Language
.svg)
.svg)
Working with third parties is an unavoidable security risk. It’s no longer possible for a modern organization to operate without any outside service providers, consultants, or vendors. However, every third party accessing your enterprise introduces the potential for a security breach. To safely work with these necessary third parties, you must assess their risk level and implement security policies and controls to mitigate that risk as much as possible.
A TPRM assessment, or third-party risk management assessment, is a way to identify and analyze third-party risks to your organization. Let’s discuss the best practices for using a TPRM assessment to protect your enterprise from third-party risks.
Your TPRM assessment should be custom-tailored to your organization, but that doesn’t mean you need to build one entirely from scratch. Standards-setting groups like NIST (National Institute of Standards and Technology) and ISO (International Organization for Standardization) provide frameworks upon which you can base your third-party risk management assessment. For example, NIST 800-161 provides specific guidance on how to identify, assess, and mitigate third-party and supply chain risks.
Using a framework ensures you have a comprehensive TPRM assessment and mitigation strategy. Combining the guidance from multiple frameworks or standards documents will give you a more robust TPRM assessment that accounts for your organization’s unique vendor environment without any coverage gaps.
For your TPRM assessment to be most effective, you need to identify and account for every third party your organization uses. Depending on the size of your company and the level of management and IT oversight, this could be a complicated and time-consuming process, because you may have departments or individual employees working with outsiders without your knowledge.
There are a few strategies for tracking down all third-party relationships within your organization. The first and easiest method is to send questionnaires to everyone in your company inquiring about the use of third parties. You could also ask your accounts payable office to make a list of all outgoing payments to vendors, contractors, and other outside entities so you can verify the information from the employee questionnaire. Application and dependency discovery tools can also help you track down all the third-party software, applications, web services, APIs, etc., that interact with your enterprise network.
As part of this identification process, you should also document which data and resources these third parties are supposed to have access to. Then, you need to conduct a privilege audit to determine what level of access they actually have so you can spot and remediate discrepancies. The best practice (for internal and third-party users alike) is to use zero trust security policies and the principle of least privilege to restrict access to the minimum resources required for the job at hand.
Once you’ve compiled information on all your third parties, it’s time to use your chosen framework to conduct a TPRM assessment. Each TPRM assessment looks a little different, but you’ll generally want to assess risk based on criteria such as:
Once you’ve completed your TPRM risk assessment process, you need to use the results to classify each third party based on their relative risk levels. You can use any classification scheme you want, such as colors (red, yellow, green) or simply high, medium, and low risk. These classifications will help you determine how to take action in the next step.
Simply identifying risks isn’t enough — you need to mitigate them. After you classify each of your third parties, you need to decide what to do (if anything) based on the results of the TPRM assessment. Any third party with a high risk designation should be prioritized for immediate action, whether that action is reconsidering a continued relationship or implementing more robust security controls and data governance policies. Medium-risk parties may need corrective actions at some point, and low risks require additional monitoring to ensure issues don’t develop later.
One of the biggest barriers to conducting TPRM assessments and implementing risk management policies is the time and effort involved. Developing an assessment process, identifying third parties, analyzing risk, and mitigating issues can take a long time and disrupt normal business activities. However, overcoming this barrier is critical to managing risk and preventing security incidents from crippling your organization. TPRM assessments should ideally be conducted regularly since your third-party risk landscape will evolve and change over time.
Automated tools can help you streamline the TPRM assessment and mitigation process to lessen the impact on your day-to-day business. In addition, TPRM automation allows you to monitor and assess third-party risk continuously. For example, you can automatically assess the risk of any new vendor, contractor, or partner before onboarding. You can also receive alerts whenever an existing vendor revises their security policies, starts working with a new fourth party, or makes any other changes that impact their risk to your organization.
While TPRM frameworks and best practices guide developing a robust third-party risk program, the best TPRM assessment will be custom-tailored to your organization’s unique environment, relationships, and business requirements.
.svg){kind=small}
.svg)
.png)
.png)
.png)
.png)
