It’s no longer enough just to secure your own company’s infrastructure; you now must also evaluate the risk of third-party vendors and plan and monitor for breaches there too. Data breaches are reported in the news all the time, and more than 60% of them are linked to a third-party. When you are a business owner that is a scary statistic.
Third-Party Vendor Security Risks
A big part of your TPRM planning should be to follow the standard practice of assessing the risk and classifying each vendor. First, you make a list of each vendor and determine how integrated they are with your company, what data is exposed to them and where the potential risks lie. Next, you will classify each vendor into a category based on the type of risk, whether or not multiple risk areas exist with that vendor, and what actions must be taken to remediate the risk. The following is a potential list of classifications to organize your third-party vendors into:
- Strategic risk
- Credit risk
- Geographical risk
- Industrial risk
- Reputational risk
- Operational risk
- Transactional risk
- Compliance risk
Another way to look at it is to classify vendors based on the data they manage for you or your relationship with them. It is essential to know how the data is being stored, handled and secured now and later after you are no longer their customer. To further classify your relationship to the vendor for planning your TPRM program consider the following types of relationships:
Infrastructure only – this is a limited relationship with the vendor providing only hardware, servers, drives, and storage.
Managed applications – this type of relationship extends into maintenance and management of the data and is focused on the software side of things.
All data – with an all data relationship your third-party vendor is heavily involved with both the hardware and software aspects and may include disaster recovery and backups as well.
TPRM Process Managing – What are the Best Security Practices
Any good management program begins with planning. Once you have performed your risk audit and assessed your vendors determining their classification, it is now time to secure things.
One of the best ways to know you are protected is to automate your TPRM process. Not only will this help insulate you from extensive risk but it will also provide a standard for all new vendors that you partner with in the future. It will also help you save money as you employ new technologies, so you don’t have to do things manually. Be sure to use continuous monitoring and not point-in-time for a more accurate security assessment.
You should also use independent evaluation services for third-party risk assessments. You are too close to the vendor to gain insight and an unbiased opinion of the risk factor. By hiring an independent contractor to assess the risk, you get a more accurate picture of where you stand and how viable your security is. Often outsiders can see the bigger picture because they are not involved in the day-to-day activities.
Along with monitoring and assessing you also need a plan for onboarding new vendors. Some of the things you will want to ensure are that you profile new vendors before hiring them.
Develop a monitoring system for after they begin work. Formulate a disaster recovery plan and have them walk you through their process for remediation.
What Security Tools Are Available
When it comes to securing business data, you cannot be too careful or spend too much money. In large companies with multiple departments, the job of risk assessment of third-party vendors can be daunting. Luckily, there are tools available to automate the process to make life easier securing your business data.
Resolver is one tool available for businesses and its used by HBO to secure their data. The software offers built-in tools to assess third-party vendor risk, oversee and manage contractors, onboard new ones efficiently, and easily handle terminations. The product offers continuous monitoring and integration with your current system. They also offer a free demo.
Another similar product is Quantivate that boasts of centralized vendor data monitoring and management along with comprehensive reporting. From the consolidated dashboard, you can quickly get a glimpse of where all your third-party vendor relationships stand at any time.
A third alternative to managing and automating your third-party risk program is MyComplianceOffice. Geared towards companies in the healthcare industry that are subject to strict HIPAA laws and responsible for private patient data, this option is all about compliance and risk assessment associated with customer data. MCO also carries world-class certifications like EU/US Privacy Shield, ISO 27001 and TRUSTe.
Regardless of the tool you use, it must meet your company needs and satisfy compliance issues to keep customers and corporate data safe.