Third-Party Risk Management

The third-party outsourcing trend will continue to grow in the coming years, which makes third-party risk a significant concern for organizations large and small. Depending on which statistics you read, 39-63% of breaches are caused by third parties. One of the most notorious is the Target breach, in which an HVAC vendor's credentials were stolen and used to compromise the retailer, resulting in the theft of 40 million credit and debit card numbers and 70 million records of personal information.

How you manage this risk vector has inspired several books and articles; however, it all starts with the contract and what you were able to negotiate upfront. That is followed by a mixed-methodology assessment, in which you use both qualitative and quantitative elements to evaluate the vendor against industry-accepted standards such as NIST CSF or ISO 27001.

I would use caution in leveraging Service Organization Control (SOC) 2 reports; their scope varies by organization, and a given report may not cover all of the cybersecurity controls you are looking for.

Once the assessment is complete, work with the vendor to mitigate any findings; where mitigation is not possible, enter the findings in your cybersecurity standard exception program or a vendor exception program.

It will be the responsibility of the business to accept or reject the amount of risk proposed by this third-party vendor relationship.

========

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Author: Dr. Bill Souza | Jul 26, 2022 
