With third-party data breaches and their subsequent financial impacts on the rise, Third-Party Risk Management is becoming a non-negotiable inclusion in an organization’s cybersecurity strategy. For those new to this risk management area, this post outlines a high-level framework for applying TPRM principles to a third-party risk context.
Learn how UpGuard streamlines Vendor Risk Management >
Scenario: Finance service relying on cloud application host to deliver its essential services
Scenario overview:
- A financial entity is dependent on Amazon Web Services to keep its suite of financial applications and products online.
- The financial entity has never had any operational disruption issues in the past.
- The financial entity stores its sensitive customer data in Amazon S3.
Learn how UpGuard helps financial services mitigate data breach risks >
Example of a TPRM approach for mitigating financial risks posed by third-party vendors
Note: The following is a high-level application of a Third-Party Risk Management program for this financial risk scenario. For a more in-depth example of how to apply TPRM to your unique third-party risk exposure context, request a free trial of UpGuard.
Step 1: List all of the potential security risk categories applicable to the third-party vendor
Before all potential risks associated with the third-party vendor are officially evaluated with a risk assessment, it’s helpful to narrow the scope of potential risk categories the vendor is exposed to. From the threat scenario, the following categories of TPRM risks should be considered in a risk analysis:
- Operational risks - The financial entity is dependent on the availbility of AWS to deliver its services to users. Should AWS become unavailable, the financial entity is at risk of breaching its SLA (service level agreement) conditions.
- Data breach risks - With the financial entity storing sensitive customer data in Amzaon S3, the risk of suffering a data breach is heightened, especially given Amazon’s history of being compromised through S3 bucket misconfigurations.
- Compliance risks - Being in the financial industry, this organization must comply with the PCI DSS regulation, an effort that could be impacted by third-party vendor cybersecurity risks.
- Supply chain attack risks - With the financial entity utilizing a third-party cloud service known to be susceptible to cyber attack exploits, the risk of a supply chain attack - a type of cyber attack in which a target is compromised through a vulnerable third-party vendor in its supply chain—is significantly heightened.
Step 2: Complete a preliminary risk profile for the third-party vendor
Next, the TPRM team should perform a high-level risk analysis for the vendor, addressing all the risk categories listed in the previous step. This effort has two objectives:
- To expedite the TPRM process by consolidating all readily accessible information across all applicable third-party risk categories.
- To create a foundation for an official third-party risk assessment that will take place in the next step.
There are three primary sources of third-party risk data sources that collectively offer the most efficient means of building a preliminary third-party risk profile for new vendors:
- Trust and security pages - A public-facing summary (usually hosted on a vendor’s website) of a vendor’s risk management framework, regulatory requirements, and their efforts of securely aligning business operations with industry standards.
- Automated scanning results - Third-party risks detected from superficial attack surface scans, a risk discovery automation feature that’s an essential component of an effective Vendor Risk Management platform.
- Completed questionnaires - Previously completed questionnaires provide a snapshot of a vendor’s baseline security posture, reducing due diligence processes and expediting onboarding workflows.
With so many potential pathways to third-party cybersecurity data sources, gathering inherent risk data to produce superficial vendor security posture profiles can quickly become convoluted and difficult to manage. To prevent this, this phase of the TPRM lifecycle, referred to as “Evidence Gathering,” is best completed with a platform streamlining the exchange of security information across third-party relationships, such as Trust Exchange by UpGuard - available to everyone for free.
Get started with Trust Exchange for free >
Step 3: Assign the third-party vendor to “critical” tier
To make the entire third-party risk management process efficient and scalable, all onboard third-party vendors should be ranked by degree of criticality based on the security posture insights gathered in the previous step. This will allow high-risk vendors - those with the greatest potential negative impact on your organization - to be readily prioritized in risk assessment efforts.
The fact that the financial entity is outsourcing sensitive data processing to this vendor should be an immediate trigger a critical classification for the vendor in a TPRM program. For more information about tiering methodologies, refer to this post explaining the vendor tiering process.
Step 4: Perform a full-risk assessment
With AWS classified as a critical third-party vendor, the financial service should evaluate it with the most comprehensive level of risk assessment – a full risk assessment. Full third-party risk assessments are typically characterized by the inclusion of security questionnaires in addition to automated risk detection methodologies, such as attack surface scans and security ratings.
Related: How to implement a vendor risk assessment process.
The following questionnaire types would map to all of the major risk categories that are relevant in this third-party risk management context:
- PCI DSS Questionnaire: The financial entity must track its regulatory compliance efforts with this standard, and the impact any vulnerabilities associated with the AWS vendor could have on maintaining full compliance.
- NIST CSF: To ensure the third-party service provider’s overall data breach risk is reduced, the financial entity could evaluate its security controls against a trusted information security standard like NIST CSF, which has been further improved with its latest update.
- Security and Privacy Program Questionnaire: Since the third-party vendor is trusted with such sensitive internal customer information, it could be helpful to perform a focused analysis of their information security and efforts – an initiative that could also support compliance with data privacy standards like the GDPR and reduce reputational risk arising from overlooked data exposures.
- Custom questionnaires: TPRM platforms offering a custom questionnaire builder allow the targeted analysis of specific risk areas. In this example, the financial entity may wish to perform a detailed analysis of all potential threats impacting business continuity and the vendor’s service level agreements, such as natural disaster events and service issue collaboration.
Custom security questionnaire builder on the UpGuard platform.
Watch this video for a more in-depth overview of the third-party risk assessment process.
Step 5: Manage all identified third-party security risks
The results from the completed risk assessment should provide a high-level framework for ongoing risk mitigation for the duration of the vendor relationship. At this point of the TPRM lifecycle, this risk mitigation framework could be shared with stakeholders who want to be involved in developing the framework into a strategic risk mitigation action plan, which would be expected if your IT ecosystem is aligned with NIST CSF 2.0.
Remediation plans should prioritize critical risks before all other types of third-party risk to maintain the lowest potential for a third-party breach to occur before all dangerous attack vectors have been addressed.
With this vendor having a history of security exploits, for enhanced data protection, the vendor’s fourth-party vendors should also be monitored as part of a fourth-party risk management strategy.
Managing remediation tasks can get very overwhelming with a vast third-party vendor network. To vendor management efficiency and scalable risk assessment processes, all remediation efforts should be managed in a TPRM solution specifically designed to streamline a high volume of remediation workflows, not spreadsheets.
To appreciate the operational benefits of upgrading from manual-based risk assessment processes, learn how UpGuard helped OVO build a scalable Vendor Risk Management program.
Step 6: Continuously monitor the critical vendor
After addressing detected third-party risks, the vendor will need to undergo continuous monitoring to track any emerging threats impacting all of its applicable risk categories. For the most ongoing monitoring strategy, point-in-time risk assessment should be combined with real-time attack surface monitoring technology, such as security ratings. This will empower security to maintain complete visibility of emerging risks, even between assessment schedules.
Continuous monitoring technology, as part of a broader Attack Surface Management program, could also extend risk detection capabilities to the offboarding phase of the vendor lifecycle, identifying third-party access points that should be removed when third-party relationships expire.
If you’re unfamiliar with the concept of Attack Surface Management, watch this video for an introductory overview: