Director, Information Security
Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.
Three Steps to Enhancing Your Third-Party Risk Program
In the world of third-party and vendor risk management, many new practices are being adopted. Over the past few weeks, members of Optiv’s third-party risk team have initiated conversations with key industry leaders through a series of roundtable discussions. These thought leaders own or participate in their organizations’ third-party strategies. During these sessions, we shared leading practices and principles, and identified a number of common trends.
It is clear that many organizations are looking to new practices and products while they mature their existing third-party risk programs, which range from “aware” to “strategic.” Organizations are basing their program decisions on regulations and incorporating new practices to enhance the capabilities of their programs. As part of our blog series on third-party risk management (TPRM), we will share some best practices we are seeing organizations apply to enhance their TPRM programs.
#1 Understand Tried and Tested Leading Principles and Practices.
- Understand the Risks: Perform all necessary due diligence on third parties prior to signing a contract. Consider:
  - Including appropriate questionnaires based on relevant control framework(s).
  - Validating key controls by requesting evidence that backs up assertions.
  - Performing a site visit to further validate controls and to observe physical security.
- Evaluate Contracts: During contract negotiation remember there are three points to every contract:
  - Negotiation – Close the gaps between what you require from a vendor versus what you observed in the risk assessment phase.
  - Operational – Ensure that operational and security SLAs are in place, as well as means for vendors to periodically demonstrate control efficacy.
  - Exit – Incorporate terms for exiting the relationship, including reasons for exiting and mechanisms for data return and data destruction.
- Define Responsibilities: You can outsource operations but not accountability – know your responsibilities and your vendors’ responsibilities, and ensure they are all clearly defined and described in documentation and contracts.
- Ensure Business Alignment: Success comes from partnering with your business as well as with the third party. Ensure you are in alignment with operational processes, service levels, roles and responsibilities.
- Manage Your Third-Party Risk: Ensure that the third party has appropriate preventive controls, detective controls and incident response procedures including communication with its customers.
- Approach with Leading Essential Practices: Whatever your organization is required to do for the protection of critical data, delivery of critical services and incident response, ensure that third parties are required to operate to all of those standards. Where they fall short: negotiate improvements on their part, change how you work with them or find another third party.
#2 Ensure Your Third-Party Risk Program Runs In Sync With Your Overall Risk Program.
A popular mantra used over the years is Prevent, Detect and Respond. While this is a good approach, in today’s environment we can leverage a newer mantra: Predict, Prevent, Detect, Respond and Recover.
- Predict: Determine when the likelihood of a third-party breach is rising.
- Prevent: Identify the steps you can take to minimize the probability and/or impact of a third-party security breach. Understand how to prevent a third-party breach and document why repetitive security reviews and due diligence are necessary.
- Detect: Develop a program to detect a third-party incident or breach.
- Respond: Gauge the impact of a third-party breach and learn how to address breach disclosure. Be sure to get guidance on who should be involved and how quickly they should be involved in the process. We recommend you develop incident response playbooks in coordination with critical third parties in advance of a breach.
- Recover: Build a recovery plan, whether through internal expertise or outsourced consulting.
#3 Maintain Your Focus When Building Your Program.
- Risk Assessment/Management: Managing the risk of third parties consists primarily of understanding and measuring each third party’s controls, relationship risk (how critical the third party is to your organization’s operations and security) and inherent risk (including the financial health of the third party as well as geopolitical risk). Next steps are risk treatment: mitigation, avoidance or transferring the risk to another party through insurance coverage.
- Contracts: Third-party relationships are governed by contracts between the two parties. It is essential to have the right conditions in the contract from day 1. For established relationships, your best approach is to introduce needed security T&C’s at contract renewal time. However, if applicable regulation requires security T&C’s that can’t wait until renewal time, you’ll have to begin a discussion with affected third parties to develop and execute out-of-band security addendums.
- Incident Response: A good incident response plan is always a best practice in organizations, but few are focused on handling a breach at a third party.
In a future article in this series, we will discuss how to use these principles across governance, operations and incident response.
Director, Risk and Threat Management
James Robinson is responsible for our internal information risk management and threat management programs within information security and is a member of the Office of the CISO for Optiv. Robinson uses real world experiences to help enterprise-level organizations to solve their security and related business issues. He also develops and delivers a comprehensive suite of strategic services and solutions that help CXO executives change their security strategies through innovation.