Building A Third-Party Risk Management Program (Part 2)
Cybersecurity Awareness – By Ron Frechette, The Cyber Coach
Last month we covered Third-Party Security Vetting. Companies are beginning to send letters to their vendors and partners requesting they complete security questionnaires, in an effort to determine the level of risk they pose in conducting business with them. While having basic security controls in place will enhance your ability to retain and win new business, the ultimate goal is to increase the security posture of your organization and reduce your own risk of cyber-attacks, malware threats, and data theft.
Do you have a Third-Party Service Provider Security policy? Having a plan to build a formal program is the first step. Writing the policy and deploying it throughout your organization is where the rubber meets the road.
Framework for a Third-Party Management Program
1. Develop the Plan – Assign a person to spearhead the project and define clear roles and responsibilities for those within your organization who will write the policy, obtain proper documentation from vendors, monitor vendor/partner performance, etc.
2. Build a Due Diligence Process – Determine which vendor/partners are audited or assessed by outside auditing firms and willing to share results.
3. Have a Reporting System – Identify reports that you should be receiving from vendors to monitor their performance on a periodic basis. (ISO, SOC, Penetration Tests, etc.)
4. Continuous Monitoring – Set up an ongoing monitoring process to make sure that the vendor continues to meet expectations. May depend on client requirements.
5. Access to Sensitive Data – Consider what types of data are accessible by your third parties, what types of transactions they perform, etc., to determine the risk associated with each vendor.
6. Termination Process – Have a formal process in place that defines exactly what you would do if you find it necessary to terminate your relationship with a vendor/partner, or if the vendor terminates their relationship with your organization.
Components of a Third-Party Management Policy
Writing a Third-Party Management Policy can be a cumbersome process if starting from scratch. There are several policy template resources available on-line. Below we have provided a common policy format along with some sample verbiage to get you started.
- Overview – Third-party vendors and contractors play an important role in supporting the IT infrastructure and in providing information services as part of the company's services to its clients. Setting limits and controls on such persons and entities helps eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to the Company.
- Purpose – The purpose of this policy is to establish the rules for selection of certain service providers and determining their access to company information, third party responsibilities, and setting expectations for third party protection of company information.
- Scope – This policy applies to all company staff responsible for the selection and integration of external persons and entities that assist in providing company services, installing new information resource assets, operating and maintaining existing information resources, or monitoring and troubleshooting information resources.
- Policy – Prior to entering into an arrangement with a Service Provider, staff shall follow due diligence in selecting such entities and will assess risk in each such third-party relationship. The policy should be broken down into the following subsections:
  - Issue Management and Resolution
- Enforcement – Any staff member found to have violated this policy may be subject to disciplinary action, up to and including termination.
- Distribution – This policy is to be distributed to all staff responsible for installing new information resource assets, operating and maintaining existing information resources, or monitoring and troubleshooting information resources.
- Policy History – A table that shows the version, date, description and who approved the policy.
Obviously, this is sample language that would need to be customized for your organization. We highly recommend seeking legal counsel prior to deploying this program. There are several cybersecurity advisory firms that offer policy and procedure development services for companies that do not have the internal resources.
Until next month, wishing you a safe and secure journey in cyberspace!
Questions? Send me a tweet: @GoldSkyRon or email: firstname.lastname@example.org