Third-party refers to any organization with which your organization interacts or conducts business, while vendor refers specifically to providers of products or services.

The recent Verizon data breach report shows that “62 percent of System Intrusion incidents came through an organization’s partner. With a continuing focus on third-party integration and automation, compromising the right partner is a force multiplier for cybercriminals, and highlights the difficulties that many organizations face in securing their supply chain.”  

• [Free download: Building a Third-Party Risk Management Program]

  

  Three Steps to Start your Third-Party Risk Management Journey

• 1. Review the process of how you discuss risks for your business

Establish and review a way for you to discuss the risks to your business. If you have never reviewed risks in an organized way before, start now by running a criticality assessment so you have the information at hand for your discussion. But don’t limit this to direct assets. Understand data flows, particularly where APIs are involved. Backdoor access is a common vector of attack.   

• 2. Run a criticality assessment

Any third-party risk management journey should include a criticality assessment. This will give you the information you need in order to review each identified risk. For example, risk to an asset might be categorized as

1. Highly critical
2. Critical
3. Priority
4. Required
5. Deferrable

Where multiple assets are connected, you may want to consider applying the same criticality level to assets within that domain. 

3. Understand your appetite for risk

Understand what each level of risk means to your organization. Depending on the criticality of each risk, consider how robust a review would be needed and how frequently it should occur. Examples of those that fall under the “highly critical” category include vendors who have direct access to sensitive data or are storing sensitive data on your behalf. Assess if a vendor is mission-critical to your business operations or not. For example, a highly critical vendor may need to pass a robust security audit or you may even want to conduct your own audit directly. You may also consider setting a higher frequency for security reviews. At a minimum, conduct these reviews annually or every six months.

Remember, a non-critical third-party vendor may not require much more than a cursory review of their terms of use and security declarations since they are unlikely to be storing any of your sensitive data or impact your business operations.

Once you have run through these initial three steps with a criticality assessment and an initial review has been completed, the third party should be incorporated into your risk management framework. This will ensure that as business operations change, the impact on your business risk profile can be tracked.

Is there a third-party risk management certification?

There are certifications available for many security and risk management programs including NIST, SOC, and ISO. For example, a SOC audit is an industry-standard audit that demonstrates your commitment to data security and risk management. It follows a set format and after careful preparation, you will be audited by an approved AICPA Auditor. 

Next steps in third-party risk management?

Ostendio offers this free eBook to look at Third-Party Risk Management in more detail. If you are dealing with multiple vendors, consultants, or other parties who handle your data this eBook is an excellent resource. Ostendio experts are also happy to chat about your business needs. Schedule a meeting with an expert today.