A Process Roadmap from Opus & OCEG
- May 19, 2017
Opus partnered with educational GRC think-tank OCEG to bring you this comprehensive yet concise process map of how you can apply third party information security policies, processes and technologies across your enterprise. Learn how to verify, remediate where necessary and monitor the effectiveness of third party controls, using sophisticated and mission-designed technology.
- Overview of the third party information security management process
- How technology helps
- Tips for doing it right
Compliance Week: Maintaining information security is more challenging as use of third parties who touch critical information has grown. What types of information and vulnerabilities should be front of mind?
Goldman: While the nature of threats and vulnerabilities varies based on the context of the relationship and type of service being outsourced, a vendor’s InfoSec controls are going to depend on the systems and processes they use to manage the data. New technologies, such as cloud-based solutions and the Internet of Things, and sub-contracting arrangements, which are often unchecked or unknown, broaden access to the data and expand the third-party threat landscape.
Compliance Week: Business operations, technology in use, third-party relationships, and data privacy laws are constantly changing. How do we keep up?
Goldman: Third-party risk management programs must be aligned with business objectives. That way, no matter what events occur that expose new risks, the program is always focused on what matters most—protecting the business. Processes must enable organizations to identify their critical third parties and tailor due diligence activities to the risk imposed by the relationship. To prepare for a change in a third party’s risk posture, companies must identify the factors that increase risk and include them in monitoring for the life of the contract.
Compliance Week: What are the first steps any company should take in building its third-party information security program?
Goldman: It is critical to build a control library that defends against the risks the company is exposed to, defining controls relevant to each risk caused by each outsourcing service. Relying on third-party attestations may be acceptable for low-risk relationships, but for any critical or high-risk service, companies themselves must validate the effectiveness of vendor controls. They can outsource portions of the process by hiring a managed service to do assessments or rely on IT threat intelligence to actively monitor third-party networks for signs of security issues, but fully outsourcing risk management is not possible—the company must always evaluate the effectiveness of vendor controls in relation to its risk tolerance.
Compliance Week: What is a key mistake you see companies making, and what do you recommend to correct or
Goldman: Many think taking a “one size fits all” check-the-box approach will cost less. Although this simplifies the process, it can create unnecessary work, particularly if there are many manual steps. Instead, third-party risk programs hampered by a lack of budget and resources should be carefully tailored to the business’ needs. We’ve seen many under-resourced programs overcome this challenge by outsourcing the risk assessment process to cost-effective managed service providers and relying on technology for automation