Third Party Risk Management: Best Practices for Protecting Your Business

At this time, nearly every business outsources some aspect of their operations. But it’s becoming increasingly tricky for organizations to ensure that third-party providers remain a source of strength for their business — not a weak link.

In a 2016 survey of 170 firms conducted by Deloitte, 87% of those firms experienced an incident with a third party that disrupted their operations, and a staggering 94.3% of them had low to moderate confidence in the tools they used to manage third-party risk.

Working with a third-party vendor is inherently risky — you are trusting a business whose practices and processes you can’t control. As businesses utilize third-party vendors more often and at a larger scale, the data security and privacy risks they face have also grown.

You don’t have to look hard to find examples of third-party data breaches. In the first half of 2019, data breaches exposed 4.1 billion records, and third-party breaches account for over half of all data breaches in the US.

When you’re working with a third-party service and trusting them with company, employee or customer data, you can’t afford to take any chances. You need to make sure you are working with the most reliable, high-performing, and safe solutions out there.

So, what approaches, systems, processes and procedures could you implement to protect your business while working with third parties? In this article, we’ll share some best practices you can implement to manage third-party risk in a systematic way. We’ll also cover the changing nature of third-party risk and the most common types of third-party risks.

Recent changes in third-party risk

Many factors contribute to the growing and changing risks businesses face when it comes to their third-party vendors. Here are the top ones:

1. Organizations are increasingly relying upon software from third-parties to run their business. For instance, many businesses use payroll, customer relationship management, and email marketing solutions that are readily available and don’t require engineering anything in-house. But this also means organizations are putting more of their data into third-party applications and creating more risk. 

2. In general, organizations have become more reliant on a network of collaborators (e.g., partners, suppliers, vendors, contractors) to get things done. Increased information sharing and collaboration have enlarged the attack surface for cyber intruders.   

3. Regulators have become more focused on how companies are managing outsourcing and third-party risk in general, and the fines for violations have, in some cases, reached hundreds of millions of dollars. Fines often come with negative publicity and damage a brand’s reputation, which can be more difficult to recover from than the monetary loss.

As a result, boards are more concerned than ever about how their organizations are handling third-party risk and consider third-party risk a top strategic risk. 

Common types of third-party risks

The risks faced when working with third parties are much the same as other business risks, and they usually fall into three categories:

  • Financial and Reputational: Fees or fines an organization must pay, plus the potential loss of income from the reputational hit that sometimes follows a data breach.
  • Legal and Regulatory: Third parties can negatively impact your organization’s compliance with legislation. For example, if you are working with a vendor or supplier who violates labor, environmental, data security, or other laws, you can also be found liable. 
  • Operational: A third party could disrupt your operations in any number of ways, whether it’s not providing the service you are paying for or through a data breach or outage that affects your data.

In some cases, these risks can overlap. A data breach, for example, is a regulatory threat, but it can also disrupt your operations if you rely on the third party’s product or service to carry out a business process. A third-party data breach can also cause financial and reputational damage to your company.

How organizations are addressing third-party risk today

Forward-thinking businesses do not evaluate third parties on a case-by-case basis. Instead, they put standards, policies, and systems in place to proactively mitigate risk on a continuous basis.

At this time, many organizations have deployed vendor risk assessment questionnaires to understand what risk management processes a vendor has in place, how they approach data security, and whether they can reasonably trust them to handle consumer data properly. However, a vendor risk assessment questionnaire shouldn’t be the only part of your third-party risk assessment.

The downside of these vendor risk assessment questionnaires is that they only offer a point-in-time snapshot of your vendors’ data security measures. Additionally, they’re a self-assessment, so you can’t independently verify a vendor’s answers. 

To increase due diligence on your vendors, you may consider conducting your own audits, at least on key vendors. For instance, Microsoft has created its own Supplier Privacy & Assurance Standards to instruct their suppliers on data privacy and protection and ensure their suppliers are compliant with those requirements.

Meanwhile, Adobe has a similarly structured program for its vendors. Adobe utilizes a vendor risk assessment program called Guardrails, which includes a set of requirements to which third-party vendors that collect, store, transmit, process, or dispose of sensitive data must adhere. The Guardrails Risk Assessment program evaluates each vendor’s compliance with Adobe’s Vendor Information Security Standard, providing a risk-based review of the vendor’s security practices and enabling Adobe managers to make fact-based decisions concerning whether or not to enter into a relationship with that vendor.

MX, a software company that creates software for financial and fintech companies, conducts a risk assessment when initially starting a relationship with a vendor and on an annual basis to identify any issues that need to be remediated. As part of this risk assessment, the services provided by a third party are evaluated to determine the types of data that will be processed by the third party. The level of sensitivity of data determines the depth of the security review performed on the third party. Findings from each security review are discussed with and provided to the third party to remediate within an agreed-upon timeframe. 
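The MX process above (let the sensitivity of the data a vendor processes set the depth of review, reassess on a schedule, and track each finding to an agreed remediation window) can be kept as a small tracker rather than a spreadsheet. The following is an added Python example, not MX’s or the article’s own code; the sensitivity scale, review depths, remediation windows and vendor records are all assumed or constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
# Tiering tables. All values are assumed; adapt them to your own data map and SLAs.
SENSITIVITY = {"public": 0, "internal": 1, "employee_pii": 2,
               "customer_pii": 3, "financial": 3}          # rank per data category
REVIEW_DEPTH = {0: ("none", None), 1: ("questionnaire", 24),
                2: ("questionnaire+evidence", 12), 3: ("full_audit", 12)}  # (depth, months)
REMEDIATION_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}  # agreed window

@dataclass
class Finding:
    severity: str
    opened: date
    closed: date | None = None
    def is_overdue(self, today: date) -> bool:
        # Still open past the agreed window; closed findings never count.
        deadline = self.opened + timedelta(days=REMEDIATION_DAYS[self.severity])
        return self.closed is None and today > deadline

@dataclass
class Vendor:
    name: str
    data_categories: set[str]   # data the vendor stores or processes (from the data map)
    last_review: date
    findings: list[Finding] = field(default_factory=list)
    def tier(self) -> int:
        # The most sensitive category the vendor touches sets the depth of review.
        return max((SENSITIVITY[c] for c in self.data_categories), default=0)

    def status(self, today: date) -> dict:
        depth, months = REVIEW_DEPTH[self.tier()]
        due = None if months is None else self.last_review + timedelta(days=30 * months)
        return {"vendor": self.name, "tier": self.tier(), "review": depth,
                "reassessment_overdue": due is not None and today > due,
                "overdue_findings": sum(f.is_overdue(today) for f in self.findings)}

# Constructed sample records; not real vendors or findings.
TODAY = date(2020, 1, 15)
VENDORS = [
    Vendor("payroll-saas", {"employee_pii", "financial"}, date(2018, 12, 1),
           [Finding("high", date(2019, 10, 1)), Finding("low", date(2019, 12, 1))]),
    Vendor("email-marketing", {"customer_pii"}, date(2019, 6, 1),
           [Finding("critical", date(2019, 11, 1), closed=date(2019, 11, 20))]),
    Vendor("status-page", {"public"}, date(2017, 1, 1)),
]

def assessment_report(vendors=VENDORS, today=TODAY) -> list[dict]:
    return [v.status(today) for v in vendors]
```

In the sample data, the payroll vendor lands in the top tier, is past its annual reassessment, and has one high-severity finding open beyond its 60-day window, while the public-only status page needs no review at all.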

What’s the most effective way to address third-party risk? 

When it comes to third-party risk management, there isn’t a one-size-fits-all approach. What makes sense for a large organization like Microsoft or Adobe almost certainly will not make sense for a three-year-old consumer-focused startup. However, here is a set of foundational items businesses of all types should consider:

1. Update your data map to include third-party vendors. Your data map is the foundation of your third-party risk management program, and it should include all consumer data your vendors hold. A clear view of what data your vendors can access and how they are using it will help you put the right agreements in place and ask for the right compliance information from each of your vendors.

2. Have a framework and defined process for assessing third-party risk. Instead of assessing vendors on a case-by-case basis, your organization should have a third-party risk assessment framework in place before you even begin researching vendors and know exactly what you expect from potential third-party service providers.

A good place to start with this is reviewing any past application vulnerability assessments you’ve done, and seeing where those vendors had issues. You should also consult your company’s compliance policies and requirements to make sure your vendor is able to meet the standards your company has set for itself.

3. Base your program on industry standards.

You can use vendor assessment programs from established enterprises (e.g., Microsoft, Adobe) as a starting point for your own vendor assessment framework. For instance, Adobe’s Vendor Assessment Program whitepaper lays out the types of security controls they assess for every third-party vendor that stores or processes company data. Below is a sample of these controls; some may make sense for your organization as well:

  • Assertion of Security Practices: Review of security certification attestation reports (SOC 2 Type II, ISO 27001) and internal security policies and standards 
  • User authentication: Password policies, access control processes, and support of multi-factor authentication 
  • Logging and audit: Details about system/app/network logs and retention periods 
  • Data Center Security: Physical security controls in locations where company data is hosted
  • Vulnerability and Patch Management: Cadence of external/internal vulnerability assessments and pen tests as well as timelines for vulnerability remediations
  • End-point protection: Policies that cover end-point security 
  • Data Encryption: Encryption of data at rest and in transit

In developing a vendor assessment framework, you may also find it helpful to look at some of the industry-standard cybersecurity risk management methodologies such as: 

  • SOC 2
  • ISO 27001
  • Consensus Assessment Initiative Questionnaire 
  • NIST Risk Management Framework 2.0 
  • NIST 800-171
  • VSA Questionnaire 
  • CIS Critical Security Controls 

You can extract thousands of potential questions from these frameworks and adapt them for your own vendor assessment questionnaire. If you do decide to build your own third-party risk management framework, UpGuard provides some good best practices for implementing a program that will help you establish a high-quality framework.

4. Develop structured vendor onboarding and offboarding processes. Just as you have an onboarding process for new employees to make them aware of your corporate policies, it is important to develop a standardized onboarding process for your vendors. In your onboarding process, you’ll want to make sure vendors understand your information security standards/policies and have agreed to adhere to those standards. 

For instance, if a vendor plans to have individuals conduct work on your behalf on their own personal devices, you’ll need to communicate your “Bring Your Own Device” restrictions on what data the vendor can and cannot store on those devices.

5. Consider security ratings. Security ratings allow you to monitor your vendors’ security posture, and that of their own vendors, in real time. If your organization uses many vendors, this will allow your organization to streamline the vendor assessment process, monitor for changes in security posture, and request remediation of key issues at high-risk vendors. Businesses such as BitSight do the work of evaluating vendors for you so you can ensure you’re partnering with secure, high-quality organizations.

6. Don’t wait until your framework is perfect to start using it. When it comes to risk management and compliance, implementing something is better than nothing. It’s common for compliance and data security programs to need updates, tweaks, additions, and adjustments as you find processes that aren’t working, encounter new risks, or become subject to new privacy requirements. So don’t wait until your vendor security framework is perfect – deploy it now and commit to consistent review and improvement.

The Future of Third Party Risk Management

In the next few years, we can expect more organizations to take a Microsoft-type approach and develop their own standards and audit programs for their suppliers and vendors. These assessments require a significant amount of work, but they offer better security and mitigate risk more efficiently than a questionnaire or informal discussion. 

If you’re selling a software application or processing sensitive client data, you need to be prepared to respond to these types of assessments. You may need to complete a vendor questionnaire, produce evidence of compliance such as a SOC 2 report or an ISO 27001 certification, or complete a more in-depth assessment of your data security and privacy measures to meet your clients’ requirements.

As demand and urgency to manage third-party risk continues to grow, organizations will need to find the right tools to help them manage the complexity and keep costs in check.  

How Hyperproof can help you manage third-party risk

Hyperproof is a compliance operations application that provides a single source of truth for an organization’s compliance program. You can use Hyperproof as the single source of truth for all vendor risk assessments, vendor security questionnaires and evidence of your internal compliance activities. Hyperproof is built to reduce administrative overhead from the entire process of collecting and managing risk and compliance information.

Instead of using email, spreadsheets, and file storage systems (e.g., G-Drive) to store and manage risk and compliance information of your vendors, you can keep your vendor risk assessment framework and questionnaires in Hyperproof, easily map responses from each vendor to the right question/control within your vendor questionnaire, and retrieve responses easily when you’re ready to verify or re-certify each vendor.  

If you’re interested in finding a more efficient way to manage third-party risk, we’d love to talk.

This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao.