AuditBoard Adds Ability to Assess Third-Party Risk
AuditBoard today announced the availability of a third-party risk management extension to its CrossComply platform for managing compliance requirements.
Rajiv Makhijani, senior vice president for emerging products at AuditBoard, said as organizations become more dependent on third parties, the odds there will be a data breach significantly increase. The Third-Party Risk Management extension to the company’s CrossComply platform provides a mechanism for information security, risk management and compliance teams to collaboratively evaluate and mitigate those risks, he added.
CrossComply is an automated workflow platform through which individuals are asked to answer questions that are then used to assess risk levels. The Third-Party Risk Management extension enables organizations to extend those automated workflows to third-party organizations.
In the wake of the COVID-19 pandemic more organizations have become dependent on a wide range of third-party services. However, each provider of those services manages data differently, so the risk levels each of them represents to an organization need to be carefully evaluated, noted Makhijani.
In addition, organizations also need to converge the management of business and cybersecurity risk as one now essentially informs the other, he added. Today the management of business and cybersecurity risk is all too often a disjointed process that revolves around a giant spreadsheet that is difficult to decipher, said Makhijani. There is no standard format for evaluating risks within most organizations, he noted.
Much to the bane of cybersecurity professionals, many end users today regularly copy data from one software-as-a-service (SaaS) platform to another with little regard for how secure those platforms might be. In many cases, the SaaS applications being employed have not been sanctioned by anyone, so the level of risk they represent to the organization is unknown. Cybercriminals, of course, are targeting those platforms because the amount of sensitive data they could possibly exfiltrate represents a major opportunity.
It’s not clear to what degree organizations may soon move to reduce their risk levels by consolidating the number of SaaS applications being employed. In many cases, organizations are using multiple SaaS applications that have redundant capabilities. It’s just too easy for end users to employ a SaaS application or some other type of external cloud service without express permission. Each new platform employed, of course, only increases the odds there will be a data breach.
The one thing that is for certain is that as the number of compliance mandates increases, the chances there will be an audit involving how data is managed and secured increase. In many cases, those audits are being required by larger companies that need to comply with, for example, a data privacy mandate that requires them to attest to the level of security applied to data regardless of where it resides.
Regulators and courts are not going to allow organizations that are subject to these mandates to simply blame a third party for mishandling data. The assumption now is that organizations as the stewards of the data they collect are always accountable for how that data is accessed, not just by whom, but also for what purposes.