Organizations today are not closed off, independent entities. They are hyper-connected parts of bigger collaborative ecosystems. While these open ecosystems may feel risky or complex to manage, the greatest risk organizations face is not leveraging the opportunities they present.
Risks associated with third-party service providers can pose significant threats to your business operations, your sensitive data, and your overall cyber resilience. A strong Third Party Risk Management (TPRM) capability allows your organization to understand and manage those risks.
The European Commission recently enacted several laws and regulations to set a security baseline for outsourcing services to third parties:
As organizations rely more heavily on third parties, understanding and managing the security risks those third parties introduce becomes increasingly complex. Some common challenges are:
We advise our clients on TPRM and can also help them to implement and operate the TPRM capability to increase cyber resilience.
Advise:
Creating a third-party questionnaire with the right number of questions to cover the domains of information security, data privacy, and business continuity, and ensuring providers respond to it in a timely manner. Additionally, setting up an approach for the TPRM assessment team to review and score the vendor assessments, place reliance on certifications (ISO 27001, SOC 2, CSA, PCI-DSS, and HIPAA), and track and follow up on the progress of remediation by the providers.
Implement:
Providing training for IT and business assessors, and testing and installing a specialized TPRM tool to speed up response time, increase the response rate, generate customized reports with remediation plans, and track the remediation actions of the providers.
Operate:
Assessing a large number of existing third parties (post-contract) through a managed assessment service that delivers an assessment capability in compliance with relevant standards and regulations (ISO 27001, SOC 2, CSA, PCI-DSS, and HIPAA). Reviewing vendor self-assessments to identify potential vulnerabilities within the third-party ecosystem.
By evaluating the providers' security controls, policies, practices, and independent audit certifications, the client obtained an overall security, data privacy, and business continuity posture per provider, and was able to segment its outsourcing portfolio into brackets. This output allowed the client to define a customized follow-up plan per provider, ranging from in-depth audit, penetration testing, and activation of exit strategies for the non-performers, to negotiation of a remediation strategy with the medium performers, and a regular security assessment update with the good performers.