There are two types of third-party risk: product vendors and service providers. Product vendors supply outsourced software, platforms, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are still hosted on-premises.
Service providers are consulting third parties, such as management consultants, IT consultants, cybersecurity consultants, and managed service providers. Regardless of the type of third-party vendor, these are the five areas on which your third-party risk management program should focus:
Data access: who has access to your data? What kind of data is it? How is it stored? This is a confidentiality issue. Reviewing and discussing your providers' policies, procedures, and contractual language is essential, and this is an area in which you should involve your legal team.
Security program transparency: where is the data center? What physical controls are in place? Make sure these questions are asked and, where possible, validated to some degree, for example by a third-party assessor.
Location of data regulation: most providers do not disclose where their data centers are, which becomes a challenge if your data is subject to a regulation governing where it may be stored. Two examples: Israeli banking data can't be stored outside of Israel, and the Federal Information Security Management Act (FISMA) requires that customer data be kept within the United States.
Disaster recovery: how do the providers handle recovery from events ranging from an outage to a compromise?
These five focus areas should be embedded in your cybersecurity assessment and addressed in the analysis and conclusion for every vendor you assess.