The Challenges of Managing Third-Party Vendor Security Risk

It’s no longer enough to secure your own company’s infrastructure; you now must also evaluate the risk of third-party vendors and plan and monitor for breaches there, too. Data breaches are reported in the news all the time, and more than 60 percent of them are linked to a third-party. When you’re a business owner, that is a scary statistic.

Third-Party Vendor Security Risks

A big part of your third-party risk management (TPRM) planning should be to follow the standard practice of assessing the risk and classifying each vendor. First, make a list of each vendor and determine how integrated they are with your company, what data is exposed to them and where the potential risks lie.

Next, classify each vendor into a category based on the type of risk, whether or not multiple risk areas exist with that vendor and what actions must be taken to remediate the risk.

The following is a potential list of classifications for organizing your third-party vendors:

• Strategic risk
• Credit risk
• Geographical risk
• Industrial risk
• Reputational risk
• Operational risk
• Transactional risk
• Compliance risk

Another way to look at it is to classify vendors based on the data they manage for you or your relationship with them. It is essential to know how the data is being stored, handled and secured now and later after you are no longer their customer.

To further classify your relationship to the vendor for planning your TPRM program, consider the following types of relationships:

• Infrastructure only ­– This is a limited relationship with the vendor providing only hardware, servers, drives and storage.
• Managed applications – This type of relationship extends into maintenance and management of the data and is focused on the software side of things.
• All data – With an all data relationship, your third-party vendor is heavily (Read more...)