Tackling the Challenges of Managing Third Party Risk Assessments

Performing information security risk assessments for third parties has become a recognized part of the annual compliance and risk management plan in many companies, particularly in highly regulated industries. While conducting risk assessments is a day-to-day activity, several problem areas can limit their effectiveness and the program's ability to meet its overall targets.

What are some of the challenges companies face in developing or managing a third party risk management program?

1. We have thousands of third parties in our company. How do we prioritize vendor risk assessments to address the highest risks first?

Third Party Tiering Since One Size Does Not Fit All

Managing third party risk is a critical challenge facing Information Security leaders today. High-profile data breaches are reported regularly in the media. Regulators are increasing the focus on requirements for identifying and managing risk for third parties, particularly for financial services and retail corporations. In line with added scrutiny on cybersecurity and data breach practices, boards of directors are more frequently raising questions about the state of controls for critical third parties.

Establishing a third party risk management program means tackling several problems, such as the sheer number of third parties to assess. Using a disciplined approach and best practices such as third party tiering can help to reduce the problem to a more manageable size.

What is third party tiering?

Governance around Privileged Account Management

In today's day and age, privileged accounts (read: accounts that can really create havoc) have become a nightmare to manage. While automation using tools like CyberArk, Arcos etc. is required, it may not be sufficient. So how do you really provide governance around such accounts?
Firstly, we need to understand that there are different types of privileged accounts.

GRC Part 1: Informed Decision Making

Governance, Risk and Compliance can be a challenging area for CIOs and CISOs to navigate. With the board of directors and C-suite as key stakeholders, the ability to deliver results through the complex GRC environment is now more critical than ever.
What has your GRC done for you lately?
Let's look at an example of a typical month for the CIO and CISO. Due to the publicity of recent data breaches in the industry, you are scheduled to deliver an Information Security update at the next Audit Committee meeting.
1. The annual IT security risk assessment is complete and the results have been presented. The external risk consultants worked with internal teams to identify risks and weaknesses. You have captured the high points for the Audit Committee presentation.
2. You plan to make sure the enterprise risk register is up-to-date with findings, remembering to check in with the SOX and PCI teams. What is the status of PCI 3.0 readiness?