Understanding Third-Party Technology Risk Management · 2018. 11. 12. · Technology Risk...

Post on 09-Sep-2020


Understanding Third-Party Technology Risk Management

Presented by: Carly Devlin and Stephen Chasser

Moderated by: Sara O’Banion

TODAY’S PRESENTERS

Stephen Chasser, Experienced Consultant, Columbus Office

Carly Devlin, Managing Director, Columbus Office

Agenda

• Overview

• Management

• Challenges

• Solutions

• Questions

Overview of Third-Party Technology Risk Management

Overview – What is it?

The process of analyzing, verifying, monitoring, and controlling risks presented to your organization, your data, and your operations by third-parties.

Focus on technology and/or information security controls.

Third-Party Risk Management (TPRM)

Third-Party Technology (or Information Security) Risk Management

Overview – Drivers

Data Protection

Regulatory Compliance

Business Value

Overview – Statistics

Data breaches caused by third-parties are on the rise

• 56% of respondents – data breach caused by vendor in 2017

• 42% of respondents – attack on third-party resulted in misuse of their information

Overview – Statistics

The effectiveness of third-party governance programs remains low

• Less than 50% of respondents – managing third-parties is a priority

• 17% of respondents – mitigation of third-party risk is highly effective

• 60% of respondents – feel unprepared to verify third-parties

Overview – Statistics

Companies lack visibility into third-party and Nth party relationships

• Average number of third-parties with access to confidential information – 471

• More than 50% of respondents – do not keep an inventory of all third-parties with whom they share information

• 13% of respondents – could not determine if they’ve had a third-party data breach

Overview – Statistics

Today’s programs are insufficient to manage third-party risks

• 57% of respondents – not able to determine if vendors’ safeguards and security policies are sufficient to prevent a breach

• Less than 50% of respondents – evaluate security and privacy practices of all vendors before starting a relationship that requires sharing of confidential information

Managing Third-Party Technology Risk

1. Segment

2. Scope

3. Collect

4. Assess

5. Remediate

6. Report

7. Monitor

Source: OCEG.org

1. Segment

Identify Third-Party Relationships: Question business units about type and criticality of third-party services.

Sort Into Tiers: Sort each third-party into risk-based tiers for due diligence and refresh frequently.

2. Scope

Assign Controls: Assign relevant controls based on data and systems touched by each third-party.

Assess Inherent Risk: Assess inherent risk of each relationship and criticality of service.

3. Collect

Distribute Questionnaire: Obtain questionnaire responses and document artifacts as evidence for assessing the third-party’s control effectiveness.

Obtain Public Data: Obtain publicly available data (e.g. IT threat feeds) that supports the assessment of the third-party’s controls.

The SIG Questionnaire

What is it?

The Standardized Information Gathering (SIG) questionnaire gathers information to determine how security risks are managed across 18 risk control areas within a service provider’s environment.

Why is it useful? Enables a service provider to compile complete information about these risk domains in one document.

What is included? Questions regarding cybersecurity, IT, privacy, data security, and business resiliency in an IT environment.

How much does it cost? $7,000 for the SIG Bundle

4. Assess

Review Information: Review collected information to confirm required controls are in place.

Evaluate Controls: Evaluate control design and operational effectiveness.

Types of Assessments

Questionnaire Analysis

• Analyze questionnaire responses and examine provided evidence of controls in place

• No testing of effectiveness occurs

Remote Control Validation

• Analyze questionnaire responses and examine provided evidence of controls in place

• For higher risk areas, request additional evidence that may include system screenshots, configurations, and/or reports to validate effectiveness of controls

On-site Control Validation

• Analyze questionnaire responses and examine provided evidence of controls in place

• For higher risk areas, perform on-site walkthroughs and perform observation of controls to validate effectiveness

5. Remediate

Identify Findings: Tag ineffective controls and identify issues, including those that underlie multiple control failures.

Provide Recommendations: Prescribe necessary changes and track completion.

6. Report

Report on Residual Risk: Report on residual risk and remediation to support risk acceptance.

Prepare Final Reports: Prepare views for board, management, and stakeholders responsible for risk acceptance.

7. Monitor

Ongoing Monitoring: Perform ongoing monitoring of controls, conditions, and SLAs.

Alerting: Alert when remediation, re-segmentation, or a refreshed assessment is needed.

Challenges and Solutions

Third-Party Inventory

Challenge: Relationships are initiated with third-parties all throughout the organization, and not all third-parties are centrally managed.

Solution: Inventory third-parties who have access to confidential information and ensure processes exist to alert the TPRM when all third-party relationships are initiated.

TPRM Resources

Challenge: Lack of adequate resources to manage third-party technology risk.

Solution: Augment staffing to work through the assessment backlog and perform on-site assessments.

Automation of TPRM Process

Challenge: As the number of third-parties reaches the hundreds, it’s not feasible for every vendor to be assessed in the same fashion.

Solution: Implement an automated risk assessment tool for assessing vendors.

Continuous Monitoring

Challenge: An annual snapshot of your vendor’s security is not enough to provide peace of mind that you’re identifying all key risks.

Solution: Implement a continuous monitoring process to ensure you’re identifying changes to the vendor’s security environment in real-time.

Key Takeaways

Use technology

Involve multiple stakeholders across organization

Define standard contract clauses

Design audience specific dashboards and reports

THANK YOU!

Stephen Chasser, Experienced Consultant, Columbus Office

Carly Devlin, Managing Director, Columbus Office