5 Focus Areas - Third-Party Risk Measurements

cybersecurity risk risk management smallbusiness smb Aug 01, 2022

There are two types of third-party risk: product vendors and service providers. Product vendors outsource software, platform, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are hosted on-premises.

The service providers are consulting third-party vendors, such as management consultants, IT consultants, Cybersecurity consultants, and managed service consultants. However, regardless of the type of third-party vendor, these are the five focus areas your third-party risk management program should focus on:

  1. Data access: who has access to your data? What kind of data is it? How is it stored? This is a confidentiality issue. Reviewing and discussing your providers' policy, procedures, and contractual language is essential. This is an area you should involve your legal team.
  2. Security program transparency: where is the data center? What are physical controls in place? Make sure these questions are asked and, if possible, validated to a degree, such as by a third-party assessor.
  3. Location of data regulation: most providers do not disclose where their data centers are, and that becomes a challenge if your data has a regulation regarding the location of the data. Two examples are that Israeli banking data can’t be stored outside of Israel; similarly, the Federal Information Security Management Act (FISMA) requires that customer data be kept within the United States.
  4. Privacy policies: Ensure the provider’s privacy policy aligns with your organization’s privacy policies.
  5. Disaster recovery: how do the providers handle disaster recovery from an outage to a compromise?

These 5 focus areas should be embedded into your cybersecurity assessment and be addressed in your analysis and conclusion of any assessed vendor.

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Author: Dr. Bill Souza | Aug 1, 2022 


Want Helpful Cyber Risk Tips Every Week?


You're safe with me. I'll never spam you or sell your contact info.