Working with third parties is an unavoidable security risk. It’s no longer possible for a modern organization to operate without any outside service providers, consultants, or vendors. However, every third party accessing your enterprise introduces the potential for a security breach. To safely work with these necessary third parties, you must assess their risk level and implement security policies and controls to mitigate that risk as much as possible.

A TPRM assessment, or third-party risk management assessment, is a way to identify and analyze third-party risks to your organization. Let’s discuss the best practices for using a TPRM assessment to protect your enterprise from third-party risks.

TPRM Assessment Best Practices

1. Choose the Right TPRM Framework

Your TPRM assessment should be custom-tailored to your organization, but that doesn’t mean you need to build one entirely from scratch. Standards-setting groups like NIST (National Institute of Standards and Technology) and ISO (International Organization for Standardization) provide frameworks upon which you can base your third-party risk management assessment. For example, NIST 800-161 provides specific guidance on how to identify, assess, and mitigate third-party and supply chain risks.

Using a framework ensures you have a comprehensive TPRM assessment and mitigation strategy. Combining the guidance from multiple frameworks or standards documents will give you a more robust TPRM assessment that accounts for your organization’s unique vendor environment without any coverage gaps.

2. Identify All Third Parties

For your TPRM assessment to be most effective, you need to identify and account for every third party your organization uses. Depending on the size of your company and the level of management and IT oversight, this could be a complicated and time-consuming process, because you may have departments or individual employees working with outsiders without your knowledge.

There are a few strategies for tracking down all third-party relationships within your organization. The first and easiest method is to send questionnaires to everyone in your company inquiring about the use of third parties. You could also ask your accounts payable office to make a list of all outgoing payments to vendors, contractors, and other outside entities so you can verify the information from the employee questionnaire. Application and dependency discovery tools can also help you track down all the third-party software, applications, web services, APIs, etc., that interact with your enterprise network.

As part of this identification process, you should also document which data and resources these third parties are supposed to have access to. Then, you need to conduct a privilege audit to determine what level of access they actually have so you can spot and remediate discrepancies. The best practice (for internal and third-party users alike) is to use zero trust security policies and the principle of least privilege to restrict access to the minimum resources required for the job at hand.

3. Assess Third Party Risk

Once you’ve compiled information on all your third parties, it’s time to use your chosen framework to conduct a TPRM assessment. Each TPRM assessment looks a little different, but you’ll generally want to assess risk based on criteria such as:

• The level of access they need, both in terms of network privileges and physical access to your building, assets, etc. The more access they need, the riskier the relationship will be.
• The importance of the service they’re providing to your organization. Business-critical services are inherently riskier because any compromise or outage will have a larger effect on your organization.
• The reputation of the vendor, contractor, or other third party. For example, working with a well-established organization with a proven track record of success is less risky than going with an unknown startup.
• The third parties the vendor relies upon, who thus have a fourth-party relationship with your organization. Fewer dependencies on outsiders lowers the risk of working with a particular vendor.
• The type of data or resources the third-party works uses. For example, if they process financial records, personally identifiable information, or other regulated resources, they represent a greater risk than third parties who don’t work with sensitive data.

4. Classify Third Party Risk Levels

Once you’ve completed your TPRM risk assessment process, you need to use the results to classify each third party based on their relative risk levels. You can use any classification scheme you want, such as colors (red, yellow, green) or simply high, medium, and low risk. These classifications will help you determine how to take action in the next step.

5. Take Action Based on TPRM Assessment Results

Simply identifying risks isn’t enough — you need to mitigate them. After you classify each of your third parties, you need to decide what to do (if anything) based on the results of the TPRM assessment. Any third party with a high risk designation should be prioritized for immediate action, whether that action is reconsidering a continued relationship or implementing more robust security controls and data governance policies. Medium-risk parties may need corrective actions at some point, and low risks require additional monitoring to ensure issues don’t develop later.

6. Automate TPRM Processes

One of the biggest barriers to conducting TPRM assessments and implementing risk management policies is the time and effort involved. Developing an assessment process, identifying third parties, analyzing risk, and mitigating issues can take a long time and disrupt normal business activities. However, overcoming this barrier is critical to managing risk and preventing security incidents from crippling your organization. TPRM assessments should ideally be conducted regularly since your third-party risk landscape will evolve and change over time.

Automated tools can help you streamline the TPRM assessment and mitigation process to lessen the impact on your day-to-day business. In addition, TPRM automation allows you to monitor and assess third-party risk continuously. For example, you can automatically assess the risk of any new vendor, contractor, or partner before onboarding. You can also receive alerts whenever an existing vendor revises their security policies, starts working with a new fourth party, or makes any other changes that impact their risk to your organization.

TPRM Assessment Best Practices for Enterprise

While TPRM frameworks and best practices guide developing a robust third-party risk program, the best TPRM assessment will be custom-tailored to your organization’s unique environment, relationships, and business requirements.