Understanding Third-Party Risk Management (TPRM)
Third-party risk management (TPRM) is a vital part of your organization’s overall risk management program. The average organization can have hundreds or even thousands of third parties and vendors that have access to its networks or handle sensitive data on its behalf, leaving a large surface open to potential cyber-attack.
One of the most common causes of large-scale breaches is the compromise of a third party. Vulnerabilities in a vendor or supplier are used to gain access into the target environment and then to steal or otherwise compromise sensitive information.
The key objectives of a third-party risk management program are to reduce the ability of cyber attackers to move from a third-party environment into your own. An effective third-party risk management program should identify, measure, and manage risks surrounding the organizations that either have access to your systems and infrastructure, or manage sensitive or confidential information for your company.
Every organization will have slightly different processes for third-party risk management, but the primary components can be broken down into four parts:
1. Identifying Third Parties
Before you can start managing risk in your third parties, you need to understand who they are and how they integrate with your environment. Do they have direct access into your environment? Do they store sensitive information? Non-sensitive information?
As straightforward as this might sound, it can be hard to compile a complete list of the suppliers and partner organizations distributed across your organization, especially if this information isn’t stored in a central place.
The best place to start the identification process is in your contracts, usually with the legal department or procurement. As your organization continues to define and build the third-party risk management process, make sure to develop a process for onboarding new vendors or suppliers into your environment, and establish a place where your team can easily manage each of your vendors.
2. Categorizing Third Parties
The next step, sometimes called banding, is to categorize these third-party companies based on the level of access they have to your systems or the types of data they handle on your behalf.
Breaking your third parties up into appropriate categories makes it easier to prioritize the organizations that handle sensitive data or access critical systems in your environment.
The third parties that don’t handle any data or access sensitive systems don’t have to be measured in as much depth as those that access personally identifiable information or have direct access into your system.
3. Conducting the Third-Party Risk Assessment
Once you’ve categorized the third parties you need to assess, the next step is to perform an assessment. The goal of the assessment is to measure the effectiveness of the safeguards and overall security of the organization.
Typical third-party risk assessments can involve a questionnaire, technical testing, and sometimes even an on-site assessment.
The questionnaire’s questions usually align with a security best-practice framework, so that the answers show how closely the third party being assessed complies with that framework.
Your organization might also ask for documentation that supports the answers given, especially for those third parties or vendors that can access more sensitive data.
In addition to administering a questionnaire, a risk assessment might include additional testing of the third party’s technical environment to validate their technical safeguards.
This might include a vulnerability scan, penetration testing, or a combination of both.
Your security team can ask to perform these assessments itself, or you have the option of requesting the report or results from a recently completed technical assessment.
There may also be instances where you might visit the third party for verification of specific safeguards and overall security practices on-site.
4. Integration with Overall Risk Management
Third-party risk management is usually part of your organization’s overall security risk management program, which means that there are aspects of the overall risk management program that overlap.
After assessing your third parties, the results of these measurement activities need to be collected into a report for presentation to stakeholders.
Key decision-makers in your organization should be able to see and review the risks of individual vendors and suppliers, as well as all risk on an aggregated basis, to get an understanding of the best way to move forward.
There are typically three ways to treat or address risks identified in the third-party assessment process: accept, reduce, or transfer.
Risk acceptance is what it sounds like: the organization accepts that a risk exists in a related third-party environment. Risk reduction typically involves a remediation project, followed by a later check of the third party’s environment to confirm the fix. Risk transference is usually done with a cyber insurance policy.
Once your organization decides how to handle the identified risks, both the risks and the resulting decisions should be documented in a centralized risk register.
Risks from every aspect of your organization’s risk management program should be entered into the risk register, so your organization can keep track of them and any associated remediation activities over time.
For any third parties that require remediation, it’s common for your organization to work with them to develop a remediation plan according to the timelines of both companies and their resources. Your organization should also plan on following up with third-party remediation tasks over time to ensure their execution.
An organization’s security program changes constantly over time. Your third parties should be monitored and re-assessed on a regular basis, usually annually.
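The banding step, the risk register with its accept/reduce/transfer decisions, and the annual re-assessment cadence described above, combined into one added example. This is illustration code, not the article’s or any product’s implementation; the tier rules, the mapping from tier to assessment depth, the vendor names, findings, severities and dates are all constructed assumptions.

```python
"""Vendor banding plus a minimal third-party risk register (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

TODAY = date(2024, 6, 1)  # constructed reference date for the sample data


class DataClass(Enum):
    """Most sensitive class of data the vendor handles on our behalf."""
    NONE = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    PII = 3


class Tier(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Vendor:
    name: str
    direct_network_access: bool  # VPN, remote support, API into our systems
    data_handled: DataClass


def band(vendor: Vendor) -> Tier:
    """Assign a tier from access level and data sensitivity (constructed rules)."""
    if vendor.direct_network_access or vendor.data_handled is DataClass.PII:
        return Tier.HIGH
    if vendor.data_handled is DataClass.CONFIDENTIAL:
        return Tier.MEDIUM
    return Tier.LOW


# Assessment depth grows with the tier; LOW vendors get only the questionnaire.
ASSESSMENT_STEPS = {
    Tier.LOW: ("questionnaire",),
    Tier.MEDIUM: ("questionnaire", "supporting evidence"),
    Tier.HIGH: ("questionnaire", "supporting evidence", "technical testing", "on-site review"),
}


class Treatment(Enum):
    ACCEPT = "accept"
    REDUCE = "reduce"
    TRANSFER = "transfer"


@dataclass
class RiskEntry:
    vendor: str
    finding: str
    severity: int                     # 1 (low) .. 5 (critical)
    treatment: Treatment
    opened: date
    follow_up: Optional[date] = None  # when we re-check the third party's fix
    remediated: bool = False

    def __post_init__(self) -> None:
        # A reduction without a planned follow-up is a fix nobody will verify.
        if self.treatment is Treatment.REDUCE and self.follow_up is None:
            raise ValueError("a reduction needs a follow-up date")


class RiskRegister:
    """Central register: every third-party finding and its treatment decision."""

    def __init__(self) -> None:
        self.entries: list[RiskEntry] = []

    def add(self, entry: RiskEntry) -> None:
        self.entries.append(entry)

    def aggregate_by_vendor(self) -> dict[str, int]:
        """Sum of open (unremediated) severity per vendor, for the stakeholder view."""
        totals: dict[str, int] = {}
        for e in self.entries:
            if not e.remediated:
                totals[e.vendor] = totals.get(e.vendor, 0) + e.severity
        return totals

    def overdue_remediations(self, today: date) -> list[RiskEntry]:
        """Reductions whose follow-up date has passed without confirmation."""
        return [e for e in self.entries
                if e.treatment is Treatment.REDUCE and not e.remediated
                and e.follow_up is not None and e.follow_up < today]


def reassessment_due(last_assessed: date, today: date, interval_days: int = 365) -> bool:
    """Annual re-assessment cadence; interval is a configurable assumption."""
    return today - last_assessed >= timedelta(days=interval_days)


# Constructed sample inventory (fictional vendors).
VENDORS = [
    Vendor("payroll-saas", False, DataClass.PII),
    Vendor("msp-remote-support", True, DataClass.CONFIDENTIAL),
    Vendor("analytics-vendor", False, DataClass.CONFIDENTIAL),
    Vendor("office-supplies", False, DataClass.NONE),
]


def build_sample_register(today: date = TODAY) -> RiskRegister:
    """Constructed findings from the sample assessments."""
    reg = RiskRegister()
    reg.add(RiskEntry("payroll-saas", "MFA not enforced for admin portal", 4,
                      Treatment.REDUCE, today - timedelta(days=120),
                      follow_up=today - timedelta(days=30)))
    reg.add(RiskEntry("payroll-saas", "Pen-test report older than 12 months", 2,
                      Treatment.ACCEPT, today - timedelta(days=120)))
    reg.add(RiskEntry("msp-remote-support", "Shared support account", 5,
                      Treatment.REDUCE, today - timedelta(days=10),
                      follow_up=today + timedelta(days=60)))
    reg.add(RiskEntry("analytics-vendor", "No cyber insurance clause in contract", 3,
                      Treatment.TRANSFER, today - timedelta(days=5)))
    return reg


if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:20} tier={band(v).name:6} steps={ASSESSMENT_STEPS[band(v)]}")
    reg = build_sample_register()
    print("open severity by vendor:", reg.aggregate_by_vendor())
    print("overdue follow-ups:", [e.finding for e in reg.overdue_remediations(TODAY)])
```

The tier drives the assessment depth, the register keeps the decision next to the finding, and the overdue query is what turns "follow up over time" into a report a team can act on.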
Continuously monitoring your environment can also be done with specific tools or programs which we touch on in our article about automating third-party risk management.