DEMAND MAXIMUM SECURITY FROM THE THIRD/FOURTH PARTIES
The purpose of conducting Security Due Diligence on Third Parties is to understand whether they maintain an effective security program and can demonstrate that they keep risk to a minimum. A Third Party's security posture is gauged by thoroughly vetting its security at the domain and control level. As part of Due Care, the following give substantial assurance about the controls in place and the security practices followed:
- Compliance with industry-recognized security frameworks
- Internal policies
- Effectiveness of the implemented controls
- Applicable regulations
- Leadership commitment to support and maintain a good security posture
The key outputs of this activity are:
- The type and severity of any risk exposure or non-compliance
- The likelihood of those risks materialising and their associated impact
- The severity of the residual risk, so leaders can make a risk-informed decision
- A security rating of the Third Party
- Validation of security and privacy controls across the information security domains
- Recommendations for additional security and privacy controls
- Recommendations for the security and privacy legal language needed in the contract
Almost all Third Parties claim to have implemented the necessary controls, but if those controls are ineffective or misconfigured, the objective of the security policy is not met and the control offers no real protection.
Creating a comprehensive set of Due Diligence questions that factors in the requirements of
- Industry-recognized security frameworks
- Local and international laws and regulations
- Your organization's security baseline standard
- Client security requirements
- Fourth and fifth parties (the Third Party's own subcontractors, and theirs)
gives the flexibility to customize the type of assessment to be performed. It is paramount that organizations define their own security baseline standard for each security domain, process and Standard Operating Procedure (SOP); a questionnaire can only measure a Third Party against a baseline that exists.
Based on the inherent risk derived during Pre-onboarding, a customized Due Diligence approach is created, with depth varying according to the assurance required. The considerations that drive that variation (industry, type and volume of data, technology and integrations, applicable regulations, incident history and fourth parties) are listed under the approach below.
A well-defined and comprehensive process to gather security artefacts from Third Parties and validate them against the questionnaire responses reduces the iterations needed to collect data and seek clarifications. Third Party risk management should align with the larger Enterprise Risk Management process: definitions of risk severity, impact and SLAs must mirror, or closely follow, those used for enterprise risk. Issue documentation, tracking and remediation should feed directly into risk documentation, tracking and remediation, which is a critical activity.
Issues are tangible observations captured during the Due Diligence process; left unaddressed, they can translate into risks. Issues should be centrally managed and tied to the Third Party as a whole rather than to the individual services or products it offers. Inputs from other teams performing due diligence should be collected and documented to give a single view of all types of Third Party risk. This enables the security team to explain the precise risk exposure, non-compliance with industry standards or regulatory violations to management, so that management understands the impact should the risk be realized and can take risk-informed decisions.
Maintaining a common repository for due diligence information gives a bird's eye view of how the information is managed and makes it possible to:
- Derive statistics and trends by geography, service, industry and risk
- Generate reports and provide insights to management
- Retrieve information when needed
- Audit data accuracy and completeness
- Integrate with reporting tools such as Power BI and Tableau
Legacy Third Parties should be evaluated for their security controls while they are actively delivering services to your organization. Lack of visibility into who is using the organization's data, and how, violates many internal policies and regulations. Many organizations struggle to get a holistic view of their legacy Third Party inventory and the types of services delivered.
Common Challenges Faced by the Businesses
With a vast security landscape spanning technology, hardware, human resources and logistics, companies struggle to cover every aspect of security to the last detail and are therefore unable to perform holistic Due Diligence, which can leave the organization exposed. Without a comprehensive Due Diligence process, risk assessment is most often ineffective: you cannot protect what you cannot see. Legacy Third Parties that have never undergone Due Diligence are a major source of this exposure. Organizations of all sizes are subject to regulation, and a single fine or penalty can result in substantial loss: financial, reputational, lost business opportunities, loss of client trust, a drop in share price and liabilities.
What we do in the TPRM Security Due Diligence Phase
A customized Due Diligence approach in line with your organization's security standard and the diverse services offered by the Third Party, based on the following considerations:
- Inherent risk derived in the Pre-onboarding
- Industry (IT, Healthcare, Insurance, Retail, BFSI, HR, Manufacturing, Life Science etc.)
- Type and volume of data; technology used, which may involve integration
- Applicable regulations and laws
- Prior history of security incidents or breaches, and regulatory fines (if any)
- Fourth and fifth parties
Build the Due Diligence questionnaire in alignment with the organization's security baseline, starting with the most common and generally applicable domains so that all categories of Third Parties are covered:
- Access Control
- Asset Management
- Security Incident Response
- Human Resource Security
- Vulnerability Management
- Cryptography
- Audit and Compliance
- Security Operations Management
- Physical Security
- Business Resilience (Continuity)
- Endpoint Security
- Cloud Security
- Privacy Management
A customized security questionnaire leveraging the SIG (Standardized Information Gathering) questionnaire to precisely target domain areas according to industry-recognized security frameworks (ISO 27001, ISO 27018, ISO 27017, SOC 2, NIST CSF, Cyber Essentials), regulations (GDPR, HIPAA, FCRA, CCPA, etc.) and standards (PCI-DSS).
Note: best practice is to keep the overlap of controls to a minimum. This is best done by creating a matrix of the applicable regulations and frameworks and identifying the overlapping controls, so that a single question to the Third Party evidences every requirement that maps to the same baseline control, and any requirement the baseline does not cover is surfaced before the questionnaire is issued.
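As an added example (not Defentrix's tooling or any framework's published crosswalk), the following Python builds such a matrix: it maps each applicable framework's or regulation's control references to the organization's own baseline controls, emits one question per baseline control annotated with every requirement it evidences, and flags source requirements the baseline does not yet cover. The framework and regulation names are those listed above; every control reference (ISO-AC-1, PCI-LOG-1, ...) and baseline id (BL-AC-01, ...) is a constructed placeholder rather than a real clause number, and the questions are illustrative.

```python
"""Control-overlap matrix for a deduplicated Due Diligence questionnaire.

Added example, not Defentrix's tooling. Framework/regulation names are those on
the page; all control references and baseline ids are constructed placeholders,
not real clause numbers.
"""
from collections import defaultdict

# Source control reference -> internal baseline control it maps to.
# None marks a source requirement the baseline does not yet cover (a gap).
SOURCE_TO_BASELINE = {
    "ISO 27001": {"ISO-AC-1": "BL-AC-01", "ISO-CR-1": "BL-CR-01",
                  "ISO-IR-1": "BL-IR-01", "ISO-VM-1": "BL-VM-01"},
    "SOC 2":     {"SOC-AC-1": "BL-AC-01", "SOC-IR-1": "BL-IR-01",
                  "SOC-LOG-1": "BL-SO-01"},
    "PCI-DSS":   {"PCI-AC-1": "BL-AC-01", "PCI-CR-1": "BL-CR-01",
                  "PCI-VM-1": "BL-VM-01", "PCI-LOG-1": "BL-SO-01",
                  "PCI-SEG-1": None},            # constructed gap: no baseline control
    "HIPAA":     {"HIPAA-AC-1": "BL-AC-01", "HIPAA-PRIV-1": "BL-PM-01"},
    "GDPR":      {"GDPR-PRIV-1": "BL-PM-01", "GDPR-BR-1": "BL-IR-01"},
}

# One question per baseline control, grouped by the security domains listed above.
BASELINE_QUESTIONS = {
    "BL-AC-01": ("Access Control",
                 "Is access to systems holding our data granted on least privilege "
                 "and reviewed at a defined frequency?"),
    "BL-CR-01": ("Cryptography",
                 "Is our data encrypted in transit and at rest, with documented key management?"),
    "BL-IR-01": ("Security Incident Response",
                 "Are incidents affecting our data reported to us within the contractual SLA?"),
    "BL-VM-01": ("Vulnerability Management",
                 "Are vulnerabilities remediated within timelines defined by severity?"),
    "BL-SO-01": ("Security Operations Management",
                 "Are security logs retained and monitored for systems processing our data?"),
    "BL-PM-01": ("Privacy Management",
                 "Is personal data processed only for agreed purposes and deleted on termination?"),
}


def build_matrix(applicable):
    """Return {baseline id: {source name: [source control refs]}} for the given sources."""
    matrix = defaultdict(lambda: defaultdict(list))
    for source in applicable:
        for ref, baseline_id in SOURCE_TO_BASELINE[source].items():
            if baseline_id is not None:
                matrix[baseline_id][source].append(ref)
    return {bid: dict(srcs) for bid, srcs in matrix.items()}


def baseline_gaps(applicable):
    """Source requirements with no baseline control. The baseline must be extended
    before the questionnaire is considered complete for these sources."""
    return [(source, ref)
            for source in applicable
            for ref, baseline_id in SOURCE_TO_BASELINE[source].items()
            if baseline_id is None]


def build_questionnaire(applicable):
    """One question per baseline control, annotated with every requirement it evidences."""
    matrix = build_matrix(applicable)
    items = []
    for baseline_id in sorted(matrix):          # deterministic order by baseline id
        domain, question = BASELINE_QUESTIONS[baseline_id]
        satisfies = sorted(f"{src}:{ref}"
                           for src, refs in matrix[baseline_id].items()
                           for ref in refs)
        items.append({"baseline_id": baseline_id, "domain": domain,
                      "question": question, "satisfies": satisfies})
    return items


def overlap_summary(applicable):
    """How many source controls collapsed into how many questions, and how many gaps remain."""
    return {
        "source_controls": sum(len(SOURCE_TO_BASELINE[s]) for s in applicable),
        "questions": len(build_questionnaire(applicable)),
        "gaps": len(baseline_gaps(applicable)),
    }


if __name__ == "__main__":
    scope = ["ISO 27001", "SOC 2", "PCI-DSS"]   # sources applicable to one hypothetical Third Party
    for item in build_questionnaire(scope):
        print(f"[{item['domain']}] {item['question']}  (evidences: {', '.join(item['satisfies'])})")
    print("Gaps to add to baseline:", baseline_gaps(scope))
    print(overlap_summary(scope))
```

For the constructed scope of ISO 27001, SOC 2 and PCI-DSS, twelve source requirements collapse into five questions, and the one unmapped PCI-DSS requirement is reported as a baseline gap rather than silently dropped; that gap check is the part worth keeping in any real crosswalk.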
Implement an Issue management process and apply best practices:
- Issue Register consistent with the risk documentation
- Stakeholder engagement and remediation process
- Inventory and maintenance
- Quality control checks
Risk identification, analysis, evaluation, mitigation strategies, implementation and documentation
- Optimal ways to address defined risk response options
- Contractual security and legal language to protect your organization from unforeseen liability
- Risk acceptance process
- Inventory management and record management
- Key points to prep for internal audit
Custom reports giving visibility into control gaps, risk posture and recommendations, so stakeholders can easily consume information on:
- Type of Due Diligence performed with justification
- Controls validated at the security domain level
- Gaps identified documented as Issues (Risks in cases where a Third Party is already onboarded)
- Recommendation of best practices to the internal stakeholders and to the Third Party by the security team
Consultation on the widely used enterprise TPRM tools in the industry, covering:
- Cost-benefit analysis
- Alignment to TPRM framework implemented
- Feasibility of integration with existing tools
Templates: E-mails, Reports, questionnaires, Issue and risk register, supporting documents
Customized process to perform re-assessments
Benefits of Associating with Defentrix Third Party Security Due Diligence Services
- Accurate description of products, services and integrations with the Third Party and/or with clients
- Clear understanding of which security controls are effective, ineffective or missing
- Identification of the types of risk exposure that could result in an incident or breach for which your organization is liable
- Flexible due diligence approach that saves effort and time
- Comprehensive reports covering key observations, strong and weak security areas, and recommendations
- Reduced Turn-Around-Time (TAT) and adherence to internal Service Level Agreements (SLAs)
- Interpretation of risk exposure and potential impact scenarios for the business, so decisions are made in line with risk appetite
- Inputs for drafting the security clauses that need to be included in the agreement/contract
- Insights into industry standards and best practices
Worried about your Information Security and TPRM?
Contact us today for complete consulting and implementation of Information Security