Have Questions About Third Party Risk Management? We Have Answers
November 12, 2020
20 min read
Third party risk management (TPRM) is a growing topic in cyber security, and for good reason.
Organizations are constantly increasing the number of vendors in their supply chain, from machinery and logistical support to software and other technological solutions in the name of improving workflows or gaining a competitive advantage.
But with more vendors and suppliers, organizations open themselves up to a larger threat surface. An attack on a single vendor can have a huge impact on organizations that work with them. This means organizations are under a constant threat of large-scale cyber risk amidst varying degrees of visibility.
Whether an organization has an existing third party risk management program and wants to improve what they have in place or needs to build one into their current risk management processes, there are often many factors to consider.
We’ve compiled several common questions around third party risk management, so you know what you need for an effective program.
What is Third Party Risk Management? How is it any different from overall risk management?
Third party risk management is the combination of policies and processes in place to assess, understand, and address different types of risks that an organization’s third parties, such as vendors, suppliers, contractors, and service providers pose to their business.
Third party risk is a subset of an organization’s overall risk management program, which should address risks across all levels and departments within an organization’s environment.
It ties into overall risk management and gives the security team a means to provide executive management with a complete understanding of the risks and threats that might impact the organization, based on any third parties that have access to sensitive information or areas of the network.
It’s important to note that this blog primarily addresses cyber security risk management for third parties, though risk management as a whole would cover other types of risk as well such as financial and reputational.
Do I need to have a Third Party Risk Management program?
If your organization works with third parties, vendors, or suppliers that handle data on your behalf or otherwise have access to your network, yes.
These third parties could be software companies that give one of your teams a tool to manage their workflows, an agency that has access to your website to assist in design and development, and anything in between.
Consider that one of the growing causes of breaches worldwide is third-party vulnerability. For the most part, organizations either don’t have visibility over all their vendors, or they only monitor a small selection of critical or top third parties.
Are there specific risk management frameworks to align with?
This depends on the industry of your organization and the nature of the data that you and your third parties might handle.
There is no single specific risk management framework that covers every single industry or geographical location, but there are frameworks commonly utilized such as SOC 2, ISO 27001, NIST Risk Management Framework 2.0, NIST 800-171. Some of these are overall security frameworks that contain elements that address third-party risk.
Each of these frameworks provides a set of standards and controls that should be implemented within a risk management program.
Whichever framework or set of frameworks your organization chooses to align with, it’s critical to understand what the controls are asking for and how they apply to your existing processes.
Effective security starts with visibility of your attack surface. There are threats you can’t see, find them now.
How often should I send assessment questionnaires to my vendors?
Conduct an assessment as soon as possible during the onboarding processes. This will give your team ample time to understand any existing risks before your third party or vendor is given access to potentially sensitive systems, networks, or data.
If there are any outstanding risks or vulnerabilities in your third party, conducting an assessment early will give both organizations the opportunity to mitigate the risk or remediate the issue before it becomes a problem.
How often you re-assess your vendors largely depends on the nature of your organization, the industry, and what your vendors do in your environment. Some organizations conduct assessments once or twice a year while others might have technology or other solutions in place to continuously monitor access and the status of their third parties on a weekly or monthly basis.
What’s the difference between a questionnaire and continuous monitoring?
A third-party risk questionnaire is a good point in time assessment of a third party’s current state. This is a good starting point to finding any existing risks or potential issues in an environment.
Continuous monitoring goes beyond an assessment at a given point in time and evaluates a third party’s environment for any changes on a regular basis. This is valuable for proactive monitoring and gives both organizations a chance to address any new risks that may not have been identified in a static assessment.
Additionally, both parties can take into consideration any new vulnerabilities, regulations, compliance activities, and resulting new policies and processes sooner rather than later.
Do I have to assess all my third parties, vendors, and suppliers?
In an ideal world, organizations would be able to regularly assess and monitor every third party and vendor that has access to their network or data.
In reality, third-party risk management can be an incredibly time-consuming and resource-heavy part of an organization’s risk management program. Large enterprises can have hundreds of thousands of vendors, and even smaller organizations can have close to hundreds of vendors to assess.
It’s more common to prioritize assessments of critical third parties. Criticality is usually based on the type of connection they have to the main organization’s environment or the type of data they handle, whether it’s PII, financial information, or health-related data.
Availability also factors into determining a critical vendor, especially for online service providers or cloud platforms and tools that may impact your operation or online presence.
Identify third parties that would have a large impact on your environment and start the assessment process with these organizations while building a roadmap that addresses vendors beyond this initial scope.
How long does it take to implement a Third-Party Risk Management Program?
It depends on what your organization already has in place and the resources that you have available. Building a third-party risk management program starts with an understanding of the organization’s goals.
These overall security and business goals should guide the overall risk strategy as well as the approach to establishing policies and processes around third-party risk. Typically, resource costs and availability will be a large determining factor in the implementation timeline of a third-party risk management program.
If time or resources are a constraining factor and building an internal team isn’t an option, organizations can turn toward outsourcing third party related tasks, whether on a strategic level or to execute specific program tasks.
Getting additional support and insight into establishing a comprehensive risk management program for third parties can be beneficial to executing strategic initiatives while maintaining day to day security program activities.