Security Due Diligence

Know if the security posture of your Third/Fourth/Fifth Parties meet your standards. Get all your answers in advance with Defentrix’s highly professional due diligence services.

DEMAND MAXIMUM SECURITY FROM THE THIRD/FOURTH PARTIES

The purpose of conducting Security Due Diligence on Third Parties is to understand if they maintain an optimal security program and can demonstrate their strength of keeping risk at the minimum. The security posture of your Third Party is gauged by thoroughly vetting the security at the domain and control level. The following as part of Due Care gives a lot of assurance on the existing controls and the security best practices followed

Compliance with industry-recognized security frameworks

Internal policies

Effectiveness of implemented controls

Applicable regulations

Leadership commitment to support and maintain a good security posture.

A KEY output of this activity will be to

Identify the type and severity of any risk exposure or non-compliance

Potential likelihood and associated impact when these risks become real

Severity of Residual Risk, so leaders can make a risk-informed decision

Security Rating of the third party

Validation of security and privacy controls in various infosec domains

Recommendation of additional Security and privacy controls

Recommendation of necessary security and privacy legal language in the contract

Almost all Third Parties claim to have implemented the necessary controls, but if they are not effective or are not configured in the right way, the objective of the security policy is not met which defeats the purpose of security.

Creating a comprehensive set of Due Diligence questions by factoring the requirements of

  • Industry-recognized security frameworks
  • Local and international laws and regulations
  • Security baseline standard of your organization
  • Client security requirements
  • 4th  and 5th Third Parties

gives the flexibility to customize the type of assessment that needs to be performed. It is paramount that organizations define their own security baseline standards for each of the security domains, processes, and Standard Operating Procedures (SOPs).

Based on the Inherent risk derived in the Pre-onboarding, a customized Due Diligence approach is created with varying depth to gain assurance. Some of the key considerations in determining the variations of performing Due Diligence:

A well-defined and comprehensive process to gather security artefacts from Third Parties and validate against the response to the questionnaire ensures reduced iterations to gather data and seek clarifications. Risk Management should align with the larger process followed to manage the Enterprise Risk. Definitions of risk severity, impact and SLAs must reflect the same or on similar lines as in the Enterprise risk. Issue documentation, tracking and remediation should closely be followed up with Risk documentation, tracking and remediation which is a critical activity.

Issues are tangible observations that are captured during the Due Diligence process. These observations could translate into potential risks if they go unaddressed. Such issues need to be centrally managed and tied to a Third Party as a whole instead of the services/products offered by them. Inputs should be taken by other teams performing due diligence and documented to ensure a single view of all types of risks of Third Party. This enables the security team to interpret the precise risk exposure, non-compliance to industry standards or violations of any regulations to the management to understand the impact, should the risk be realized and take risk-informed decisions.

Maintaining a common repository to capture due diligence information enables a bird’s eye view of

  • How efficiently is the information managed
  • Derive statistics and trends by geography, services, industry and risks
  • Generate reports and provide insights to management
  • Retrieve information when needed
  • Perform an audit on data accuracy and completeness
  • Integrate with other reporting tools such as Power BI, Tableau etc.

Legacy Third Parties should be evaluated for their security controls while they are actively delivering services to your organization. Lack of visibility into who and how organizations data is being used violates many internal policies and regulations. Many organizations struggle to get a holistic view of their legacy Third Party inventory and the type of services delivered.

Common Challenges Faced by the Businesses

With a vast security landscape including technology, hardware, human resources, and logistics, companies run into the challenge of struggling to cover all aspects of security to the last detail. Thus, unable to perform holistic Due Diligence which may leave an organization exposed to risk. Not having a comprehensive Due Diligence process most often results in ineffective assessment of the risk. you cannot protect which you cannot see. The risk from Legacy Third Parties who have not undergone Due Diligence is often a major reason that leaves the organization exposed to risk. You can only protect what is visible. Organizations of all sizes are subject to regulations, one fine or penalty could result in substantial loss – financial, reputational, lost business opportunities, loss of client trust, drop in share price and liabilities.

What we do in the TPRM Security Due Diligence Phase

Customized Due Diligence approach in line with your organization’s security standard and diverse requirements offered by Third Party. Based on the following considerations

  • Inherent risk derived in the Pre-onboarding
  • Industry (IT, Healthcare, Insurance, Retail, BFSI, HR, Manufacturing, Life Science etc.)
  • Type and volume of data; Technology used which may involve integration
  • Applicable regulations and laws
  • Prior history of security incidents or breaches; and regulatory fines (if any)
  • 4th and 5th parties

Build the Due Diligence questionnaire in alignment to organization’s security baseline. Starting with the most common and generally applicable domains to cover all categories of Third Parties

  • Access Control
  • Asset Management
  • Security Incident Response
  • Human Resource Security
  • Vulnerability Management
  • Cryptography
  • Audit and Compliance
  • Security Operations Management
  • Physical Security
  • Business Resilience (Continuity)
  • Endpoint Security
  • Cloud Security
  • Privacy Management

Customized security questionnaire leveraging SIG to precisely target domain areas as per industry-recognized Security Frameworks (ISO 27001, ISO 27018, ISO 27017, SOC2, NIST CSF, Cyber Essentials), Regulations (GDPR, HIPAA, FRCA, CCPA, etc.) and Standards (PCI-DSS)

Note: Best practice is to keep the overlap of controls at the minimum and is best done by creating a matrix of applicable regulations, and frameworks and identifying the overlapping controls

Implement Issue management process and apply the best practices

  • Issue Register in line with the documentation
  • Stakeholder engagement and remediation process
  • Inventory and maintenance
  • Quality control checks

Risk identification, analysis, evaluation, mitigation strategies, implementation and documentation

  • Optimal ways to address defined risk response options
  • Contractual security and legal language to protect your organization from unforeseen liability
  • Risk acceptance process
  • Inventory management and record management
  • Key points to prep for internal audit

Custom reports giving optics into control gaps, risk posture and recommendations ensure easy consumption of information by the stakeholders on the

  • Type of Due Diligence performed with justification
  • Controls validated at the security domain level
  • Gaps identified documented as Issues (Risks in cases where a Third Party is already onboarded)
  • Recommendation of best practices to the internal stakeholders and to the Third Party by the security team

Consultation on the widely used enterprise tools in the industry

  • Cost-benefit analysis
  • Alignment to TPRM framework implemented
  • Feasibility of integration with existing tools

Templates: E-mails, Reports, questionnaires, Issue and risk register, supporting documents

Customized process to perform re-assessments

Benefits of Associating with Defentrix Third Party Security Due Diligence Services

Accurate description of products, services and integration with Third Party and/or with clients

Clear understanding of security controls that are effective, ineffective and missing

Type of Risk exposure that could result in incident or breach making your organization liable

Flexible due diligence approach to save effort and time

Comprehensive reports to understand key observations, strong and weak security areas, and recommendations

Reduced Turn-Around-Time (TAT) and adherence to internal Service Level Agreements (SLAs)

Interpret Risk exposure and potential impact situations to business to carefully make decisions based on risk appetite

Gain inputs to draft applicable security clauses that need to be included in the agreement/contract

Gain insights into the industry’s standards and best practices

Worried about your Information Security and TPRM?

Contact us today for complete consulting and implementation of Information Security

Latest Resources

2024 Leadership Vision for Third Party Risk Management (TPRM)

2024 Leadership Vision for Third Party Risk Management (TPRM)

CISOs have a diverse array of rapidly evolving priorities, threats, demands, regulatory pressures, and technology changes to address. Leaders need a structured approach to today's security and risk landscape covering third-party risk. This blog sheds light on...

TPRM Awareness, upskill and cross skill

TPRM Awareness, upskill and cross skill

The security world is very diversified, with the majority of the organizations practicing defensive security while a few have adopted offensive security as well. Security professionals need to keep abreast with developments in Third Party Risk Management space and...

DPDP Act 2023 (India) and Third Party Risk Management (TPRM)

DPDP Act 2023 (India) and Third Party Risk Management (TPRM)

The impact of globalization, social networking, outsourcing, adoption of cloud and technologies, cross border data flows are some of the prominent reasons why data collection and sharing is ubiquitous in this digital age. Many countries have realized the importance of...