Third-Party Risk Assessment

Sep 16, 2024

Vendor Management and Security

Introduction

  • Organizations work with various vendors (e.g., payroll, email marketing, travel departments).
  • Sharing data with third parties is common, necessitating risk assessments.

Risk Analysis

  • Perform a risk analysis to understand how each third party protects the data you share with it.
  • Include the risk assessment requirements in the contract to set clear expectations and penalties.

Penetration Testing

  • A common risk assessment type; similar to vulnerability scanning, but goes further by actively attempting to exploit the vulnerabilities found.
  • May be required by internal policy or contract.
  • Involves third parties specializing in penetration testing.
  • Includes a document called "rules of engagement."
    • Defines test scope, parameters, timing, and emergency contacts.
    • Specifies handling of sensitive information and in-scope devices.

Regular Audits and Right to Audit

  • Perform regular audits to ensure third-party security measures are up to date.
  • Audits can be part of compliance or best practice.
  • Audits are often conducted by an independent third party.
  • Focus on security controls like access management, off-boarding, passwords, and VPN access.

Supply Chain Security

  • Involves reviewing the entire process from raw materials to final product.
  • Security concerns exist at every step of the supply chain.
  • Example: SolarWinds incident where malware was distributed through a software update.

Supply Chain Analysis

  • Evaluate product/service delivery, group coordination, and technical security between organizations.
  • Document changes and assess risks.

Independent Assessments

  • External assessments provide different perspectives and insights into security.
  • Important for understanding broader security landscapes.

Due Diligence and Conflicts of Interest

  • Investigate third-party companies before entering into business relationships.
  • Conflicts of interest can arise from shared business interests, employing relatives, or offering gifts.

Ongoing Monitoring

  • Continuous monitoring is necessary to maintain a secure relationship with a third party over time.
  • Includes financial health checks, IT security reviews, and media monitoring.

Vendor Monitoring

  • Use questionnaires to gather information about vendor business processes and security measures.
  • Focus on due diligence, conflict prevention, disaster recovery, and data storage methods.

Summary

  • Vendor management involves detailed risk assessments, regular audits, and ongoing monitoring.
  • Security at both vendor and organization levels is crucial for maintaining data integrity and trust.