Assessing Third-Party InfoSec Risk Management
Companies across multiple industries are outsourcing many of their operations to reduce costs, increase scalability and streamline operations. Information security (InfoSec) risk management with third parties, including outsourcing, requires persistence and consistency due to the primary business risk it presents. Third-party managers need to have insights into a variety of areas of information security, including how data is stored, shared and transferred securely with partners. Questions to answer: How is data protected? What are the vulnerabilities? How is the data deposed when no longer needed? What are the global, regional and local privacy regulations that must be followed?
With so much at stake, third-party managers must be diligent in assessing their relationships with all their vendors, suppliers, service providers and contractors. According to a report by Deloitte, more than 40% of organizations do not perform enhanced due diligence on third parties.
Examine Your Approach to Third-Party Risk Management
Here are four strategies to consider when considering a third-party risk management solution.
- Focus on contractual requirements pertaining to regulations
Getting all parties on the same page when it comes to compliance is critical. Focus on asking questions about the expectations surrounding external certifications. With so many rules about data (ISO/IEC 27001, PCI DSS, SOC 1, SOC 2, GDPR, California Consumer Privacy Act, HIPAA, etc.), examine contracts to ensure that all current business needs are being addressed. However, don’t overreach in this area and press a third-party vendor to potentially risk the confidentiality of other clients in your drive to implement your information security requirements. - Conduct regular on-site audits
Every InfoSec vendor your company works with poses a potential threat in one way or another. Regular audits are the only way to protect your company. Doing so ensures that both you and the third party are meeting the requirements that were agreed upon. Be sure to include a “right-to-audit” clause to conduct ongoing assessments. - Require proof and documentation
Is your partner meeting contractual requirements and adhering to regulations? Ask them to share their certifications and audit trail documentation with you to ensure they are. It’s critical that your partners have security controls in place and that continual monitoring is happening. Much of this content may be confidential information for your third party, so on-site audits or a remote screen-sharing review may be required since you will not retain copies of this information for security reasons. - Determine the value of a third-party risk manager
Over the years, I’ve seen an increase in companies that hire third parties to perform InfoSec risk assessments of their vendors and suppliers on their behalf. Hiring a neutral company may be unnecessary if your vendors and suppliers are already required to conduct audits and adhere to specific certifications. It’s worth noting that the certification processes for industry audits and certifications (such as ISO, PCI, SOC and HIPAA) are rigorous, and therefore additional third-party audits may be redundant and unnecessary if they are asking the same questions that a qualified auditor has already reviewed and attested as being compliant.
Protect Your Company, Partners and Customers
With so many global regulations and standards to follow—and the ongoing threat of cybersecurity breaches—it’s a challenge to continuously manage your third-party information risk. It’s important to cultivate a relationship between you and your third parties based on ‘trust, but verify.’ Being able to scale globally, adhere to global security standards and shield sensitive data from attackers is much easier when you have structures to strengthen your security practices.
