The Race to Managing a Third-Party Risk Management Program

By DeBora King posted 07-11-2024 14:24

Please enjoy this blog post authored by DeBora King, Security Risk & Compliance, Robinson Bradshaw.

Why is it a race? Because Cloud Computing, Artificial Intelligence (AI), and the Internet of Things (IoT) are accelerating at warp speed. During this race, we have the formidable task of investigating the unknown and assessing security risk levels commensurate with our firm’s risk appetite. Here’s the hard part – we must perform these tasks while juggling the need for innovation and maintaining a competitive edge.

Roadmap
We’re going to need a roadmap in our race to build a better Third-Party Risk Management Program, so let’s start with frameworks. You’re in luck if your firm is ISO 27001 certified, or if you are using a self-governing framework such as the NIST Cybersecurity Framework or NIST SP 800-53. These frameworks provide a roadmap to a successful Third-Party Risk Management Program, so you won’t have to re-invent the wheel.

Clear Directions
Every good Third-Party Risk Management Program roadmap needs clear directions – let’s call these requirements. Listed here are the directions on my roadmap: 1) my firm’s mission, purpose, and core values, 2) applicable regulatory requirements, 3) sector rules and standards (e.g., HIPAA), 4) client requirements, such as outside counsel guidelines, and 5) industry best practices. In addition, to stay within the guardrails of your Third-Party Risk Management Program, a good Third-Party Risk Management policy and supporting procedures are key.

All Roads Lead to Assessments
For many of us, it’s a two-way street. How many of you receive those long questionnaires from clients requesting to assess your firm? We, in turn, send similar requests to our own new and existing third-party vendors. But how do we know when to send out questionnaires? Like many answers to questions in the security arena – it depends. We must first examine the scope of work and ask the following questions: 1) Is the vendor providing Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Compute-as-a-Service (CaaS), or Data Storage-as-a-Service (DSaaS)? 2) Is data being managed by a Cloud Service Provider (CSP)? 3) Is the vendor providing a service where a resource (whether machine or human) will have access to your firm’s classified information (e.g., client information, employee data, source code, or intellectual property)? and 4) Will the vendor be collecting, processing, storing, maintaining, pushing, or pulling any of your firm’s classified information?

Roadmap Assistance
Automation is a great way to manage your Third-Party Risk Management Program; it is best described as a control for recurring tasks such as continuous monitoring. As new technology emerges, many tools and resources are available to help with enterprise-wide risk management solutions for your firm. Become active with your ILTA networks and attend ILTACON conferences to connect with peers in these efforts. We are better together!

Helpful Related Resources:
ISO 27001
ISO 27036 Information Security for Supplier Relationships Requirements
NIST Cybersecurity Framework
Artificial Intelligence Risk Management Framework
Cloud Security Alliance Cloud Controls Matrix
The NIST Definition of Cloud Computing
NIST Cybersecurity for IoT
Carnegie Mellon University - Acquisition Security Framework
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
Key Practices in Cyber Supply Chain Risk Management
Risk Management Framework for Information Systems and Organizations
Guide to Conducting Risk Assessments
Managing Information Security Risk
Gartner - IT Vendor Risk Management Solutions and Ratings
