
Page 1: Understanding Third-Party Technology Risk Management · 2018. 11. 12. · Technology Risk Management Presented by: Carly Devlin and Stephen Chasser Moderated by: Sara O’anion. TODAY’S

Understanding Third-Party Technology Risk Management

Presented by: Carly Devlin and Stephen Chasser

Moderated by: Sara O’Banion

TODAY’S PRESENTERS

Stephen Chasser, Experienced Consultant, Columbus Office

Carly Devlin, Managing Director, Columbus Office


Agenda

• Overview

• Management

• Challenges

• Solutions

• Questions

Overview of Third-Party Technology Risk Management


Overview – What is it?

The process of analyzing, verifying, monitoring, and controlling risks presented to your organization, your data, and your operations by third-parties.

Focus on technology and/or information security controls.

Third-Party Risk Management (TPRM)

Third-Party Technology (or Information Security) Risk Management


Overview – Drivers

Data Protection

Regulatory Compliance

Business Value

Overview – Statistics

Data breaches caused by third-parties are on the rise

• 56% of respondents – data breach caused by a vendor in 2017

• 42% of respondents – attack on a third-party resulted in misuse of their information

The effectiveness of third-party governance programs remains low

• Less than 50% of respondents – managing third-parties is a priority

• 17% of respondents – mitigation of third-party risk is highly effective

• 60% of respondents – feel unprepared to verify third-parties

Companies lack visibility into third-party and Nth-party relationships

• Average number of third-parties with access to confidential information – 471

• More than 50% of respondents – do not keep an inventory of all third-parties with whom they share information

• 13% of respondents – could not determine if they’ve had a third-party data breach

Today’s programs are insufficient to manage third-party risks

• 57% of respondents – not able to determine if vendors’ safeguards and security policies are sufficient to prevent a breach

• Less than 50% of respondents – evaluate security and privacy practices of all vendors before starting a relationship that requires sharing of confidential information

Managing Third-Party Technology Risk

1. Segment

2. Scope

3. Collect

4. Assess

5. Remediate

6. Report

7. Monitor

Source: OCEG.org

1. Segment

Identify Third-Party Relationships – Question business units about the type and criticality of third-party services

Sort Into Tiers – Sort each third-party into risk-based tiers for due diligence and refresh frequently

2. Scope

Assign Controls – Assign relevant controls based on the data and systems touched by each third-party

Assess Inherent Risk – Assess the inherent risk of each relationship and the criticality of the service

3. Collect

Distribute Questionnaire – Obtain questionnaire responses and document artifacts as evidence for assessing the third-party’s control effectiveness

Obtain Public Data – Obtain publicly available data (e.g. IT threat feeds) that supports the assessment of the third-party’s controls

The SIG Questionnaire

What is it? The Standardized Information Gathering (SIG) questionnaire gathers information to determine how security risks are managed across 18 risk control areas within a service provider’s environment.

Why is it useful? It enables a service provider to compile complete information about these risk domains in one document.

What is included? Questions regarding cybersecurity, IT, privacy, data security, and business resiliency in an IT environment.

How much does it cost? $7,000 for the SIG Bundle

4. Assess

Review Information – Review collected information to confirm required controls are in place

Evaluate Controls – Evaluate control design and operational effectiveness

Types of Assessments

Questionnaire Analysis

• Analyze questionnaire responses and examine provided evidence of controls in place

• No testing of effectiveness occurs

Remote Control Validation

• Analyze questionnaire responses and examine provided evidence of controls in place

• For higher-risk areas, request additional evidence that may include system screenshots, configurations, and/or reports to validate the effectiveness of controls

On-site Control Validation

• Analyze questionnaire responses and examine provided evidence of controls in place

• For higher-risk areas, perform on-site walkthroughs and observation of controls to validate effectiveness

5. Remediate

Identify Findings – Tag ineffective controls and identify issues, including those that underlie multiple control failures

Provide Recommendations – Prescribe necessary changes and track completion

6. Report

Report on Residual Risk – Report on residual risk and remediation to support risk acceptance

Prepare Final Reports – Prepare views for the board, management, and stakeholders responsible for risk acceptance

7. Monitor

Ongoing Monitoring – Perform ongoing monitoring of controls, conditions, and SLAs

Alerting – Alert when remediation, re-segmentation, or a refreshed assessment is needed
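The seven steps above, carried through as an added worked example that is not part of the presentation or of OCEG’s material: a small Python model that scores each third-party’s inherent risk from the data and systems it touches (Scope), sorts it into a tier (Segment), picks one of the three assessment types from the deck for that tier, and raises the three kinds of alert the Monitor step names (re-segmentation, refreshed assessment, outstanding remediation). The scoring weights, tier thresholds, control areas, refresh intervals, and the vendor inventory are all assumptions constructed for illustration; only the assessment types and alert conditions come from the slides.

```python
"""Risk-tiered third-party assessment scheduler (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed scoring inputs. A real programme takes these from its own
# data-classification scheme and business-impact analysis.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2}

# Assumed tier policy: (assessment type from the deck, refresh interval in
# months, control areas in scope). Control names are illustrative only.
TIER_POLICY = {
    "Tier 1": ("On-site Control Validation", 12,
               ["security policy", "access management", "encryption",
                "incident notification", "business resiliency", "penetration testing"]),
    "Tier 2": ("Remote Control Validation", 24,
               ["security policy", "access management", "encryption", "incident notification"]),
    "Tier 3": ("Questionnaire Analysis", 36,
               ["security policy", "incident notification"]),
}


@dataclass
class ThirdParty:
    name: str
    data_classes: frozenset[str]   # classes of data the vendor stores or processes
    criticality: str               # criticality of the service to the business
    network_access: bool           # vendor holds a connection into our systems
    recorded_tier: str | None      # tier assigned at the last segmentation, if any
    last_assessed: date | None     # None means never assessed
    open_findings: int = 0         # remediation items still open


def inherent_risk_score(tp: ThirdParty) -> int:
    """Scope: inherent risk from the most sensitive data touched, criticality, access."""
    sensitivity = max((DATA_SENSITIVITY[c] for c in tp.data_classes), default=0)
    return sensitivity + CRITICALITY[tp.criticality] + (1 if tp.network_access else 0)


def assign_tier(score: int) -> str:
    """Segment: map the 0..6 score onto three due-diligence tiers (assumed cut-offs)."""
    if score >= 5:
        return "Tier 1"
    if score >= 3:
        return "Tier 2"
    return "Tier 3"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day so short months never overflow."""
    month_index = d.month - 1 + months
    return date(d.year + month_index // 12, month_index % 12 + 1, min(d.day, 28))


def evaluate(inventory: list[ThirdParty], today: date) -> dict[str, list[str]]:
    """Monitor: per vendor, alerts for re-segmentation, refresh due, open remediation."""
    report: dict[str, list[str]] = {}
    for tp in inventory:
        tier = assign_tier(inherent_risk_score(tp))
        assessment, refresh_months, _controls = TIER_POLICY[tier]
        alerts: list[str] = []
        if tp.recorded_tier is not None and tp.recorded_tier != tier:
            alerts.append(f"re-segment: {tp.recorded_tier} -> {tier}")
        if tp.last_assessed is None:
            alerts.append(f"never assessed: schedule {assessment}")
        elif add_months(tp.last_assessed, refresh_months) <= today:
            alerts.append(f"refresh due: {assessment} last done {tp.last_assessed}")
        if tp.open_findings:
            alerts.append(f"remediation outstanding: {tp.open_findings} finding(s)")
        report[tp.name] = alerts
    return report


# Constructed sample inventory; the names and attributes are fictional.
SAMPLE_INVENTORY = [
    ThirdParty("Payroll SaaS Co", frozenset({"regulated", "confidential"}), "high",
               False, "Tier 1", date(2017, 9, 1), open_findings=2),
    ThirdParty("Managed Network Provider", frozenset({"internal"}), "high",
               True, "Tier 3", date(2018, 6, 1)),
    ThirdParty("Marketing Swag Vendor", frozenset({"public"}), "low", False, None, None),
    ThirdParty("Analytics Startup", frozenset({"confidential"}), "medium",
               False, "Tier 2", date(2018, 1, 15)),
]
AS_OF = date(2018, 11, 12)  # evaluation date used for the sample run

if __name__ == "__main__":
    for vendor, alerts in evaluate(SAMPLE_INVENTORY, AS_OF).items():
        print(vendor, "->", alerts or ["no action"])
```

The re-segmentation check is what turns step 1 from a one-off sort into the "refresh frequently" the slide asks for: the managed network provider was filed as Tier 3 when it only held internal data, and acquiring a network connection moves it up a tier without anyone having to notice manually.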

Challenges and Solutions

Third-Party Inventory

Challenge: Relationships with third-parties are initiated all throughout the organization, and not all third-parties are centrally managed.

Solution: Inventory the third-parties that have access to confidential information, and ensure processes exist to alert the TPRM function whenever a new third-party relationship is initiated.

TPRM Resources

Challenge: Lack of adequate resources to manage third-party technology risk.

Solution: Augment internal resources to work through the assessment backlog and to perform on-site assessments.

Automation of TPRM Process

Challenge: As the number of third-parties reaches the hundreds, it’s not feasible for every vendor to be assessed in the same fashion.

Solution: Implement an automated risk assessment tool for assessing vendors.

Continuous Monitoring

Challenge: An annual snapshot of your vendor’s security is not enough to provide peace of mind that you’re identifying all key risks.

Solution: Implement a continuous monitoring process to ensure you’re identifying changes to the vendor’s security environment in real time.

Key Takeaways

• Use technology

• Involve multiple stakeholders across the organization

• Define standard contract clauses

• Design audience-specific dashboards and reports

THANK YOU!

Stephen Chasser, Experienced Consultant, Columbus Office

Carly Devlin, Managing Director, Columbus Office