What is a Third Party
Third parties generally refer to external entities with whom you enter into contractual agreements to deliver products or services. These external partners may offer essential services to support your business operations or extend services to your clientele on your behalf. Examples of third parties encompass a diverse range of entities, such as internet service providers, financial institutions, software vendors, building maintenance companies, and others.
Reasons for Managing Third Party Risk
- Breach Liability – A security incident with third parties may impact your business operations. If third parties have access to your data or your customers’s data, you may be liable for handling data breaches that occurred on a third party network.
- Compliance – Many data privacy regulations require compliance wherever the data is stored, processed and utilized. A third party having access to privacy related data may be part of the scope of work you have to do to meet regulatory compliance.
- Resilience of Supply Chain – Disruptions in supply chain may be detrimental to your business. Managing third party risk is essential for a reliable supply chain.
Have a Risk Management Program
If you have a corporate information security risk management program, it can provide you a basis for managing third party risk. Managing the lifecycle for third parties is very similar in many ways to managing other information security risks. Make third party risk as part of the overall risk management program and follow a risk management lifecycle starting from risk identification, categorization, assessment, mitigation and closure.
Define Third Party Risk Management Standard and Processes
Building a third party risk management standard should be one of the first steps for CISOs. A standard provides clarity and consistency for all stakeholders and goes a long way towards achieving maturity. Following are some of the components that should be part of the standard.
- Clearly define purpose of the standard
- Define categories for third parties
- Contractual arrangement with third parties
- Onboarding and offboarding of third parties
- Perform assessments for a third party
- Frequently assessments will be performed
- Monitoring and oversight of third party risk
- Third party compliance management
- Define a list of artifacts needed from third parties and the frequency at which these are required.
- Define third party “trust levels” and minimum technical requirements for each level. This will help determine which of the third parties can be given access to network, data, and other assets based upon the trust level.
- A RACI matrix for all stakeholders
Categorize Third Parties
Some third parties carry significantly more risk than others, and need more attention for risk management. Categorization of third parties may be based upon factors such as:
- Criticality for business operations – Who is critical to your business processes such that without this third party business will cease to function.
- Access to data – Who has access to your corporate, employee or your customer data.
- Direct connectivity to network or Cloud – Who has direct connectivity into your network or to your Cloud environments with possibility of a breach on the third party environment can directly spill over into your environment.
- Type of relationships with the third party – Do you consume services, use source code or software libraries, use a third party for data processing, and so on.
Based upon these and other factors, you can define a list of categories to prioritize assessments.
Automation and Tools
Historically simple tools such as questionnaires and spreadsheets have been used for third party risk assessment. To reduce management overhead, some information for third parties can be collected and assessed with automated tools and publicly available information.