Third-Party Risk Management (TPRM) is a key component of information security (infosec) programs and it requires significant focus. This is borne out by breaches in the news as well as known data on breaches reported to regulators.
The first post of this series defined key objectives for TPRM programs and then discussed common reasons why programs often struggle to meet those objectives. I recommend reviewing the first post if you haven’t already done so.
This second part discusses ideas that can help the TPRM ecosystem (comprising customers, their third-parties and TPRM solution vendors, among others) overcome those challenges collectively.
I use the term “ecosystem” somewhat deliberately because the challenges we face today require some changes or enhancements to be considered by each of the players. I discuss the details below.
Customers are the central and most important players in the TPRM ecosystem. After all, TPRM programs are run by customers and are meant to manage the security risks that their third-parties pose to them.
As such, customers stand to benefit most from any changes to the ecosystem. They also have the ability to exert significant influence on the design, implementation and indeed the future direction of the TPRM ecosystem given their role as customers to third-parties on one hand and TPRM solution vendors on the other.
The approaches and decisions customers make also have a significant impact on the “Three Objectives” (Effectiveness, Agility/Scalability and Efficiency, as discussed in the previous post), not only for themselves but also for their third-parties.
Classification Matrix: Key Prerequisite for Pre-Assessments
Customers should develop a classification matrix based on certain factors. Minimally, these factors should include or be based on:
- Nature of services provided by third-parties;
- Business criticality of services provided by third-parties; and,
- Sensitivity levels of customer data processed by third-parties.
The classification matrix will serve as the basis for pre-assessment of third-parties and therefore must be complete enough to serve the two objectives (Impact Estimation and Assessment Scoping – see below under the Pre-Assessment section for details of each) expected from the pre-assessments of third-parties. It is important for the matrix to be detailed enough and contextual to the organization and its industry in order to achieve the two objectives effectively.
Developing a sound classification matrix is foundational to achieving the objectives of a customer’s TPRM program. In the absence of such a matrix, customers might resort to classifying their third-parties into certain tiers or levels and using predetermined or templated content and approaches for assessment of third-parties in each tier. Such a templated approach is a key reason for many TPRM organizations not being able to achieve one or more of the Three Objectives.
Pre-Assessment
As indicated in the Classification Matrix section above, pre-assessments are meant to accomplish two objectives:
- Impact Estimation. Information gathered from a pre-assessment should lead to as accurate an estimation as possible of the impact component of risk posed by a third-party.
- Scoping and levels of due diligence in assessments. The pre-assessment report will be used to scope the content (security/privacy controls or questions) of each third-party’s assessment (see the Assessment section below). Further, the pre-assessment information will be used to determine the level of due diligence or scrutiny a customer may want to exercise in assessing the third-party.
Pre-assessments must use a standard template for all third-parties regardless of their size or nature. Further, the templates should be designed in such a manner that third-parties can complete the pre-assessments expeditiously.
Assessment
While pre-assessments will have helped estimate the “impact” component of third-party risk, assessments are focused on getting as accurate an estimate as possible of the “likelihood” component of the risk posed by the third-party[i].
Estimating the likelihood requires that the content (i.e. the controls included in the assessment) be chosen carefully, using an approach that helps accomplish the “Three Objectives” for both customers and third-parties. The content must also make any follow-on remediation efforts easier to conduct, again for both customers and third-parties. In this regard, we think it is important for the assessment content to conform to the following criteria:
- Well-known framework. Choose controls from well-known frameworks and cite the framework/control reference in the assessment, so the third-party knows exactly what is being asked and what their response needs to be;
- Demonstrably risk relevant. The security controls must be demonstrably relevant and effective against current and evolving threats. The organization that owns or maintains the control framework should have a process to update the security controls based on lessons learned or knowledge gained from what worked and what didn’t in actual incidents or breaches. Further, such information must be freely available for feedback and validation;
- Actionable guidance. The controls must include actionable guidance for implementation and operationalization. Further, such guidance should be freely available for reference or use by all organizations in the TPRM ecosystem – customers, third-parties, TPRM solution vendors etc.;
- Verifiable outcomes. The controls must yield specific and verifiable outcomes by way of improvements in meaningful security safeguards;
- Mapping. The controls framework should have an associated mapping of its controls to the controls in other frameworks or security regulations; this will help organizations demonstrate compliance with controls mandated by other frameworks or regulations as needed; and,
- Metrics. The controls framework must provide meaningful metrics that organizations can use to measure their performance and implement continuous and appropriate improvements in their safeguards.
Customers will want to be assured of timely remediation and ongoing maintenance of safeguards identified during assessments of third-parties. They may obtain such assurance through reinforcing the third-parties’ accountability in their contracts. We would recommend the following requirements be added in a security or data protection addendum to the contracts:
- Material Changes – Third-party must notify the customer within (say) a week of the third-party becoming aware of any material changes in their responses to the most recent pre-assessment or assessment;
- Remediation Status – Third-party must provide timely notifications to the customer regarding the status of remediation efforts they have agreed to implement in order to mitigate risks identified in the most recent assessment;
- Annual Confirmation – Third-party must confirm every 12 months that they have had no material changes that could potentially degrade the safeguards identified in the most recent assessment. Further, they should confirm that any material changes during the previous 12 months were proactively reported throughout the 12-month period and include a list of such notifications.
Vendor Selection/Viability – TPRM Solution Vendors
As discussed in the first post of this series, the TPRM solutions market has a rather large number of vendors. Customers need to perform appropriate levels of due diligence before selecting the right vendor solution. We recommend using the Three Objectives (Effectiveness, Agility/Scalability and Efficiency) and scrutinizing how well a vendor can help in achieving the objectives, as the basis for vendor selection.
Special attention should be paid to the current capabilities as well as future viability of the vendors, as not all vendors may meet one’s expectations for the Three Objectives. One must also validate the vendors’ potential for future growth and commitment to innovation.
It is also important that the vendor solution has a vibrant TPRM exchange with significant and increasing levels of participation by other customers and third-parties alike.
Exchanges – Network Effect
Customers should join TPRM exchanges and leverage the network effect offered by them. These exchanges are usually offered by industry Information Sharing and Analysis Centers (ISACs) or TPRM solution vendors. Participation in these exchanges can deliver significant benefits in accomplishing the Three Objectives.
The higher the number of a third-party’s customers on an exchange that uses a standardized assessment framework, the greater the chance that everyone benefits in terms of all Three Objectives. For example, risk mitigation pursued with a third-party by one customer saves the other customers the cost of pursuing the same remediation themselves.
Customers should encourage their third-parties to join the exchanges as well, in the interest of the third-parties accomplishing their own Three Objectives.
Third-parties are just as important as customers in the TPRM ecosystem. After all, the foremost objective of TPRM programs is to identify or detect risks at third-parties and have them mitigate those risks in a timely manner. It is important, therefore, that TPRM strategies work just as well for third-parties as they do for customers.
We have two specific recommendations for third-parties.
A sound security framework is critical for third-parties to achieve the Three Objectives from their perspective. We would recommend the same criteria for the framework as we suggested for the assessment content in the Customer section above. The criteria will allow third-parties to not only design, implement and maintain a sound security program but also demonstrate it to their customers effectively.
Similar to our recommendation in the previous section for customers and for the same reasons, we would recommend third-parties join one or more TPRM exchanges.
Proactive reporting of changes in a third-party’s environment or security posture can go a long way in building trust with customers. Such reporting will also bring the necessary urgency and focus to risk management internally, benefiting the third-party’s own security program.
TPRM Solution Vendors and ISACs
TPRM solution vendors and ISACs have a critical role to play in helping customers and third-parties achieve the “Three Objectives”.
While a constant innovation mindset and approach will help the vendors stand out from the crowded competition, we have two specific recommendations we think will help the customers and third-parties that are among their clients.
As highlighted previously for customers as well as third-parties, selecting a suitable and standardized security framework will deliver significant benefits in the form of achieving the “Three Objectives”. We think the ISACs can play a very important role in influencing and directing the adoption of such a framework among their member organizations – both customers and third-parties.
TPRM solution vendors should also make suitable enhancements in their solutions to help increase adoption and use of such TPRM security frameworks.
As highlighted in the previous post in this series, the disparate nature of vendor-hosted TPRM exchanges limits the “network effect” potential of these exchanges. We think vendor exchanges can overcome this problem by adopting a standardized security framework (or, where two exchanges use dissimilar frameworks, at least developing a robust mapping between their controls) and by developing capabilities that allow seamless sharing of assessment content between different exchanges. This will deliver significant improvements for both customers and their third-parties in achieving the Three Objectives.
[i] We use the simplistic convention – Risk = Impact x Likelihood – for the purpose of discussion in this post.