Third-Party Incident Management

by | May 9, 2024 | TPRM Bytes

Array
third-party-incident-management
Organizations often find themselves struggling to gain a thorough understanding of the length and breadth of an incident or breach at their third party and the type of impact on their organization. The impact can only be calculated when there is good enough data that is accurate and up to date. This applies to both, the organization that stores information about the third party and the third party itself who has suffered the incident or breach. This scenario sheds light on some important points. Time elapsed since the incident occurred, type and amount of data exposure if any, compromised assets, violation of any regulations, breach of SLA, etc.

Centralized inventory: If the incident affects a particular category of third parties, Organizations must have a robust and up-to-date inventory of all third parties allowing them to proactively plan a strategy and engage with their third parties to minimize the impact. The lack of a centralized inventory can create mayhem and be embarrassing for the organization, affecting its reputation and stock price if they are publicly traded. Inventory of the third party details, risk assessment, risks identified and mitigated, security ratings, contracts, and continuous monitoring performance.

Communication channel: Needs to be pre-determined and tested jointly with third parties to ensure timely response and resolution in the event of an incident or security breach. Communicate with the stakeholders and keep an active communication channel open.

Initial Triage: TPRM teams should create a set of questions that when answered give a holistic idea about the incident or breach. This is crucial since the top management wants specific information about the nature of the incident and its associated impact. Triaging also helps to know the type and severity of the incident, which will enable the TPRM team to coordinate with CSIRT, Business, Procurement, Legal, and Security teams

Investigation and evidence: Ensure affected assets are segregated from the network or temporarily decommissioned and analyze the impact of the incident or breach. Engage CSIRT team to coordinate with the third-party incident and forensics team to keep track of incremental updates. Request for documentation of the incident and subsequently the investigation or forensic reports.

Contractual Terms: If the incident is unique to a Third-Party, contractual obligations will ensure

  • Third-party will share Incident details and will continue to share information until the incident is contained and remediated
  • Meet SLAs on notification, response, and remediation
  • Conduct thorough investigation and share reports
  • Consult with your organization before making news public, when they are your strategic partners

If not unique and affects a category of third parties, TPRM shall frontend efforts to coordinate with the Business, Legal, Procurement, and other stakeholders for a strategic approach to reduce the overall risk. A solid inventory of third parties will help gain optics and target the right set of third parties to engage with backed by statistical data.

Lessons Learnt: To be incorporated into the TPRM strategy and the learnings can be included in the initial checklist, due diligence, and contractual process.

Related Bytes