What is a TPRM strategy and what is the ideal workflow for getting started assessing vendors' risks?
When it comes to cybersecurity, outsourcing, or the use of third parties, inherently comes with risks. These risks include everything from operational risk to compliance risk. Although you will never be able to eliminate all vendor risk, you can manage it by identifying and mitigating the risks associated with each vendor. Third-Party Risk Management (TPRM) is an ongoing evaluation process for organizations that want to manage the risks that arise from using vendors and outsourcing services and products. A TPRM strategy helps shine a light on areas of potential business risk. One key component of TPRM is Third-Party Vendor Assessments.
A Third-Party Assessment (TPA) or Vendor Assessment (VA) is an assessment that evaluates the risk associated with an organization’s new and ongoing vendors. When outsourcing any product or service, organizations should identify the risks of working with a particular vendor or third party. The risk rating an organization assigns to its vendors could be based on:
- The type of data, like Personally Identifiable Information (PII) or Nonpublic Personal Information (NPI).
- Services that the vendor provides that assist the organization to maintain compliance with laws, regulations, and standards, such as GLBA, HIPAA, PCI-DSS, CCPA, GDPR, etc.
- Any other critical factors that the organization deems relevant to its risk profile.
A properly designed and implemented TPRM program will help identify and manage the risk of all your organization’s vendors. To help you get started, we’ve outlined the workflow for getting started with your Third-Party Risk Management Program.
Design a TPRM framework
Given its general acceptance within both the federal and commercial sectors, at MindPoint Group we use the National Institute of Standards and Technology (NIST) Special Publication 800-53 as the risk management framework for our security assessments. During an assessment with your organization, MindPoint Group will work to develop and implement additional organization-specific security controls on top of that framework to address your industry's requirements. Once complete, the risk management framework is used to assess vendors: to verify that regulatory requirements are met, and to address risk both to the organization as a whole and at the product and/or service level.
An important question to consider at this point in the process is: Who is considered a third-party for my organization?
Create a list of all third-party vendors
Maintaining a central repository of all the vendors that provide services or products to your organization is essential. From vendors who provide core business functions to smaller vendors providing support services, all vendors and the services they provide should be documented. Each department will need to be involved in this process to identify areas of risk and where the vendors and the services they provide potentially overlap. It is crucial to maintain transparency through each step of the TPRM process, so that no stone is left unturned. Remember, risk can come from any vendor, no matter the size.
Classify each vendor
Now that a vendor list has been created, each vendor needs to be classified using some type of risk rating. Many organizations choose high, medium, and low; some use A, B, or C. Develop an intuitive rating system and be sure to communicate it to all stakeholders within the organization. Identify the risk based on the systems, networks, and data the vendors have access to.
For the purposes of classifying all your organization’s third parties, MindPoint Group can assist with developing a vendor onboarding and an annual questionnaire. This process is essential for capturing important details regarding the service, such as information on the location and level of data stored/processed and various other elements that dictate the type of assessment required.
The classification may also depend on the service or the product solutions the vendor provides. You can classify vendors based on the following questions:
- What service or product does the vendor provide?
- Who owns/manages the vendor relationship?
- Does this vendor provide any core business services?
- What data does this vendor have access to? Confidential, Private Data, Corporate Financial, Sensitive, Public, PII?
- How much data does the vendor have access to?
- What access to data does the vendor have? Is vendor access to that data required?
- Does the vendor have a fourth-party provider for any of the services they are providing?
Calculate the risk the vendor has to the organization
Every vendor poses different risks to the organization. Vendors who provide critical business processes or have access to sensitive data pose a larger threat to the organization than vendors with limited access. If you're examining a new vendor, it may be difficult to calculate the risk since you're probably less familiar with the cybersecurity processes they have in place. This is where a Third-Party Assessment (TPA) is performed to identify the risks of the vendor from a managerial, operational, and technical standpoint. Once the risks are identified, the likelihood that each will occur and its impact if it does can be estimated. With these inputs, you can determine how much your organization should spend to mitigate each risk. It is best practice to perform a TPA on an annual basis for your high- and medium-risk vendors to address previously identified risks and to identify new ones.
Assign a security risk rating to each vendor
Based on the risks of each vendor, each will be assigned a security risk rating. Once a security risk rating is assigned, senior management should prioritize the higher-risk vendors and the risks associated with them. For each risk category, the organization should follow these guidelines:
- High – Develop corrective measures immediately
- Medium – Develop corrective measures within a reasonable time period
- Low – Decide whether to accept the risk or to mitigate
High- and medium-risk vendors are any vendors that handle critical business operations or work with sensitive data. Lower-risk vendors are any vendors that have limited or no access to sensitive data and do not interact with critical systems and networks.
Areas of High Risk
TPAs can identify certain areas of a vendor's risk profile as "high risk" when an assessment is completed. This can include the vendor's cybersecurity practices, or its business continuity and disaster recovery planning. Once these higher areas of risk are identified, the organization can place additional controls in those areas. If the assessment was performed pre-contract, the organization should require the vendor to mitigate or remediate the high risks before contractually committing. MindPoint Group will then perform additional testing as needed to verify that the vendor's remediation was completed correctly.
Performing TPAs is best practice and is the first step in identifying any potential unwanted risk. TPAs are essential for businesses to help combat and avoid costly and unanticipated breaches or incidents in the future, by knowing the risks upfront and acting on them.
Ideally, these assessments will help set a foundation for your cybersecurity strategy, so you can identify where additional controls are needed and limit your exposure to risk.
Address the security risks
Once all the vendors have been identified and assigned a risk rating, management can decide how to respond to each vendor accordingly. Risks within each vendor can be accepted, refused, mitigated, or transferred. All risks, regardless of the designation, need to be thoroughly documented for management review and as an official record of risk. Implementing controls like encryption, firewalls, and multi-factor authentication can help protect assets and mitigate risk. It is essential to address risks by writing your controls and requirements into your contracts with your vendors, so they understand expectations and take action when needed. It is also crucial to monitor your vendors on an ongoing basis to ensure they are implementing the agreed controls and mitigating risks as they arise.
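The workflow above (inventory, classification, likelihood/impact scoring, rating, treatment) can be modelled as a small risk register. The following Python is an added example written for this page; it is not MindPoint Group's tooling or a NIST artifact. The 1-5 likelihood and impact scales, the score thresholds, the 90-day window for "reasonable time period", and the three sample vendors and findings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed (not from the article): data classes that count as sensitive when tiering a vendor.
SENSITIVE_DATA = {"pii", "npi", "confidential", "private", "corporate financial", "sensitive"}
TIER_ORDER = {"low": 0, "medium": 1, "high": 2}
TREATMENTS = {"accepted", "refused", "mitigated", "transferred"}


@dataclass
class Vendor:
    """One row of the central vendor repository; fields follow the classification questions."""
    name: str
    service: str
    owner: str
    core_business_service: bool
    data_types: set
    data_volume: str            # assumed scale: "none", "limited" or "bulk"
    access_required: bool
    fourth_parties: list = field(default_factory=list)


@dataclass
class Risk:
    """One finding from a Third-Party Assessment with an estimated likelihood and impact."""
    vendor: str
    description: str
    likelihood: int             # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                 # assumed scale: 1 (negligible) .. 5 (severe)
    treatment: str = ""         # accepted / refused / mitigated / transferred; "" if undecided


def classify_vendor(v):
    """Inherent tier from the classification questions (assumed mapping)."""
    sensitive = bool(v.data_types & SENSITIVE_DATA)
    if v.core_business_service or (sensitive and v.data_volume == "bulk"):
        return "high"
    if sensitive or v.fourth_parties:
        return "medium"
    return "low"


def risk_rating(r):
    """Likelihood x impact on a 1-25 scale, bucketed into high/medium/low (assumed thresholds)."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    score = r.likelihood * r.impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def vendor_security_rating(v, risks):
    """Final rating is the worse of the inherent tier and the highest assessed finding."""
    ratings = [classify_vendor(v)] + [risk_rating(r) for r in risks if r.vendor == v.name]
    return max(ratings, key=TIER_ORDER.__getitem__)


def remediation_due(rating, today):
    """High: immediately; medium: within 90 days (assumed window); low: accept-or-mitigate decision only."""
    if rating == "high":
        return today
    if rating == "medium":
        return today + timedelta(days=90)
    return None


def next_assessment_due(rating, last_assessed):
    """High- and medium-risk vendors are reassessed annually; low vendors are not scheduled here."""
    if rating in ("high", "medium"):
        return last_assessed + timedelta(days=365)
    return None


def undocumented_risks(risks):
    """Every risk needs a recorded treatment decision; return the ones that lack one."""
    return [r for r in risks if r.treatment not in TREATMENTS]


# Constructed sample inventory and assessment findings (not real vendors).
VENDORS = [
    Vendor("PayrollCo", "payroll processing", "HR", True, {"pii", "corporate financial"}, "bulk", True),
    Vendor("OfficeSupplyCo", "office supplies", "Facilities", False, {"public"}, "none", False),
    Vendor("MarketingSaaS", "email campaigns", "Marketing", False, {"pii"}, "limited", True, ["cloud host"]),
]
RISKS = [
    Risk("PayrollCo", "admin portal lacks multi-factor authentication", 4, 4, "mitigated"),
    Risk("OfficeSupplyCo", "invoices exchanged over unencrypted email", 2, 2, "accepted"),
    Risk("MarketingSaaS", "fourth-party cloud host has not been assessed", 3, 3),
]


def build_register(today):
    """Summarise rating, remediation deadline and next annual assessment per vendor."""
    register = {}
    for v in VENDORS:
        rating = vendor_security_rating(v, RISKS)
        due = remediation_due(rating, today)
        nxt = next_assessment_due(rating, today)
        register[v.name] = {
            "rating": rating,
            "remediation_due": due.isoformat() if due else None,
            "next_assessment": nxt.isoformat() if nxt else None,
        }
    return register


if __name__ == "__main__":
    for name, row in build_register(date.today()).items():
        print(name, row)
    for r in undocumented_risks(RISKS):
        print("needs treatment decision:", r.vendor, "-", r.description)
```

The register treats the vendor's rating as the worse of its inherent classification and its worst assessed finding, so a "low" inventory tier cannot hide a high-impact finding. `undocumented_risks` is the control that enforces the "all risks must be documented" requirement: a finding with no accepted/refused/mitigated/transferred decision is surfaced rather than silently left open.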
- Assist your organization in developing a TPRM program
- Guide your organization through the assessment framework development process
- Assist with developing templatized documentation for the entire process
- Contact your third-party vendor to schedule the assessment
- Work with your teams to gather preliminary assessment information, documentation, and if available, evidence
- Conduct assessments, either on-site, remote-based, or reliance testing
- Develop assessment findings report for your organization
- Brief you and your vendor of all assessment findings
As a best practice, it's important to note that vendors should be assessed on an annual basis, since risks can change over time.
*Special thanks to Bilal Khan and Nick Vaccariello for help with this article as well!