Next Generation Third Party Risk Management

A strong third-party risk management (TPRM) approach balances comprehensive risk assessment processes against the time required to perform such assessments. Historically, these processes have been carried out through questionnaires emailed to third parties. GRC systems have sought to improve that process by automating the questionnaire, but for cyber security related risks that approach is insufficient, because the risk landscape changes daily. Automation and validation are essential.
Cyber risk scoring vendors released the first generation of automated third-party risk scoring almost a decade ago. That approach was fully automated with a score designed to help an enterprise understand the susceptibility of one of their third parties being breached by a cyber-attack. Those scores depended solely on passive scanning techniques and historical network traffic data. Unfortunately, many security professionals lack confidence in those scores due to the limitations of passive scanning and the inaccuracy of analyzed historical data. New technologies offer better ways.

A new way to perform TPRA

Next-generation TPRM solutions must solve the limitations of both a questionnaire-only approach and first-generation scoring. They need to support questionnaires for assessing non-technical controls, passive and active external assessments, and internal assessments, to provide a comprehensive and timely view of third-party risk. They also need to allow a variety of approaches depending on the risk profile a third party presents to your enterprise. This document outlines a recommended approach that maximizes the value of risk assessment while minimizing the time involved.

Third-Party Classification

As with any enterprise TPRM program, your third parties need to be grouped according to the risks they pose to your organization and the nature of your relationship with them. The simplest approach is assigning a risk level. Historically this has been done based on the nature of the data a third party may hold; however, business interruption must also be taken into account, given the prevalence of ransomware that can shut down your third parties’ operations.
When determining classification, there are several recommended questions to consider:
  1. What is their level of criticality to my business operations, including key systems such as payroll or core applications?
  2. How do I verify the effectiveness of their security controls and compliance levels?
  3. What data do they store/transmit/process? (PII, PHI, Cardholder Data, IP, etc.)
  4. Do they have access to my technology? (Infrastructure, network, etc.)
  5. What is the impact to my business if their operations are disrupted by ransomware or another type of cyber-attack?
  6. If they are breached, what is the potential reputational damage to my organization?
  7. Are there other companies who can fill the same role?
While large enterprises may need a more sophisticated approach, for the purpose of this document, we will use a simple classification of Critical, Moderate and Low.

Methods for Risk Assessment

A NextGen cybersecurity risk assessment solution includes the following methods of analysis:

Comprehensive Technical Assessments:

Non-intrusive active assessments that scan an organization’s internet-facing infrastructure and applications (its attack surface), identifying vulnerabilities and prioritizing them. Such an assessment also includes OSINT-based assessments, including dark web scraping for company credentials, threat intelligence, and historical breach reviews. This provides a more comprehensive and accurate view of third-party risk.

Questionnaire Auto-Validation:

Framework-based questionnaires for validating third-party security controls may strictly follow the included standards, such as SOC 2, ISO 27001, PCI DSS, CCM, GDPR, CIS Controls, NIST CSF, NIST SP 800-171 and SIG Lite, or they may be customized to match your organization’s specific needs. The platform provides a fully integrated approach to automatically validating the responses submitted by third parties. This saves a significant amount of the time otherwise spent requesting evidence and manually verifying the effectiveness of controls.

Configurable Risk Modelling:

NextGen cybersecurity ratings and risk management solutions let you configure risk assessment models that best fit your view of risk impact. You can select the specific data attributes that matter most to your organization’s risk appetite and adjust the level of impact each one has on the third party’s risk score.
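The classification questions above and the configurable risk model described here can be expressed as one small weighted-scoring routine. The following is an added illustration, not code from the original page or from any vendor's platform: it turns the seven classification questions into 0–4 attribute scores, applies enterprise-chosen weights, and maps the normalized result onto the Critical / Moderate / Low tiers used in this document. The attribute names, default weights, tier thresholds and sample vendors are all constructed assumptions.

```python
"""Configurable weighted risk model for third-party classification.

Added illustration (not the page's or any vendor's code). Each of the seven
classification questions from the document becomes an attribute scored 0-4
by the assessor; the enterprise weights the attributes to its own risk
appetite; the normalised score is mapped to Critical / Moderate / Low.
All names, weights, thresholds and sample vendors are constructed assumptions.
"""

# Attribute names are hypothetical; each maps to one classification question.
ATTRIBUTES = (
    "operational_criticality",  # Q1: criticality to business operations
    "controls_unverified",      # Q2: how hard their controls are to verify
    "data_sensitivity",         # Q3: PII / PHI / cardholder data / IP held
    "technology_access",        # Q4: access to our infrastructure or network
    "disruption_impact",        # Q5: impact if ransomware halts their operations
    "reputational_impact",      # Q6: reputational damage if they are breached
    "lack_of_alternatives",     # Q7: no other company can fill the same role
)
MAX_ATTRIBUTE_SCORE = 4  # assessor scores each attribute 0 (none) .. 4 (severe)

# Default weights (assumed); an enterprise adjusts these to its risk appetite.
DEFAULT_WEIGHTS = {
    "operational_criticality": 3.0,
    "controls_unverified": 1.0,
    "data_sensitivity": 3.0,
    "technology_access": 2.5,
    "disruption_impact": 3.0,
    "reputational_impact": 1.5,
    "lack_of_alternatives": 1.0,
}

# Tier floors on the 0-100 score (assumed thresholds), highest tier first.
DEFAULT_TIERS = (("Critical", 60.0), ("Moderate", 30.0), ("Low", 0.0))


def risk_score(answers, weights=DEFAULT_WEIGHTS):
    """Return the weighted attribute score normalised to the range 0-100."""
    missing = set(ATTRIBUTES) - set(answers)
    if missing:
        raise ValueError(f"unanswered attributes: {sorted(missing)}")
    for name in ATTRIBUTES:
        if not 0 <= answers[name] <= MAX_ATTRIBUTE_SCORE:
            raise ValueError(f"{name} must be between 0 and {MAX_ATTRIBUTE_SCORE}")
        if weights.get(name, 0) < 0:
            raise ValueError(f"weight for {name} must be non-negative")
    total_weight = sum(weights[name] for name in ATTRIBUTES)
    if total_weight == 0:
        raise ValueError("at least one attribute must carry weight")
    weighted = sum(weights[name] * answers[name] for name in ATTRIBUTES)
    return 100.0 * weighted / (total_weight * MAX_ATTRIBUTE_SCORE)


def classify(score, tiers=DEFAULT_TIERS):
    """Map a 0-100 score to the first tier whose floor it reaches."""
    for tier, floor in tiers:
        if score >= floor:
            return tier
    return tiers[-1][0]


def assess(answers, weights=DEFAULT_WEIGHTS, tiers=DEFAULT_TIERS):
    """Score and classify one third party; returns (score, tier)."""
    score = risk_score(answers, weights)
    return score, classify(score, tiers)


# Constructed sample third parties (not real vendors).
PAYROLL_PROVIDER = {
    "operational_criticality": 4, "controls_unverified": 2, "data_sensitivity": 4,
    "technology_access": 3, "disruption_impact": 4, "reputational_impact": 3,
    "lack_of_alternatives": 2,
}
OFFICE_SUPPLIES = {
    "operational_criticality": 1, "controls_unverified": 1, "data_sensitivity": 0,
    "technology_access": 0, "disruption_impact": 1, "reputational_impact": 1,
    "lack_of_alternatives": 0,
}
CONTRACT_MANUFACTURER = {
    "operational_criticality": 4, "controls_unverified": 2, "data_sensitivity": 0,
    "technology_access": 0, "disruption_impact": 4, "reputational_impact": 1,
    "lack_of_alternatives": 3,
}

# An enterprise whose main concern is ransomware-driven business interruption
# raises the weight of disruption_impact; everything else stays at the default.
RANSOMWARE_FOCUSED_WEIGHTS = dict(DEFAULT_WEIGHTS, disruption_impact=8.0)

if __name__ == "__main__":
    for label, vendor in (("payroll provider", PAYROLL_PROVIDER),
                          ("office supplies", OFFICE_SUPPLIES),
                          ("contract manufacturer", CONTRACT_MANUFACTURER)):
        score, tier = assess(vendor)
        print(f"{label:22s} default weights: {score:5.1f} -> {tier}")
    score, tier = assess(CONTRACT_MANUFACTURER, RANSOMWARE_FOCUSED_WEIGHTS)
    print(f"{'contract manufacturer':22s} ransomware weights: {score:5.1f} -> {tier}")
```

The point of the reweighting at the end is the one the text makes about business interruption: a manufacturer that holds no sensitive data scores Moderate under data-centric weights, but once disruption impact is weighted to reflect ransomware exposure the same answers push it into the Critical tier, which is the kind of adjustment a configurable model must allow.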

Conclusion:

For decades, the software industry has sought to improve manual processes, thereby reducing errors and the time it takes to complete security assessments. Those efforts succeeded to some extent but did little to improve risk management results, as assessments are still conducted annually at best.
First-generation cyber scoring sought to automate this still-manual process. It succeeded at automation, but security professionals have learned that scores dependent on passively collected historical data produce an inaccurate view of a third party’s cyber risk posture. Vendors are left with no way to correct obvious problems they find, and the resulting scores provide far less value in the risk management process than originally hoped.
The next-generation third-party risk management platform solves these problems by automating the questionnaire process while providing an active, automated assessment of a third party’s externally facing infrastructure. That, along with the ability for third parties to inform the automated process with validated adjustments, produces a cyber risk score that is a true indicator of risk while also reducing the resources required to run a world-class third-party risk management program.
