Critical Areas in Evaluating Third-Party Risks

February 4, 2021

The recent FireEye and SolarWinds hacks have placed third-party security back in the spotlight. As organizations continue to expand their third-party networks, the threat landscape continues to grow. This post addresses key areas organizations should evaluate when reviewing or building out third-party risk management programs.

By now, you've likely heard about the recent security attacks affecting FireEye and SolarWinds and the resulting impact on their customers. These unfortunate events have prompted many organizations to look at their third-party risk management (TPRM) programs and reevaluate their current and future exposure to similar attacks.

Digital and business transformation pressures have driven many organizations to rely on third parties to maintain or enhance their business model objectives. As companies continue to rely on third-party products and services, it's critical that they, as the customers of those third parties, have a clear understanding of how and where these services are used. There's no questioning the value of the efficiencies and enhancements third parties bring to the table, but relying on the effectiveness of unknown information security controls represents increased risk.

While TPRM review processes provide a level of confidence, they aren't foolproof and failures can occur. And as we all know, being compliant doesn't guarantee security. Assessments like a SOC 2 report can be an indicator of program maturity; however, they cannot be relied upon entirely as effective or authoritative due diligence.

The key areas to evaluate include:

Third-Party Risk Tiering – Not all third parties are critical to your organization's day-to-day operations, nor do they all access the sensitive data that increases overall risk. For this reason, risk tiering third parties allows you to apply appropriate controls and monitoring in a more efficient and effective manner. Tiers can be based on access to sensitive data, business operations, revenue dependencies, volume or a number of other variables. Inherent risks to consider include:

- Data access
  - PII, PHI and ePHI (sensitive data)
  - Financial data
  - Intellectual property
- Administrative access to:
  - Control systems
  - Network systems
  - Applications
  - Service accounts
- Critical business functions
  - Manufacturing
  - Control systems
  - Health and welfare
  - Physical security
  - Safety
- Third-party suppliers/downstream providers
  - Locations of your critical third parties
  - Political risks
  - Natural disasters
  - Supply chain disruption

Contractual Agreements – TPRM can be strengthened through the contracts between your organization and the third party, including clauses covering your right to assess the third party, the security obligations the third party is responsible for, and your indemnification should an incident occur at a third party.

- Contracts should give the organization the right to audit the security posture of third-party service providers.
- Service level agreements (SLAs) should explicitly specify the time allowed for notifying you of incidents.
- Third-party agreements should state accountability and ownership of security.

Third-Party Risk Due Diligence – Before onboarding any third-party provider, it's important to perform due diligence. During this process, organizations should submit security questionnaires, review security credentials (e.g. attestations, compliance reports and certifications) and perform deep dives into the processes that will have the greatest effect on the organization.

- Establish and document the third-party due diligence process
- Validate that the current due diligence rigor is adequate for your critical third parties
- Track and verify the third party's remediation efforts prior to onboarding

Third-Party Risk Monitoring – After the third party has been onboarded, it's important to put some form of monitoring in place. Monitoring can be as simple as an annual security questionnaire for low-risk vendors and can extend to full onsite security audits of your most critical vendors. It is critical to have formal processes in place to:

- Monitor third-party suppliers
- Perform threat intelligence and monitor the associated feeds covering critical suppliers
- Validate and review third-party supplier risk reports

The use of third parties provides organizations with valuable tools and resources needed to run the business; however, they add surface area to your environment. Having a TPRM program in place and operating effectively is your only means of protecting your environment while enjoying the benefits of third-party suppliers.

By: Craig Snyder, Principal Consultant | Optiv

Craig Snyder has over 25 years' experience working with Fortune 100 companies in governance, risk and compliance management to help enterprises improve their security program posture, achieve critical compliance objectives and manage risk effectively across the enterprise. Snyder has proven capabilities to assist clients in developing security strategies to drive accelerated definition, delivery and adoption of risk-based industry best practices. At Optiv, Craig currently assists clients in achieving strategic risk management and compliance objectives, facilitating opportunities to drive innovation, meet business goals and maximize business value from technology investments.

By: Jonathan Prewitt, Senior Manager | Optiv

Jonathan Prewitt is a highly skilled risk management leader with over 18 years of experience designing, implementing and running risk management programs for the companies and clients he serves. His background spans multiple industries, including financial services, technology, biotechnology and manufacturing. This industry experience has given Jonathan a unique outlook that he brings to all his clients. Prior to joining Optiv, Jonathan was an advisory manager with a Big 4 consulting firm and led the organizational risk program for a global cloud hosting provider.