Closer relationships with third-party vendors can improve and streamline business operations. But when service providers and contractors are given access to systems containing protected information or handle sensitive data sets, such as customer records, third-party risk management is paramount.
Due diligence in third-party risk assessment is crucial because an indemnity agreement can't realistically cover an organization's strategic, operational or reputational risks. And if the activities of a business partner or service provider put your data security efforts at risk of non-compliance, it's your company that's held accountable.
Review the risks
A third-party risk assessment helps you detect identity and access management issues and locate the necessary controls to include in a contractual requirement. This review process covers risk identification, assessment, measurement and monitoring procedures. It should be completed prior to engaging the third-party vendor, not treated as a formality after the fact. Business partners or contractors with greater privileges or autonomy to access internal resources and systems merit a more in-depth review than those with limited rights. The third-party risk assessment should involve personnel from various teams, such as internal audit, procurement, compliance, legal counsel, and IT administration and security.
To speed and simplify the process of assessing tens, if not hundreds, of third-party vendors, it's best to have them complete standardized documentation. Thankfully, there's no need to develop these from scratch: The Shared Assessments Program (SAP), a paid membership organization founded in 2005 by financial institutions and accounting firms, offers numerous tools. These are available for purchase or free with membership and include documents used by companies of all sizes for consistency and cost efficiency in vetting third parties. Large service providers routinely complete these assessments, which are based on a "trust, but verify" model.
By using SAP's Standard Information Gathering (SIG) questionnaire, your organization can obtain all of the information necessary to conduct an initial assessment of a service provider's IT, privacy and data security controls. You can filter the questionnaire for service types provided by different third-party vendors. A how-to guide is available to help with this process. (There are also guides that can help service providers respond to client-issued SIG questionnaires.)
The SAP Tools are based on international, federal, and industry standards such as ISO-27001/27002, PCI DSS and HIPAA. And they are constantly updated -- cloud security, mobile devices, fourth-party risk and software security were recently added, according to the organization's website.
Of course, self-assessments need verifying: The Shared Assessments Agreed Upon Procedures (AUP) allow answers provided by a third party in the SIG questionnaire to be validated by your organization or an independent assessment firm. They also set out the risk control areas to be evaluated as part of an onsite assessment and include a report template for collecting and reporting the results.
As part of any third-party review, it's important to establish whether security has true boardroom-level support. A good indicator of how genuine a third-party vendor is about security is the quality of its privacy practices and training programs. Are employees required to participate in data privacy and security awareness training? How frequently are they required to take refresher courses? A well-rehearsed security incident response plan and annual external security assessments are other signs that security is taken seriously.
Evaluate the providers
Management should use the third-party risk assessment to evaluate the controls of a prospective service provider to protect systems and data. The assessment can also serve as a negotiating tool when discussing contractual obligations. Knowing where risk points exist means additional safeguards can be requested to ensure sensitive data is properly protected. Documentation covering the risk assessment, details of controls in place to mitigate risks and agreed-upon compliance monitoring should be signed by the board and retained as a benchmark for future audits. Always ask for proof that remediation actions that resulted from vulnerabilities identified in the security audit have been carried out.
Assign an "owner" for each vendor relationship to oversee the monitoring process and check its adherence to the data protection and security standards set out in the contract. Tools such as the Brinqa Vendor Risk Management, a risk modeling and analytics framework, and Rsam, which is Web-based GRC software, support SIG questionnaire content, making the review process more manageable. EMC's RSA Archer Vendor Management Software also automates the oversight of third-party relationships and supports NIST Open Checklist Interactive Language 2.0 (OCIL), a framework for interpreting responses to IT security checklists.
Finally, remember that assessing third-party vendors is not a one-time event. Managing third-party risk is a complex and time-consuming task, but with the right tools many aspects can be automated. Third-party risk assessment is an area of information security that needs greater focus; it reduces the chances of a data breach and improves the overall security of identity and access management on today's interconnected systems.
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written many technical articles for SearchSecurity.com and other leading IT publications. He was formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS).