Skip to main content

Three Steps to Enhancing Your Third-Party Risk Program

April 06, 2017

In the world of third-party and vendor risk management, many new practices are being adopted. Over the past few weeks, members of Optiv’s third-party risk team have initiated conversations with key industry leaders through a series of roundtable discussions. These thought leaders own or participate in their organizations’ third-party strategies. During these sessions, we shared leading practices and principles, and identified a number of common trends.

It is clear that many organizations are looking to new practices and products while they are maturing their existing third-party risk programs that range from "aware” to “strategic.” Organizations are mapping their program decisions based on regulations, and incorporating new practices to enhance the capabilities of their programs. As a part of our blog series on third-party risk management (TPRM), we will share some best practices we are seeing organizations apply to enhance their TPRM programs.

Enhancing-Third-Party-Risk-Management

#1 Understand Tried and Tested Leading Principles and Practices. 

  • Understand the Risks: Perform all necessary due diligence on third parties prior to signing a contract. Consider:
    • Including appropriate questionnaires based on relevant control framework(s).
    • Validating key controls by requesting evidence that backs up assertions.
    • Performing a site visit to further validate controls and to observe physical security.
  • Evaluate Contracts: During contract negotiation remember there are three points to every contract:
    • Negotiation – Close the gaps between what you require from a vendor versus what you observed in the risk assessment phase. 
    • Operational – Ensure that operational and security SLAs are in place, as well as means for vendors to periodically demonstrate control efficacy. 
    • Exit – Incorporate terms for exiting the relationship, including reasons for exiting and mechanisms for data return and data destruction.
  • Define Responsibilities: You can outsource operations but not accountability – know your responsibilities and your vendors’ responsibilities, and ensure they are all clearly defined and described in documentation and contracts.
  • Ensure Business Alignment: Success comes from partnering with your business as well as with the third party. Ensure you are in alignment with operational processes, service levels, roles and responsibilities. 
  • Manage Your Third-Party Risk: Ensure that the third party has appropriate preventive controls, detective controls and incident response procedures including communication with its customers.
  • Approach with Leading Essential Practices: Whatever your organization is required to do for the protection of critical data, delivery of critical services and incident response, ensure that third parties are required to operate to all of those standards. Where they fall short: negotiate improvements on their part, change how you work with them or find another third party.

#2 Ensure Your Third-Party Risk Program Runs In Sync With Your Overall Risk Program. 

A popular mantra used over the years is Prevent, Detect and Respond.  While this is a good approach, in today’s environment we can leverage a newer mantra: Predict, Prevent, Detect, Respond and Recover.  

  • Predict: Determine when the likelihood of a third-party breach is rising.
  • Prevent: Identify the steps you can take to minimize the probability and/or impact of a third-party security breach. Understand how to prevent a third-party breach and document why repetitive security reviews/due-diligence is necessary.
  • Detect: Develop a program to detect a third-party incident or breach.
  • Respond: Gauge the impact of a third-party breach and how to learn how to address breach disclosure. Be sure to get guidance on who should be involved and how quickly they should be involved in the process. We recommend you develop incident response playbooks in coordination with critical third parties in advance of a breach.
  • Recover: Build a recovery plan, whether through internal expertise our outsourced consulting.

#3 Maintain Your Focus When Building Your Program. 

  • Risk Assessment/Management: Managing the risk of third parties consists primarily of understanding and measuring each third party’s controls, relationship risk (how critical the third party is to your organization’s operations and security) and inherent risk (including the financial health of the third party as well as geopolitical risk). Next steps are risk treatment: mitigation, avoidance or transferring the risk to another party through insurance coverage.
  • Contracts: Third-party relationships are governed by contracts between the two parties. It is essential to have the right conditions in the contract from day 1. For established relationships, your best approach is to introduce needed security T&C’s at contract renewal time. However, if applicable regulation requires security T&C’s that can’t wait until renewal time, you’ll have to begin a discussion with affected third parties to develop and execute out-of-band security addendums.
  • Incident Response: A good incident response plan is always a best practice in organizations, but few are focused on handling a breach at a third party.

In a future article in this series, we will discuss how to use these principles across governance, operations and incident response


    James Robinson

By: James Robinson

Vice President, Third-Party Risk Management

See More

Related Blogs

June 08, 2018

The Business Trusts the Third Party – Should You?

In this day and age we are faced with some hard facts within information security. One of those facts is that breaches are imminent and we must be pre...

See Details

June 06, 2014

How Do You Measure Third-Party Risk?

How often do thieves use the front door to commit a robbery? I don’t know from experience, but I’ve been told that most go through a window or back do...

See Details

June 04, 2014

Managing Third-Party Risk

Today, most organizations are outsourcing critical business operations to third parties. While internal business activities present a level of risk, t...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Related Insights

September 12, 2017

Third-Party Risk Program Assessment

Learn how to build a solid foundation for your third-party risk program.

See Details

July 05, 2017

Third-Party Risk Management-as-a-Service

Learn how to plan, develop and manage your third-party risk program.

See Details

March 16, 2017

OCC Updated Guidance on Third-Party Risk

Recently, the Office of the Comptroller of the Currency (OCC), released updated guidance for bank examiners as they scrutinize third-party risk progra...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.