Third-party risk management (TPRM), also known as “vendor risk management,” is the process of managing risks introduced to your business by your organization’s vendors, suppliers, contractors, and service providers. Any outside party that plays a significant part in your company’s ecosystem or supply chain is considered a third-party vendor.
For example, say you work closely with a shipping agent who has access to all your customer information. By providing that access to this shipping agent, you may have streamlined your logistics, but you have also introduced potential risks stemming from this third-party relationship. (For instance, the agent might accidentally leak your customer data online.) Let’s take a look at how you can best monitor and remediate this risk.
How to establish a third-party risk management program: a step-by-step guide
Third-party risk management is similar to enterprise risk management: it begins with a risk assessment, followed by risk analysis and risk response, and it establishes continuous monitoring procedures as well as a remediation plan. Vendor risk management is an integral part of every information security risk management program.
Here are some points to get you started:
- Get buy-in from all departments, from senior management to the front desk staff. Focus especially on the finance, HR and legal departments, where the exposure is high and the cost of a data breach can be significant. Analyze and agree on a risk level that’s acceptable to everyone.
- Look closely at each link in your supply chain. Establish which ones are third-party relationships and which come with a high level of cybersecurity risk.
- Establish onboarding protocols and organize contractors by level of security clearance needed. The caterer for the summer party, for example, does not need the same level of clearance as the financial institution that’s managing payroll.
- Fill out a risk profile questionnaire for each contractor who’s part of your third-party ecosystem. Keep the profiles accurate by updating them on a regular basis.
- Carefully work compliance requirements into the onboarding processes and make sure your third-party risk management program examines the third parties’ use of their own contractors, also known as “fourth parties.”
A word on compliance: Third and fourth parties that have regulatory compliance issues may affect your business, too. Not only will non-compliance affect your workflow, but it can also result in fines and other penalties for your business.
Get to know your contractors and solidify your third-party relationships
Before onboarding a vendor or service provider, it’s important to perform your due diligence. You can start by having the vendor fill out a questionnaire that assesses the security of the vendor’s systems, networks, and processes.
When third-party risk assessment is undertaken as a collaboration with the service provider (rather than a game of gotcha), it can strengthen the relationship and also help streamline work processes.
Review your contracts carefully and make sure they assign responsibility in the event of a data breach and require third-party contractors to comply with the same regulations and industry standards that your organization must meet. It’s also reasonable to require a third party to tell you if they have been compromised.
Ongoing real-time monitoring is key
Effective third-party risk management requires ongoing monitoring of third-party risks, as vendor circumstances change throughout the lifecycle of the third-party relationship. Automation can be very helpful here, and there are software solutions that automate these tasks and keep you updated on any compliance issues that may arise along the way.
Which frameworks and regulators require third-party risk management?
A number of regulatory and compliance requirements affect third-party vendors, and may even serve as frameworks for managing vendor risk.
- The Health Insurance Portability and Accountability Act (HIPAA): Third-party risk management is specifically addressed in this federal law. Under HIPAA, electronic Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits must be protected against cyber threats, hazards, and unauthorized use or disclosure. Under HIPAA, vendor contracts must contain privacy and security assurances.
- System and Organization Controls for Service Organizations 2 (SOC 2): Third-party assurance of adequate risk and security controls is increasingly required by contracting organizations in the form of SOC 2 certification.
- The Payment Card Industry Data Security Standard (PCI DSS): Third-party risk management is an important part of this industry standard. PCI DSS requires compliance from “third-party service providers,” which it defines as any vendor that stores, processes, or transmits cardholder data on behalf of a client organization, and any vendor that could affect the security of the cardholder data environment.
- The Federal Risk and Authorization Management Program (FedRAMP): Third-party assessments are included in this federal program that spells out security standards for cloud-based technology providers bidding on government contracts.
- The General Data Protection Regulation (GDPR): Third-party risk management is required under this European Union law that applies to all entities that collect, process, store, sell, or share data belonging to EU residents. It states that organizations must take necessary steps to protect citizens’ data, including information shared with third parties (known as data processors). Third parties must also protect that data and must comply with all aspects of the GDPR.
- Control Objectives for Information and Related Technologies (COBIT): Vendor risk management using COBIT 5 is spelled out in detail in the Align, Plan, and Organize (APO) domain, from identification to monitoring and measuring. Control objectives include Manage Relationships, Manage Service Agreements, and Manage Suppliers.
- The Committee of Sponsoring Organizations (COSO) internal control framework: Many organizations use COSO to mitigate third-party risk. The framework helps organizations minimize risk overall with processes and improved controls, and it addresses third-party risk throughout the document.
In addition, the U.S. Office of the Comptroller of the Currency (OCC) provides guidance for financial institutions in its Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance.
Get the best risk management solution for your company.
At Reciprocity, a team of cyber security professionals is always looking out for you and your assets, making sure you get the best and most up-to-date risk management tools.
ZenGRC works in tandem with governance, risk management and ever-changing compliance demands to keep your business safe.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has manifested as a real threat.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can help your organization, contact us for a demo.