For the purposes of this post I’m focusing on Information Security assurance. There are other considerations around areas such as finance and legal that aren’t covered.
Depending on the sectors you operate in, organisations often face compliance requirements to provide assurance. The scale and complexity of managing this program can grow exponentially with the number of third parties involved.
Your key objectives will be to ensure that the third parties you work with adhere to your required standards and within your companies tolerance for risk (be that low or high).
Setting up a program
I’ve had the opportunity to work within organisations across the spectrum from small to large enterprises. They all face a similar challenge.A typical program includes the following components:
1. Risk assessment
Determine the level of risk associated with the third party. This involves assessing the risk severity posed by the third party according to the service provided.These normally consider aspects such as type of data involved, access to systems, applicable standards and regulations (compliance).
2. Security questionnaire
This is intended to ask questions related to standard controls that your company would expect. With the increasing compliance demands the length and complexity of these can be substantial.Consider having different versions depending on the nature of the relationship as well as the risk severity posed. Bear in mind these can be time consuming for both parties to complete and review.
There are standard options readily available that may suit your needs (i.e. Sig Lite). Alternatively you may want these to be based on your own policies / standards. This is more likely to be a requirement when you are in a heavily regulated industry.
3. Questionnaire review
Following a review of the third party you’ll want to identify any compliance gaps between their current security posture and the minimum you require. Any gaps need to be assessed and suitable recommendations / mitigations raised. Based on these you will need to agree and track a security program with the third party. Enforcement of such a program is most effective when it stipulated within a contract.4. Program management
You need to maintain oversight of third-party security programs. This will enable tracking of progress in addressing the agreed actions. Actions should be within agreed time periods and suitable levels of escalation followed if the third party fails to deliver to the agreed time-frames and standard.5. Contracts
Security standards need to be legally binding. This can be effectively enforced by including security SLA and / or OLA clauses within the contract.Third party management program
Relationships between parties will evolve over time to adapt to the needs of the organisation or as a result of changing external factors. As a result, it’s necessary to perform ongoing risk assessments of the third party to ensure they maintain adherence to your required standards.Some important aspects to consider:
- Use cases and therefore risk associated with an engagement will change over time;
- Security events / incidents may occur at the third party that require special attention;
- Third parties change – events such as a company takeover, executive or senior management change can change the direction and culture of an organisation;
- Policies / standards evolve to meet changing requirements, so should third party management;
- Companies may move into and out of compliance over time as standards / capabilities rise and fall;
- You’ll want assurance / evidence of any security certifications to ensure they are still relevant / valid;
- Automate aspects of the program – utilisation of tools / platforms can really improve the efficiency of the program;
- Provide reporting / oversight of the program to the senior stakeholders.
For most organisations it won’t be practical to perform comprehensive risk assessments of all third parties. Through a risk-oriented approach make sure to cover at least the highest risk ones.
The gap in available information security staff has been widely publicised. Despite this there are options open to every organisation to resource this type of program. This typically involves a hybrid of both internal and outsourced staff and services.
Important considerations
Accountability
It’s important to remember that Information Security are advising on the level of risk posed by a third party along with recommending actions that enable a reduction in the level of risk. This covers whether the expected requirements are being met and are within the risk tolerance of the organisation.The accountability associated with the risk does not sit with Information Security. If your business decides to progress with a third party that is above an accepted risk tolerance level, then ensure the appropriate level of accountability is taken. This is typically managed through a risk acceptance process.
Certifications
You’ll want to consider how much weighting you allow for certifications. This will likely vary according to a number of factors:- Coverage – are your control requirements sufficiently well covered;
- Scope – are the services you’re using fully, partially or not covered;
- Trust - are they attested by a trusted party or self-assessed;
- Validity – is it in date and can this be affirmed by a register.
Be aware that just because a company has a professional certification it does not guarantee they are secure or even managing security effectively. Be careful to not be over reliant on them.
Classification
Organisations will have a myriad of different types of third-party providers. Consider classifying them as it may not be suitable to perform the same type / level of assessment against each.There are a number of factors to consider such as:
• What is the type and volume of the data involved;
• Are the impacted services subject to compliance requirements;
• Will the third party need access to the corporate network;
• Do the company need to attend onsite facilities.
Lifecycle
It’s important to recognise that third party assurance is an ongoing process. Risk associated with third parties’ changes over time as the service and threats evolve.Management
The volume of third parties, questions / answers, evidence and assessments makes this an administration intensive exercise.It’s also important to not underestimate how much work is involved in collaborating with stakeholders, following up with questions and requesting evidence.
A program can be managed in spreadsheets, but this often adds considerable overhead in terms of time, coordination and administration. It may prove more cost effective to utilise a third-party management tool. Within medium to large organisations your risk, legal or procurement functions may already have a suitable tool you can use.
On-boarding
Information Security are often only one of a number a teams / departments involved in the on-boarding process. For the program to be effective ensure you integrate into your organisations on-boarding lifecycle.It’s far easier to influence and help reduce risk before a contract has been signed than after!
Prioritisation
Take a risk-based approach to identify your highest priority third parties. With limited resourcing make sure you focus on your highest risks first.Reporting
There are some important aspects of the program that you need to report on:• How many active third parties you have and at what level of classification / priority;
• How many third-party assessments have been completed;
• Your backlog of third-party assessments;
• A realistic projection of what will and won’t be covered given available resourcing;
• Identification of third parties (and reference to risk acceptances) that are outside of risk tolerance;
• Identify suitable KPIs / KRIs to help track the increasing / decreasing effectiveness and risk exposure.
This is your opportunity to communicate the level of risk associated with the third-party program as well as highlight limitations based on the afforded resourcing.
Resourcing
It’s best to take a risk-based approach to determine how you prioritise your resourcing. Every organisation faces a scarcity of skilled people combined with a limited budget.Be realistic about what you can achieve with the resources available to you. Spreading your resources too thinly often leads to a reduction in their overall effectiveness.
Due to the often-high level of administration involved consider what seniority of role you need to perform each task. Consider providing the lower skilled tasks to more junior positions or potentially outsource to a third party.
Final thought
Third party programs vary in size and complexity depending on the needs of the organisation. This highlights some key areas to consider and is based on my own experience of what does / doesn’t work. Even a fairly light program will help you to manage your third-party risk more effectively.It would be great to get your thoughts on the topics covered along with any experiences that you’ve had that can help others either setting up or managing their own program.
No comments:
Post a Comment