5.3 Third-party Risk Assessment

1

Third-Party Risk

Third-party relationships involve sharing company data, some of which may be sensitive.

  • Organizations often work with third-party vendors, such as payroll providers, marketing services, or suppliers.

  • Understand how each vendor handles and protects your data.

  • Assessment expectations should be clearly written into the contract, along with penalties for any breaches.

2

Penetration Testing

A type of risk assessment that tests security controls by attacking them.

  • May be required internally or mandated in contracts with third parties.

  • Often, a third-party security firm performs these tests on a regular schedule, providing detailed reports on system security and highlighting any weaknesses that need to be addressed.

  • Testers actively exploit vulnerabilities in systems or applications, rather than just identifying them as a vulnerability scan would.

3

Rules of Engagement

A formal document created and agreed with the client before a penetration test begins.

  • Outlines what systems or areas will be tested, such as internal networks, external-facing systems, or even physical building access.

  • Also specifies the timing of the test, allowed testing hours, IP address ranges in scope, emergency contact details, and how to handle any sensitive data discovered.

  • Prevents confusion, ensures safety, and protects critical systems from unintentional disruption during the test.
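The scope and time-window items in the rules of engagement are the ones testers most often automate into a pre-flight check, so that a scanner or exploit tool refuses to touch anything the client did not authorize. The script below is an added example for this study set, not code from any real engagement or tool: the CIDR ranges, the excluded host, the 22:00 to 04:00 weekday testing window and the timestamps are all constructed values standing in for what a real ROE document would state.

```python
"""Scope guard driven by a penetration test's rules of engagement.

Added example: the ROE values and timestamps below are constructed
for illustration and do not describe any real client or engagement.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list          # CIDR strings the client authorised for testing
    excluded: list          # hosts or ranges explicitly carved out of scope
    window_start: time      # start of the allowed testing hours (client local time)
    window_end: time        # end of the allowed testing hours
    allowed_weekdays: set   # 0 = Monday ... 6 = Sunday

    def __post_init__(self):
        # Parse once so membership tests below are cheap and validated up front.
        self.in_scope = [ip_network(n, strict=False) for n in self.in_scope]
        self.excluded = [ip_network(n, strict=False) for n in self.excluded]


def ip_in_scope(roe, target):
    """True only if the address is inside an authorised range and not excluded."""
    addr = ip_address(target)
    if any(addr in net for net in roe.excluded):
        return False
    return any(addr in net for net in roe.in_scope)


def time_in_window(roe, when):
    """True if the timestamp falls inside the agreed testing hours and days."""
    if when.weekday() not in roe.allowed_weekdays:
        return False
    t = when.time()
    if roe.window_start <= roe.window_end:
        return roe.window_start <= t < roe.window_end
    # Window crosses midnight (e.g. 22:00 to 04:00): allow late evening or early morning.
    return t >= roe.window_start or t < roe.window_end


def check_target(roe, target, when):
    """Return (allowed, reason). Refuse unless both scope and time agree."""
    try:
        in_scope = ip_in_scope(roe, target)
    except ValueError:
        return False, f"{target!r} is not a valid IP address"
    if not in_scope:
        return False, f"{target} is not in the authorised IP ranges"
    if not time_in_window(roe, when):
        return False, f"{when:%Y-%m-%d %H:%M} is outside the agreed testing window"
    return True, "ok"


# Constructed ROE values (hypothetical client): two authorised ranges, one
# production host carved out, testing only Monday to Friday nights.
ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "10.20.0.0/16"],
    excluded=["10.20.5.10/32"],
    window_start=time(22, 0),
    window_end=time(4, 0),
    allowed_weekdays={0, 1, 2, 3, 4},
)

if __name__ == "__main__":
    now = datetime(2024, 3, 12, 23, 30)  # a Tuesday night, inside the window
    for tgt in ["203.0.113.25", "10.20.5.10", "198.51.100.7", "not-an-ip"]:
        print(tgt, check_target(ROE, tgt, now))
```

The guard is deliberately fail-closed: an unparseable target, an address outside every authorised range, or a timestamp outside the window all return a refusal with a reason that can be logged as evidence that the test stayed within the agreed scope. Note that the weekday check is applied to the calendar day of the timestamp, so an engagement whose window crosses midnight into a non-allowed day should list both days.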

4

Right-To-Audit Clauses

A contract provision that allows your organization to audit a third-party vendor’s security practices.

  • Especially important when the vendor manages or has access to sensitive company data, like payroll or internet traffic.

  • Makes it clear that audits will happen regularly and outlines how they will be conducted.

  • Ensures both parties are aware of the security controls in place and confirms that the vendor is properly protecting your organization’s data.

5

Evidence of Internal Audits

Documented results of audits of a vendor's internal security controls; the audits are often conducted by independent third parties rather than by the company or vendor directly.

  • Might be required for compliance, especially when sensitive data is involved, but even without such mandates, regular audits are highly recommended.

  • Security-focused audits examine areas like access control, password storage, VPN usage, and offboarding procedures to identify gaps and recommend improvements.

  • Documentation from these audits serves as proof of due diligence and can help strengthen security practices.

  • Because vendor relationships usually last a long time, these audits should recur to ensure ongoing security.

6

Supply Chain Analysis

Reviews every stage from raw materials to final product, identifying where security risks may exist throughout the process.

  • Involves examining how goods and services move from vendors to customers, how teams across organizations communicate, and how security is managed between internal teams and third-party vendors.

  • Document any process changes that occur during the vendor relationship.

  • The SolarWinds breach of 2020 is a prime example: malicious code was inserted into a legitimate software update and distributed to thousands of customers through the vendor's own update channel.

7

Independent Assessments

Bringing in a third party to evaluate your organization's security practices from an external perspective.

  • Since internal teams are often focused solely on their own procedures, an outsider can offer insights that may be overlooked internally.

  • Experienced assessors can draw on knowledge gained from working with various organizations, helping identify unseen vulnerabilities and offering recommendations that improve overall security posture.

8

Vendor Selection Process

Before partnering with a third party, organizations perform due diligence to evaluate the vendor's reliability and verify its claims.

  • Includes verifying financials and customer counts, and possibly conducting background checks or interviews.

  • It is essential to maintain a professional business relationship and watch for conflicts of interest, such as connections to competitors, family ties to executives, or offers of gifts.

  • These conflicts could compromise objectivity and may disqualify the vendor from consideration.

9

Vendor Monitoring

After a contract is signed, ongoing monitoring of the third-party relationship is essential.

  • Includes regular financial health checks, IT security reviews, and tracking public information like news or social media.

  • Different vendors may require a different monitoring approach, combining both quantitative and qualitative evaluations.

  • A designated person or team within your organization is responsible for managing and monitoring these vendor relationships.

10

Questionnaires

Used in the vendor risk analysis and regularly updated throughout the partnership.

  • Help gather information about the vendor's business practices, such as its due diligence process, conflict-of-interest prevention, disaster recovery plans, and data storage and protection methods.