Managing third party risk is a critical challenge facing Information Security leaders today. High-profile data breaches are reported regularly in the media. Regulators are increasing the focus on requirements for identifying and managing risk for third parties, particularly for financial services and retail corporations. In line with added scrutiny on cybersecurity and data breach practices, boards of directors are more frequently raising questions about the state of controls for critical third parties.
Establishing a third party risk management program means tackling several problems, such as the sheer number of third parties to assess. Using a disciplined approach and best practices such as third party tiering can help to reduce the problem to a more manageable size.
What is third party tiering?
Suppose that your company has hundreds, or thousands, of third parties. For all of the IT service providers, HR/legal/financial consulting firms, commercial services firms, (and yes cleaning companies), how would you know which ones present the most information security risk to your organization? Where would you start?
Tiering is a method of prioritizing risk management activities for your company’s third parties. By consistently applying a tiering model to the list of third parties, you will be able to more effectively target third parties with the highest potential risk profile to achieve the goal of identifying, remediating, and managing risks.
The tiering methodology used should be tuned to the industry and risk tolerance of your organization. Your tiering model should take into account the degree of operational dependency, highly-regulated / sensitive information, access to data and systems, and potential brand / financial impact.
How is third party tiering used?
Third party tiering can be applied prior to conducting a risk assessment. Setting the right tier for a third party is useful in adjusting the level of scrutiny and frequency of the risk assessment needed.
- Type of assessment – For the lowest tiers, you may be able to leverage a questionnaire that is filled out by the third party and reviewed by the risk management team. For the highest tiers, the level of scrutiny increases through the potential for onsite validation of controls, vulnerability assessment, penetration test, etc.
- Frequency of assessment – Adjusting for the risk tolerance of your company and the emphasis by regulators, the frequency of review is often set first for the highest tier (in some cases, annually) with less frequent assessment for lower criticality tiers.
Once a third party risk assessment is complete, the tier assigned to the third party should be reviewed and updated based on additional information found in the risk assessment.
By maintaining a list of tiered third parties and reviewing the list every 6 to 12 months, the opportunity to budget and plan risk assessments over time becomes even more useful.
After a representative sample of third parties have gone through the tiering step, you can check your results to make sure they are reasonable. For example, if your company that is heavily concentrated on regulatory and supply chain risks, you should consult with your Compliance and Logistics teams to ensure that the prioritized list of third parties makes sense.
What if a central database of third party information doesn’t exist in your company?
In highly regulated industries such as banking, performing risk assessments for third parties has become a recognized part of the compliance and risk management plan. Organizing third party/vendor information has become a routine day-to-day activity in many cases. However, in companies that are new to third party risk assessments, there may not be a single list of third parties or vendors to allow for a quick start.
Engaging with Procurement, Legal, and commercial areas is most often the best way to gain the internal support needed to identify your company’s full list of third parties. The lack of visibility to third parties can not only be a very large challenge, but also underscores the information security risk since the underlying risks to the organization may be hidden.
How is third party tiering used in reporting results?
As findings, recommendations, and remediation plans are compiled and tracked in the post-assessment process, use of heat maps to report results based on third party tiers can help to focus resources needed for remediation and further risk assessment activities.
Reporting to senior leadership and the board is an important step in the risk management cycle. Details should include a list of the most critical (highest tier) third parties, risks posed to the company, status of remediation, and program highlights. By mapping risks to key business processes and strategic plans, you will be create an important link from your third party risk management program to business success.
What are the benefits of applying a tiering approach and other best practices?
Tackling the challenges posed by a large number of third parties is made simpler through a tiering methodology. By implementing a best practice approach for third party risk management, the stage is set to more quickly identify topline risks to the organization, prioritize and target risk management activities, and improve governance processes. Building a third risk management program that effectively manages risks and safeguards the business can become a reality.
Authored by Paul Quanrud