Organizations spend a significant amount of time and money to ensure robust controls are in place to mitigate technology risk. This may be accomplished by employing competent cybersecurity personnel, enforcing a robust set of cybersecurity policies and following industry best practices and industry standards relevant to protecting the organization. However, many organizations fail to consider the complexity of the modern day technical ecosystem and the increased reliance on third-parties to support key business functions. Existing technical controls often fail to effectively address third-party risks, and for many organizations these processes are not owned by IT.
If vendor management resides in your procurement function, would you trust them to manage cybersecurity risk? For many of us, the answer is a resounding NO! Unfortunately, many organizations do not have effective processes and controls to validate the effectiveness of third-party controls and the potential impact on their environment. Many recent data breaches have resulted from a third-party control failure (e.g. misconfiguration of Amazon E3 buckets). Third-party risk management are key tenants of all industry standards such as ISO 27001, the CIS Top 20, NIST CSF and the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500).
Ultimately, it is the responsibility of the organization to protect sensitive data, whether housed internally or with a third-party. This is why the implementation of a third-party risk management program is critical to ensure the entire technology ecosystem is adequately protected. Curious how to get started? Begin with the following five elements:
- Identify – Risk Sources – Define vendor evaluation criteria and the risk each criteria can pose to your organization.
- Define – Assessment Policy– Define risk assessment policies for vendors. A well-defined, quantitatively measurable vendor evaluation and monitoring criteria is the key to managing risk.
- Assess– Vendor Risk – Vendor risk assessment should be built into your RFQ/RFP process. Existing vendors should go through (defined) periodic reviews.
- Remediate – Issues– Work with critical vendors to ensure remediation. A partnership approach to compliance and remediation can offer more benefits to a more expensive vendor replacement.
- Maintain – Compliance – Ensure continued vendor compliance through scheduled periodic assessments.
Through these key elements an organization can ensure risks with third parties are consistently managed. Once identified and defined, risks can be assessed, and either accepted or remediated across the entire technical ecosystem. Don’t let one of your vendors be the reason you are the next publicly reported data breach!