Incorporating Information Security Risk Assessments into the Third-Party Risk Management (TPRM) Process

For more information about Third-Party Risk Management (TPRM), please refer to the Beginner’s Guide to Vendor, Supplier, and Third-Party Risk Management.
When choosing to outsource various functions or processes to third-parties, organizations should incorporate information security risk into the third-party risk assessment process. Information security is the practice of preventing internal and external parties from unauthorized access and use of company proprietary information and sensitive data. The purpose of information security is to protect the Confidentiality, Integrity and Availability of data and information, otherwise known as the CIA Triad. 
When organizations outsource functions or processes to third-parties, there exists an opportunity for third-parties to compromise company proprietary information and sensitive data. By incorporating information security risk assessments into the TPRM process, organizations can assess whether third-parties possess adequate practices and controls to prevent the unauthorized disclosure, disruption, modification, inspection, recording and destruction of company proprietary information and sensitive data. Organizations should evaluate the following control areas below when completing information security risk assessments. 
  • Information Security Policies and Procedures: Determine whether third-parties have documented information security policies and procedures. Risk assessors should ensure that information security policies and procedures align with industry and regulatory standards such as the ISO 27000 family of standards, NIST, PCI DSS, OCC, etc. It is important that risk assessors also evaluate whether the information security policies and procedures of third-parties are approved and managed by the appropriate parties such as an information security manager and a company Chief Information Security Officer (CISO). Third-party documentation should prove that third-parties review and update their information security policies and procedures on an annual basis.
  • Privacy Policies and Procedures: Determine whether third-parties have documented privacy policies and procedures. Risk assessors should ensure that privacy policies and procedures align with industry and regulatory standards such as the ISO 27000 family of standards, NIST, PCI DSS, GLBA, HIPAA, etc. It is essential that risk assessors also determine whether the privacy policies and procedures of their third-parties are approved and managed by the appropriate parties such as a privacy manager and a company Chief Privacy Officer (CPO). Third-party documentation should prove that third-parties review and update their privacy policies and procedures on an annual basis.
  • Risk Management Policies and Procedures: Determine whether third-parties have documented policies, procedures and controls to protect themselves and their clients from financial and reputational losses. For example, risk assessors should verify if their third-parties maintain enterprise and/or operational risk frameworks that include approved risk assessment processes and procedures. Adequate risk assessment processes and procedures ensure that inherent and residual risks are properly identified, analyzed, assessed, mitigated, and monitored as recommended by industry standards such as ISO 31000 or the COSO Framework. Risk assessors should also verify if third-parties outsource to other organizations. If third-parties outsource, risk assessors should assess whether third-parties maintain adequate third-party risk management programs to properly identify, analyze, assess, mitigate, and monitor third-party risks. Third-party documentation should also prove that third-parties incorporate proper contractual language that references right-to-audit clauses, information security, privacy, business continuity, disaster recovery and compliance standards. In addition to proper contractual language, there should exist sufficient evidence that third-parties review and update risk management policies and procedures on an annual basis.
  • Business Continuity/Disaster Recovery: Determine whether third-parties have documented policies, procedures and controls to ensure that they can honor their contractual obligations in the event of business disruptions due to operational failures or natural or man-made disasters. For example, risk assessors should verify that third-parties have business continuity and disaster recovery (BC/DR) plans that are reviewed and updated on an annual basis. In addition to verifying the annual reviews and updates of BC/DR plans, there should exist documented evidence that proves whether third-parties conduct BC/DR testing on an annual basis. To verify BC/DR practices and controls, risk assessors should leverage SSAE 18 documentation to determine if third-parties utilize BC/DR sites within and outside the country. It is essential to also determine if third-parties perform back-ups of systems on a consistent basis.
  • Human Resources Security: Determine whether third-parties have documented policies, procedures, and controls to verify the backgrounds of third-party employees and contingent workers who access company proprietary information and sensitive data via third-party systems and networks. For example, risk assessors should ensure that third-parties conduct background checks on all employees and contingent workers prior to starting employment. They should also verify that employees and contingent workers undergo information security, privacy awareness and code of conduct training within the first thirty days of employment and on an annual basis thereafter. In addition to verifying training, there should exist documented evidence that employees and contingent workers sign non-disclosure agreements (NDAs) and confidentiality agreements prior to starting employment. For employees and contingent workers that violate information security, privacy, and code of conduct standards, risk assessors should ensure that third-parties enforce disciplinary actions due to non-compliance. It is essential to also verify whether third-parties review and update their Human Resources policies and procedures on an annual basis.
  • Asset Management: Determine whether third-parties have documented policies, procedures and controls that indicate how third-parties identify and manage company assets that hold company proprietary information and sensitive data. For example, risk assessors should assess whether third-parties utilize information classification schemes and inventory systems to label and track hardware and software assets throughout the asset life cycle. It is also important to verify that third-parties review and update asset management policies and procedures on an annual basis.
  • Access Controls: Determine whether third-parties have documented policies, procedures and controls that dictate how data and information assets are accessed and utilized by employees and contingent workers. For example, risk assessors should verify that third-parties utilize data and information classification schemes to identify and label various types of data and information. They should also verify that data and information classification schemes dictate access rights for employees and contingent workers. In addition to verifying data and information classification schemes, third-party policies and procedures should prove that third-parties utilize multi-factor authentication versus single-factor authentication when employees and contingent workers need to confirm their identities to access third-party systems and networks. Risk assessors should ensure that third-parties require employees and contingent workers to utilize unique user IDs, create passwords according to established password schemes, and change passwords every ninety days. Third-party policies and procedures should discourage the sharing of passwords and user IDs. In addition to user ID and password management, third-parties should also demonstrate in their documented policies and procedures that they monitor user access logs every ninety days and that all user IDs for terminated employees and contingent workers are deleted after ninety days. Access control policies and procedures should apply to all devices such as desktops, laptops, PDAs and mobile devices. As a result, risk assessors should review acceptable use and remote use policies and procedures to determine if access control rules apply. There should also exist sufficient evidence that access control policies and procedures are reviewed and updated on an annual basis.
  • Cryptography: Determine whether third-parties utilize proper cryptographic controls to protect company proprietary information and sensitive data from unauthorized access and use. For example, risk assessors should verify that cryptographic practices and controls utilized by third-parties adhere to FIPS 140-2 standards. They should also ensure that third-parties encrypt data in transit and at rest.
  • Physical and Environmental Security: Determine whether third parties have documented policies, procedures and controls to prevent unauthorized access to facilities and data centers. To ensure adequate physical and environmental security standards, risk assessors should verify that third-parties require employees and contingent workers to utilize biometric scans or scan cards to enter operational facilities and data centers. Risk assessors should also determine if third-parties utilize visitor logs and request government ID to verify the identities of visitors. In regards to proper security measures, risk assessors should also ensure that third-parties employ CCTV cameras and security guards to protect operational facilities and data centers. The documentation should also prove that third-parties review and update physical and environmental security policies and procedures on an annual basis.
  • Network and Operational Security: Determine whether third parties have documented policies, procedures and controls to prevent unauthorized access to third-party networks and systems. For example, risk assessors should determine if third-parties utilize firewalls to filter incoming data and information from the internet into the company network. They should also ensure that third-parties perform penetration testing semi-annually or annually to determine the possibility of malicious activity. In addition to penetration tests, third-party documentation should confirm that third-parties conduct vulnerability assessments semi-annually or annually to identify weaknesses within the network. Risk assessors should determine if third-parties utilize data loss prevention (DLP) systems to prevent data breaches and data leakages. DLP systems should include intrusion detection systems (IDS) and intrusion prevention systems (IPS) to identify, detect and prevent any malicious activity and information security policy violations. Third-party DLP systems should also include the use of firewalls and antivirus software. Risk assessors should also verify that third-parties maintain incident and notification management programs where information security, business continuity and disaster recovery incidents are reported to the appropriate internal and external parties within 24-72 hours. Incident and notification management programs should include or reference communication plans in the event of an information security event, business disruption, or disaster. In addition to incident and notification management, risk assessors should ensure that network and operational security policies and procedures include change management processes and procedures that dictate how third-parties ensure that changes in IT infrastructures, systems and networks do not expose third-parties or their clients to information security risks. Third-parties should demonstrate that network and operational security policies and procedures are reviewed and updated on an annual basis.
  • System and Software Acquisition, Development and Maintenance: Determine whether third-parties have documented policies, procedures and controls to acquire, develop and maintain systems and software. For third-parties that provide software applications, risk assessors should determine if applications are internally hosted solutions, cloud-based solutions (e.g. SaaS, IaaS, or PaaS), or traditional web-based applications (e.g. eBay, WebEx, online banking applications). Third-party documentation should also demonstrate whether third-parties utilize a systems or software development life cycle (SDLC) or Agile methodology to build and maintain technological products. In addition to verifying the use of SDLC or other methodologies, risk assessors should also confirm if third-party systems and software applications incorporate information security and privacy standards during the development and maintenance phases. Risk assessors should also ensure that third-party systems and software solutions undergo quality assurance (QA) testing or User Acceptance Testing (UAT) and code reviews prior to deployment. They should also determine if third-party patch management processes and procedures are designed to improve systems and software solutions and to fix security vulnerabilities. In addition to patch management policies and procedures, third parties should prove in their documentation that systems and software acquisition, development and maintenance policies and procedures are reviewed and updated on an annual basis.
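One way an assessor can turn the Access Controls expectations above into an evidence check is to run a third-party's exported user register against them. This is an added example, not code from the original article; the column names, the register rows and the review date are constructed.

```python
"""Check a third-party user register against the Access Controls criteria.

Added example. Assumes the third party exports its user register as CSV
with the hypothetical columns below and reports the date of its last
access-log review. Flags: duplicate (shared) user IDs, active IDs without
MFA, passwords older than 90 days, terminated IDs still present after
90 days, and access logs not reviewed within 90 days.
"""
import csv
import io
from collections import Counter
from datetime import date

MAX_AGE_DAYS = 90  # the threshold the assessment criteria use throughout

# Constructed sample export; not real vendor data.
SAMPLE_REGISTER = """\
user_id,status,mfa_enabled,password_set,terminated_on
jdoe,active,yes,2024-01-15,
asmith,active,no,2023-09-01,
bwong,terminated,yes,2023-12-01,2023-11-30
jdoe,active,yes,2024-02-01,
"""


def days_since(iso_day: str, as_of: date) -> int:
    return (as_of - date.fromisoformat(iso_day)).days


def review_access_register(csv_text: str, as_of_iso: str, last_log_review_iso: str) -> list[str]:
    """Return one finding string per deviation from the access control criteria."""
    as_of = date.fromisoformat(as_of_iso)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    # Unique user IDs: a duplicated ID suggests sharing and defeats accountability.
    for uid, n in Counter(r["user_id"] for r in rows).items():
        if n > 1:
            findings.append(f"duplicate user ID {uid!r} appears {n} times")
    for r in rows:
        uid = r["user_id"]
        if r["status"] == "terminated":
            # Terminated IDs should be deleted within 90 days, not just disabled.
            if days_since(r["terminated_on"], as_of) > MAX_AGE_DAYS:
                findings.append(f"terminated ID {uid!r} still present after {MAX_AGE_DAYS} days")
            continue
        if r["mfa_enabled"].strip().lower() != "yes":
            findings.append(f"active ID {uid!r} is single-factor")
        if days_since(r["password_set"], as_of) > MAX_AGE_DAYS:
            findings.append(f"active ID {uid!r} password older than {MAX_AGE_DAYS} days")
    # Access logs should be reviewed at least every 90 days.
    if days_since(last_log_review_iso, as_of) > MAX_AGE_DAYS:
        findings.append(f"access logs not reviewed within {MAX_AGE_DAYS} days")
    return findings


if __name__ == "__main__":
    for finding in review_access_register(SAMPLE_REGISTER, "2024-03-31", "2024-01-05"):
        print(finding)
```

Each finding maps to one sentence of the Access Controls criteria, so the output can be pasted straight into the assessment workpaper as a list of exceptions to raise with the third party.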

Leveraging Other Risk Assessments  

When evaluating the information security practices and controls of third-parties, it is essential to consider the other risk assessments conducted during the TPRM process. By leveraging the other risk assessments during an information security risk review, risk assessors gain a holistic perspective of the information security practices and controls of third-parties. Some of the risk assessments to consider are listed below.
  • Risk and Control Self-Assessments (RCSAs): Risk assessors should review any risk control self-assessments (RCSAs) completed on outsourced functions or processes. RCSAs should include assessments of any controls in place to protect the organization from operational risks associated with outsourced functions or processes.
  • Financial Risk Assessments: When assessing the information security practices and controls of third-parties, it is essential to consider the financial health of third-parties. In general, third-parties with strong financials possess the resources to implement and maintain effective information security controls. To conduct financial risk assessments, organizations should request and analyze audited financial statements, public regulatory filings such as 8-K, 10-K, 10-Q and any other documentation that speaks to financial health. For a list of tools that provide financial risk assessments, please refer to the last slide in Beginner's Guide to Vendor, Supplier and Third-Party Risk Management.
  • Reputational Risk Assessments: Risk assessors should also consider the reputations and brands of third-parties when conducting information security and privacy risk assessments. Third-parties with strong reputations and brands have a vested interest in implementing and maintaining effective information security standards. Without adequate information security standards, third-parties expose themselves to the possibility of data breaches which damage and undermine their reputations with regulators and consumers. Risk assessors should review reputational risk assessments for the following information: lawsuits, regulatory issues, bankruptcies, data/privacy breaches and any other relevant information from respectable news sources. Reputational risk assessments should include news sources from 90 days to 36 months. For a list of tools that provide reputational risk assessments, please refer to the last slide in Beginner's Guide to Vendor, Supplier and Third-Party Risk Management.
  • Compliance Risk Assessments: When evaluating the information security practices and controls of third-parties, risk assessors should review compliance risk assessments that demonstrate whether third-parties comply with information security and privacy regulations. If a third-party cannot comply with regulatory and industry standards from an operational perspective, it may indirectly indicate that their information security standards do not meet industry and regulatory requirements. Therefore, risk assessors should verify that third-parties meet their compliance obligations as it indicates indirectly whether they possess the resources to implement sufficient information security controls that protect their clients from data breaches and leakages.

Conclusion

Overall, information security represents an important part of the TPRM process. Publicized incidents such as the Equifax data breach in September 2017 demonstrate how inadequate information security standards and practices can undermine the reputation of an organization from a financial and regulatory perspective. If third-parties experience information security incidents, regulators hold the organizations that utilize the third-parties legally and financially liable as third-parties represent extensions of the organizations that utilize them. 
 
Therefore, organizations should invest in creating TPRM programs that incorporate information security risk assessments to ensure that third-parties do not expose them to financial and reputational losses. By incorporating information security risk into the TPRM process, organizations can proactively work to mitigate and to monitor third-party information security risks that could potentially undermine their strategic objectives. 

Catherine Tibaaga
About:
I am a Risk Management professional who has over seven years of experience working for global firms such as Jones Lang LaSalle, E*TRADE Financial, JPMorgan Chase & Co. and Freddie Mac. I have worked in a variety of roles in third-party risk management, procurement and accounting. To provide value to organizations, I conduct and lead risk assessment activities for corporations that seek to outsource their activities to third-party suppliers. 
I also help companies build their vendor, operational, and enterprise risk management programs. Using my expertise in building risk management programs, I work with organizations to ensure that their vendor risk management programs align and comply with regulations (i.e. OCC 2013-29, GLBA and Privacy laws) and industry standards (i.e. ISO 27000 family of standards, PCI and NIST standards). 

My core expertise includes:
  • Risk Management: Third-Party Risk, Operational Risk, Enterprise Risk
  • Risk Tools: Hiperos, MetricStream, Archer, Agiliance
  • Regulations: OCC, GLBA and Privacy Laws, FRB, FDIC
  • Industry Standards: ISO 31000, ISO 27001, ISO 27002, PCI Compliance, NIST Standards (800-14, 800-37, 800-52), COSO Framework