Critical Areas in Evaluating Third-Party Risks

February 4, 2021

  • The recent FireEye and SolarWinds hacks have placed third-party security back in the spotlight.
  • As organizations continue to expand their third-party networks, the threat landscape continues to grow.
  • This post addresses key areas organizations should evaluate when reviewing or building out third-party risk management programs.

 

By now, you’ve likely heard about recent security attacks affecting FireEye and SolarWinds and the resulting impact on their customers. These unfortunate events have prompted many organizations to look at their third-party risk management (TPRM) programs to reevaluate their current and future exposure to similar attacks.

 

Digital and business transformation pressures have driven many organizations to rely upon third parties to maintain or enhance their business model objectives. As companies continue to rely on third-party products and services, it’s critical that their customers have a clear understanding of how and where these services are used.

 

There’s no questioning the value of the efficiencies and enhancements third parties bring to the table, but relying on the effectiveness of unknown information security controls represents increased risk. While TPRM review processes provide a level of confidence, they aren’t foolproof and failures can occur. And as we all know, being compliant doesn’t guarantee security. Assessments like a SOC2 report can be an indicator of program maturity; however, these activities cannot be relied upon entirely to ensure effective or authoritative due diligence.

 

Image
Risk_TPRMProgram_Image-02

 

These include:

 

  • Third-Party Risk Tiering – Not all third parties are critical to your organization's day-to-day operations, nor do they access the sensitive data that increase overall risk. For this reason, risk tiering third parties allows you to apply appropriate controls and monitoring in a more efficient and effective manner. Tiers can be based on access to sensitive data, business operations, revenue dependencies, volume or a number of other variables.

  • Inherent Risks, including:
    • Data Access
      • PII, PHI and ePHI (sensitive data)
      • Financial
      • Intellectual Property

    • Administrative Access
      • Administrative access to:
        • Control systems
        • Network systems
        • Applications
        • Service accounts

    • Critical business functions
      • Manufacturing
      • Control systems
      • Health and welfare
      • Physical security
      • Safety

    • Third-party suppliers/downstream providers

    • Locations of your critical third parties
      • Political risks
      • Natural disasters
      • Supply chain disruption

  • Contractual Agreements – TPRM can be strengthened on the contracts between your organization and the third party, including clauses regarding your right to assess the third party, security obligations the third party is responsible for, and finally your indemnification capabilities should an incident occur with a third party.

    • Contracts should provide the organization with the right to audit the security posture of third-party service provider(s).
    • Service level agreements (SLAs) should explicitly provide for the appropriate time to notify of incidents.
    • Third party agreements should state accountability / ownership of security.

  • Third-Party Risk Due Diligence – Before onboarding any third-party provider, it’s important to perform due diligence. During this process, organizations should submit security questionnaires, review security credentials (e.g. attestation and compliance, certifications) and perform deep dives into the processes that will have the greatest effect on the organization.

    • Establish and document the process of third-party due diligence
    • Validate if the current due diligence rigor is adequate for your critical third parties
    • Track and verify any remediation efforts of the third party prior to onboarding

  • Third-Party Risk Monitoring – After the third party has been onboarded, it’s important to put some form of monitoring in place. Monitoring can be as simple as an annual security questionnaire for low-risk vendors and can include full onsite security audits of your most critical vendors. It is critical to have formal processes in place to:

    • Monitor third party suppliers
    • Perform threat intelligence and monitor associated feeds covering critical suppliers
    • Validate and review third-party supplier risk reports

 

The use of third parties provides organizations with valuable tools and resources needed to run the business; however, they add surface area to your environment. Having a TPRM program in place and operating effectively is your only means of protecting your environment while enjoying the benefits of third-party suppliers.

Craig Snyder
Principal Consultant | Optiv
Craig Snyder has over 25 years’ experience working with Fortune 100 companies in governance, risk and compliance management to help enterprises improve their security program posture, achieve critical compliance objectives and manage risk effectively across the enterprise. Snyder has proven capabilities to assist clients in developing security strategies to drive accelerated definition, delivery and adoption of risk-based industry best practices.

At Optiv, Craig currently assists clients to achieve strategic risk management and compliance objectives facilitating opportunities to drive innovation, meet business goals and maximize business value from technology investments.
Jonathan Prewitt
Senior Manager | Optiv
Jonathan Prewitt is a highly skilled risk management leader with over 18 years of experience designing, implementing, and running risk management programs for the companies and clients he serves. His background spans multiple industries including financial services and technology, biotechnology, manufacturing and technology. This industry experience has given Jonathan a unique outlook that he brings to all his clients.

Prior to joining Optiv, Jonathan was an advisory manager with a Big 4 consulting firm and led the organizational risk program for a global cloud hosting provider.