ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > How to Approach Mitigating Third-Party Risk

How to Approach Mitigating Third-Party Risk

Jan Anisimowicz, PMP, CISM, CRISC, Director, Audit, Risk, and Compliance, CandF Sp z o.o.
| Posted at 3:03 PM by ISACA News | Category: Risk Management | Permalink | Email this Post | Comments (0)

Jan AnisimowiczVendor management comprises all processes required to manage third-party vendors that deliver services and products to organizations. Significant effort is required from both the enterprise and the vendor to maximize the benefits received from the service and/or product while simultaneously mitigating associated risks.

Keeping in mind the increasing scale, scope of services and complexity of these vendor services, the related risks and importance of effective vendor management also proportionately increase. For example, in GDPR, if the data processor does not follow some organizational compliance requirements and a data breach happens, the organization will face the risk of paying severe fines.

Third parties seem to be one of the weakest links in enterprises’ security policy. Every day, cyber-related incidents such as data breaches occur, leading to serious incidents that can have significant impact on the enterprise. As a result, organizations have devoted more and more resources to vendor risk management, but this is mainly a manual process. Despite vendor risk mitigation being crucial for each organization, most of the enterprises still know almost nothing about their vendors.

While talking to representatives of dozens of organizations that use third-party services, I noticed that they often initially underplayed the importance of this topic. It was only after we had discussed key issues related to the tasks performed and services rendered by third parties, as well as their implications, that my interlocutors began to notice the true weight of the issue at hand. Usually the most important questions are: How do we start the process? What are the initial steps?

Below are my recommended tips that could support your initial activities in the vendor risk management process:

Compile a List of All Your Vendors
Commonly, the main obstacle is limited knowledge of your providers, especially the smaller ones that provide goods or services of lesser monetary value or to a narrow business niche. However, it is my opinion that an organization should have a thorough knowledge of all its business partners, in all areas of their operation. Moreover, this information ought to be kept in a single database. At this point, I would like to point out a common challenge for large organizations. It is highly possible that some vendors could be managed by “shadow” engagements, not included in the official database. Knowledge of these is important to ensure the risks are addressed. “Shadow” vendor management initiatives could significantly limit the single version of the truth about the vendors and could create severe risks that are complicated to mitigate. To avoid (or at least to reduce) this kind of problem, organizations have to focus on a formal vendor management process with strong support from the C-suite.

Create a List of Services You Consider Relevant to Your Organization
When the consolidated list of vendors is ready, it is recommended to create list of services that they deliver. This list ought to include the entire area where your organization receives support from outside contractors. Each service should be accompanied by an indicator of its significance to your operations (a finite numerical scale or a set of quality descriptors are recommended). Rating the business importance of all services will allow you to make each vendor’s risk profile more precise. Knowing who performs the services for your organization is an important step in limiting the risk of potential data leakages.

Editor’s note: Anisimowicz will present further insights on this topic at the 2019 GRC Conference, to take place 12-14 August in Ft. Lauderdale, Florida, USA.

Comments

There are no comments yet for this post.
You must be logged in and a member to post a comment to this blog.
Email