Reviewing Third-Party Security Controls

By James Christiansen ·

In our last blog post, we discussed how to secure your house against theft—that is, how to protect your organization against third-party risks. Luckily, you don’t have to put bars on all the windows and station guard dogs at every entrance.

An intelligent review of the relative risk of each third party can help you assign the right level of protection. This is good news, indeed, if your list of third parties is long and growing by the day.

Each third party can be mapped to one of three risk tiers, which determines the level of due diligence you perform on that third party. By due diligence we mean a review of a third-party’s security controls.

To start, each third party, regardless of its risk tier, submits a self-attest on their security controls. This is akin to a homeowner submitting a statement to their insurance company that they have a fire and alarm system installed in their home. After that, the risk tier determines the next actions to take.

Third parties in Tier 1 pose the highest level of risk to the organization. The risk can be in the form of revenue risk (e.g. strategic importance), information risk (e.g. intellectual property), operations risk (e.g. delivery of goods and services), and/or legal and regulatory risk (e.g. PII, PHI, etc.). You’ll need to perform a full, onsite validation of their security controls—including information and physical security—as well as business continuity, regulatory and industry compliance, and privacy.

There is no doubt that Tier 1 reviews are expensive in terms of money and labor, but it makes good business sense. A sound validation plan covers these questions:

•  What are the controls of most concern?
•  How can I verify they are functioning properly?
•  What kind of evidence can they produce?
•  What risk is acceptable and what is not?

Rather than going onsite, Tier 2 reviews are electronic validations of the most important security controls—including policies, user access controls, penetration tests, vulnerability management or threat management. The services being provided also determine the importance of certain security controls. If the third party is providing a hosting environment, then business continuity would be important. For an outsourced development project, make sure they secure the new software code and they are developing secure code (e.g. OWASP compliant). For secured storage, the physical controls are key.

The important concept is that the level of due diligence should match the information risk. For Tier 2 reviews most of the evidence of security controls are digital, therefore the expense of staff traveling to inspect those controls is not needed to match the level of risk.

For Tier 3, the lowest level of risk, no further due diligence is required beyond reviewing the third party’s self-attest statement to determine if they meet your requirements for security and keep them honest with the promise of a random audits.  Depending on how risk adverse your organization is will determine the thresholds for each risk tier.

Your reviews should use industry standards to measure the effectiveness of a third party’s security controls. These include:

•  ISO27001/2 Standard—12 key controls that encompass security practices
•  National Institute of Standards and Technology (NIST)
•  PCI Standard

How often these reviews are conducted depends on the risk tier of a third party. That being said, you should definitely review:

1.  During the RFP process.
2.  When the relationship risk changes, such as when you first provide a third party access to confidential data. Any change in the relationship will affect the inherent risk of that third party and, thus, requires a fresh review.
3.  When a government or industry regulation changes.
4.  When the business profile risk changes that impacts the inherent risk. Financial stress, a major lawsuit, and loss of insurance coverage are some examples that would increase the business profile risk.
5.  At least annually.

Aside from these guidelines, a security controls review should occur as often as the risk requires. At the very least, we recommend that you check in with Tier 1 and Tier 2 third parties once a month to remind them of their security obligations and ensure incident response contact information is current.

A controls review may reveal that a third party is not meeting your—or regulators’—standard of security. You have to decide if you can live with it, or provide the third party with a required list of improvements and deadlines. And, of course, follow up on those deadlines.

You will never eradicate third-party risk, but you can manage and mitigate it. The risk tiers provide a methodology of how much and when to perform due diligence. They also provide peace of mind knowing that, no matter how long your list of third parties is, you can satisfy the security requirements of regulators and protect your customers.  Doing nothing is not an option. Similar to your own security posture, it is not a question of if, but when one of your third parties will suffer a security breach. Be sure that you have completed the proper due diligence to defend your organization from the lawsuits that are sure to follow.


James Christiansen

Vice President, Information Risk Management

James Christiansen is a seasoned business leader with deep technical expertise and is recognized as a global thought leader. As the vice president of information risk management and member of the Office of the CISO, Christiansen helps CXOs make executive decisions based on the balance of risk and cost. He is responsible for developing and delivering a comprehensive suite of strategic services and solutions to help CXO executives change their security strategies through innovation.