As more organizations experience disastrous data breaches and supply chain attacks, third-party risk has emerged as a leading cause of information security breaches.
To better plan and be prepared for cybersecurity incidents, build a third-party management checklist based on recommendations and best practices for your organization.
What are Your Third-Party Risks?
For successful third-party risk management, it's important to review previous security incidents within the organization, especially in higher-risk departments such as finance and IT.
This helps you begin to build a clear plan outlining how your organization identifies and addresses third-party risk across all third parties.
Identify Risks
The first step in third-party risk management is identifying the risks associated with third parties' use of your data, including confidential data such as customer information, corporate financials and intellectual property. Consider every internal asset a third party can reach, from business bank accounts to customer contact details and network systems.
Quantify Risks
Once the main third-party risks are identified, quantify them by organizational area. By understanding the level of inherent risk before controls are implemented, you can improve your risk management and screening process for both new and existing third parties. With your risks firmly identified and quantified, your organization is ready to create and follow a best practices checklist for third-party risk management.
Third-Party Risk Management Checklist
1. Assess the Current Process for Third-Party Risk Management
Review the current vetting process for bringing on new third parties, as well as those risk management practices already in place. From there, you can focus resources on the most at-risk areas.
2. Document/Verify All Current Known vs. Unknown Third Parties—Vendors/Suppliers/Partners
Update your vendor lists and check old contracts to understand all the third parties you're working with or who may have access to confidential business information.
3. Evaluate New vs. Existing Vendors—Don’t Assume Anything
After developing a list of third parties across all departments, outline any gaps left by existing vendors to understand what you need in terms of new partners and suppliers. Ask questions about their current privilege levels because you may need to set stricter boundaries on what information they can and cannot see.
4. Prioritize Third Parties in Order of Risk
Take the time to evaluate which vendors are riskier than others. Estimate each third party's risk from the likelihood of a data breach and the expected cost of that breach, then assign a low, medium or high risk rating.
5. Review Fourth-Party Vendor Relationships
Ask third-party vendors for details on the fourth-party vendors they work with. You need to know what your vendor does with your information and who they share it with, because every additional party that handles your data extends your exposure beyond what you can directly assess.
6. Create Checklists/Questionnaires
Moving forward, build a detailed questionnaire for all third parties, including how much of your data they have access to, how they store and protect it, and any history of compromised data or security incidents.
7. Perform Screening, Onboarding, Diligence
When partnering with new third parties, you should have a clear screening and onboarding process to confirm how much data and infrastructure access they need and how they plan to protect your private information and intellectual property.
8. Assess Organizational Roles, Responsibilities and Manpower Allocated
Whether it's a vendor, partner, contractor or supplier, all third parties should be granted only the access level their work requires (least privilege), nothing more and nothing less. There's no reason to provide confidential information or system access when it's not necessary.
9. Adopt Platform Automation
Use automation to streamline third-party risk management activities and ensure all outside vendors are appropriately reviewed and documented.
10. Collect Vendor Data
Take advantage of automated tools to gather vendor data for a comprehensive view of risk areas. Use what you know about the vendor and any recent data breaches to make informed decisions about the future of your partnerships.
11. Monitor Third-Party Performance Activities
Ongoing monitoring provides insights into how a third party is performing and whether the risk is worth the reward. This monitoring may inform your decision to either stay with a current vendor or partner with a new provider instead.
12. Report Standardized Metrics—Monthly, Quarterly, Yearly
Prioritize regular metrics reports to evaluate the resources used for risk assessments and how many third parties are categorized as high risk.
13. Report Metrics to Leadership
Provide details on possible risk exposure to business area leadership in your organization, so you can work together to decide how to best approach third-party relationships while effectively managing cybersecurity risks.
Proactively Manage Third-Party Risk
Third-party risk will continue to be a major source of data breaches and cyberattacks, so a comprehensive third-party risk management structure is key to reducing organizational risk.
When working with all third parties, it's crucial to identify and quantify risks so you better understand where any additional risks or organizational vulnerabilities lie.
As part of your best practices checklist for third-party risk management, remember to document all communications and relationships between your business and third parties.
Prioritize stronger screening and onboarding, automate where you can, and establish regular monitoring and metrics reports to promote a higher level of risk management for third parties.
The more you invest in third-party risk management by dedicating the appropriate time and resources to both existing and new third-party relationships, the better you can protect your organization from potential cybersecurity threats.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.