About Blog Login Contact
Services
Training vCISO Consulting Services

 

 

5 Focus Areas - Third-Party Risk Measurements

cybersecurity risk risk management smallbusiness smb Aug 01, 2022

There are two types of third-party risk: product vendors and service providers. Product vendors outsource software, platform, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are hosted on-premises.

The service providers are consulting third-party vendors, such as management consultants, IT consultants, Cybersecurity consultants, and managed service consultants. However, regardless of the type of third-party vendor, these are the five focus areas your third-party risk management program should focus on:

  1. Data access: who has access to your data? What kind of data is it? How is it stored? This is a confidentiality issue. Reviewing and discussing your providers' policy, procedures, and contractual language is essential. This is an area you should involve your legal team.
  2. Security program transparency: where is the data center? What are physical controls in place? Make sure these questions are asked and, if possible, validated to a degree, such as by a third-party assessor.
  3. Location of data regulation: most providers do not disclose where their data centers are, and that becomes a challenge if your data has a regulation regarding the location of the data. Two examples are that Israeli banking data can’t be stored outside of Israel; similarly, the Federal Information Security Management Act (FISMA) requires that customer data be kept within the United States.
  4. Privacy policies: Ensure the provider’s privacy policy aligns with your organization’s privacy policies.
  5. Disaster recovery: how do the providers handle disaster recovery from an outage to a compromise?

These 5 focus areas should be embedded into your cybersecurity assessment and be addressed in your analysis and conclusion of any assessed vendor.
========

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Author: Dr. Bill Souza | Aug 1, 2022 

Categories

All Categories asset management compliance cybersecurity frameworks governance metrics nist nist csf risk risk management smallbusiness smb strategy tprm training
THE CYBER RISK NEWSLETTER

Want Helpful Cyber Risk Tips Every Week?

 

You're safe with me. I'll never spam you or sell your contact info.