I have developed a risk-based management approach to third-party data security, risk and compliance methodology and published it to provide process guidelines and a framework for enterprises’ boards of directors and senior management teams to consider when providing oversight, examination and risk management of third-party business relationships in the areas of information technology, systems and cyber security.
Through my business relationships and the research I went through, I found that a number of professional surveys indicate that information technology and security managers, directors and executives report that significant data breaches are linked directly or indirectly to third-party access. Unfortunately, these security breaches are trending upwards.
I have also found that there is an absence of a structured and quantifiable methodology to measure the third-party risk to an enterprise and what expectations are required from the third party to substantiate the evidence that sound risk management is in place.
Types of Risk a Third Party May Have on an Enterprise
When a third party stores, accesses, transmits or performs business activities for and with an enterprise, it represents a probable risk for the enterprise. The degree of risk and the material effect are highly correlated with the sensitivity and transaction volume of the data.
Outsourcing certain activities to a third party poses potential risk to the enterprise. Some of those risk factors could have adverse impacts in the form of, but not limited to, strategic, reputational, financial, legal or information security issues. Other adverse impacts include service disruption and regulatory noncompliance.
I have to emphasize that the third parties include, but are not limited to, technology service providers; payroll services; accounting firms; invoicing and collection agencies; benefits management companies; and consulting, design and manufacturing companies. Most third-party commercial relationships require sending and receiving information, accessing the enterprise networks and systems, and using the enterprise’s computing resources. The risk is posed at different levels, and the impacts range from low to very significant.
In my experience, it is critical to share with enterprise management teams that outsourcing an activity to an outside entity by no means removes the responsibility, obligation or liability from the enterprise, because these outsourced activities are considered integral and inherent to operations. As a result, the enterprise is obliged to identify and mitigate the risk imposed on it by third-party commercial relationships.
I encourage subject matter experts and professionals with management responsibility to read my Journal article describing this methodology and its quantifiable representation, which is a risk-based management approach to third-party data security, risk and compliance, as shown below.
Read Robert Putrus’ recent Journal article:
“A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance,” ISACA Journal, vol. 6, 2017