S3 E4: Building a Third-party Risk Management Program
Transcript
Jordan Eisner: Welcome everybody, another episode of Compliance Pointers. I am joined today by Steve Haley, our Director of Cyber Services. Steve, good to have you on.
Steve Haley: Thanks, Jordan. It’s good to see you. Happy New Year, starting off the new year, right?
Jordan Eisner: Happy New Year to you as well. Yeah, hard to believe it’s almost February. We’re a week away from the last day in January.
Steve Haley: Yeah, it seems to move faster the older you get, Jordan.
Jordan Eisner: Man, that’s scary.
Steve Haley: Yeah. So what’s our topic today, Jordan?
Jordan Eisner: You already know. We’re talking about third-party vendor risk management. The topic, I think, is very near and dear to you, not just because of what you do at CompliancePoint, but because of your previous experience at other organizations and 20-plus years in cybersecurity.
And so we’re going to talk about what I think is probably high-level stuff for our listeners and viewers, but it’s stuff that I’ve seen over the course of my 10-plus years in this industry that continues to be looked over, continues to be brushed to the side, continues to get organizations in trouble.
And there’s just no clear answer, it seems, for what’s the right balance? What’s too much vendor management? What’s too scrutinizing? What’s filtering them out too much based on their security maturity? And what’s not enough? And how do you balance that? What are the best practices for it?
So we’re going to do a quick snippet today. It’s going to be mainly you talking, per usual, because there’s not so much they can learn from me about this topic. But I’ve got some questions and some things in mind that you and I have discussed before this for our audience and our viewers. I’ll take this time to remind them all that this is a CompliancePoint podcast, as you can see by the logo behind you. And Steve is a CompliancePoint employee. However, this is really meant to educate the marketplace, educate customers and prospects alike, partners, competitors, other organizations. I think everybody can benefit from this sort of knowledge, whether that means they come to work with us one day or they never do. I think it’s good for everybody involved.
Steve Haley: And I would agree with that. And regardless of the topics that we cover, we’re just trying to help the community out and be good stewards in the security practice areas. This is a really interesting topic.
But, you know, there’s a lot of news around third parties and the risk that third parties pose to organizations. And actually, it’s a critical relationship to most businesses. So it really is an important area.
For those that don’t watch the news, you know, or I should say for those that do watch the news, I mean, you see a lot of breaches coming across the newswire and a significant amount of those are actually created through a third party.
Jordan Eisner: Right. Not by the organization that is deemed to be at fault. Or liable or responsible, whether it’s their brand reputation or some sort of financial consequences or any of the above. You’re right. In a good number of those cases, it was their vendors.
And so you could argue it was a lack of due diligence or, you know, an oversight or lack thereof. You know, how you use that word, what they were doing.
But I think you answered my first question, right, which is why is third-party risk management important? I think that’s maybe a rhetorical question. But you know, it’s about liability. It’s about protecting your customers, your data, any sort of sensitive information, data or whatnot, trade secrets you have and the activities that your vendors are doing or are performing on your behalf. That could potentially get your organization in hot water.
I mean, would you give any other reasons other than that? I know that’s pretty broad.
Steve Haley: I mean, a third-party risk management program, an effective third-party risk management program, you know, really should be designed in a way that actually ensures the organization can effectively manage and mitigate the risks associated with, you know, their customers’ data and or downstream, you know, entities, i.e. third parties and or, you know, other business relationships that you’re entrusting with client data as well.
And so ultimately, the importance of a program is to protect sensitive data, comply with regulatory compliance. I mean, there’s a lot of, you know, compliance and regulatory components and safeguards that are now being pushed down to the businesses that they need to comply with. And third parties come into that mix as well.
I would also say, you know, having an effective program provides some level of operational resiliency because it’s required and some levels to be able to ensure that, you know, you’re protecting data not just in one location, but maybe in multiple locations. And that’s where the resiliency comes in.
And then at the end of the day, it’s really safeguarding, you know, your reputation and maintaining that trust relationship with your, you know, B2C business to customer relationships and B2B, you know, business to business relationships.
So, you know, really is a critical component in any organization’s, you know, security program.
Jordan Eisner: Well put. It’s a critical component in the workings of any organization. That’s what you just said.
But what are the critical or core components of third-party risk management program?
Steve Haley: It’s a good question. You know, we go into a lot of organizations that, you know, have different levels of maturity as it relates to third-party risk management.
We go into some that don’t have any. We go into some that may have some components. And then we go into others that are very mature. And I think can always mature better than what it is today.
But when we take a look back and we look at the core components that are required, you know, in a, in an effective doesn’t mean to be it needs to be the best. Because everybody’s at different maturity levels, smaller companies and bigger companies. The first and foremost is establishing, you know, policies around third-party risk management and into and really defining a governance structure for the program itself. Those are, you know, starting the gate out like that is very critical.
You have to have the policies and governance in place, organizational-wide, not just an IT or a security function. It’s actually organizational-wide.
Jordan Eisner: That makes sense. You can’t really dictate how you’re going to treat a vendor or what hoops you’re going to make them jump through what sort of scrutiny you’re going to look at with until you set the bar as an organization on what your policy or risk appetite is really in working with a vendor.
Steve Haley: And that really gets into the next really core component, which is really identification of the vendor scope. What’s the scope of the program?
I’ve gone into programs where their scope is, you know, only, you know, critical vendors that they monitor. Others have a scope that may say only vendors over $10,000 will be put into the program. So, you know, there’s flexibility on how to design all that. Again, you know, risk tolerance to the organization really comes into play here.
You know, so, you know, identification of the vendor scope and the potential risk to the organization is really one of the.
Jordan Eisner: Not just size, but what they’re doing, how they’re working with you, what sort of data they’re processing for what purpose.
Steve Haley: What type of access, right? If that vendor went away, what’s the risk to the organization? You know, companies come and go.
I’m a fan of a tiered approach when it comes to vendors. And we’ll get into this a little bit more as we go through this, but, you know, not every vendor is the same, right? So, it’s based on access, based upon what data, the criticality to the organization, you know, those types of components that go into an effective vendor management program and tying that and the likelihood together really starts to build out a profile.
Jordan Eisner: So policy, you know, inventorying or assessing of the vendors and then really departmentalizing them or creating a program based on the certain risks they pose are the core components, which leads to the next question, what you were just getting at. What’s the most efficient or effective way to then assess a vendor you’re onboarding or considering onboarding or adding to the organization? Their security posture, right? And the risks they pose to your organization, A, based on what they do, how they’re going to do it and with, you know, what company information they’re using, but then also B, all right, this is what they are. It’s highly critical based on the type of organization they are, their size or their scope. Now how do we assess how adept they are or adequate they are from a security posture standpoint?
Steve Haley: Typically once we get through the exercise of identifying the vendors, really internally looking at the risks to the organization based upon what they have access to, what services they provide, you know, will that service interrupt your business, things of that nature? Then we’re putting them into what I like to call the tier buckets, right? High, medium, low, just for the sake of argument, right?
High being my most critical vendors, moderate or medium being those mid-tier vendors and then low vendors are really those low-risk vendors, right? It could be the person coming in and watering the flowers in the organization, right? They’re still a vendor, they’re still having physical access potentially to the organization, but they’re extremely low-risk at that point, right?
So once we get that all defined, really the next step is to define a questionnaire, a profile and a questionnaire that meets the criticality that they pose to the organization.
Personally, I like to tailor questionnaires to a standard, right? Whether that’s NIST 800-53 low or moderate, depending upon how large of an organization they are or the NIST CSF, right? Those are common areas that provide controls and safeguards that we can pose to our customer that will actually give us good insight into how mature, you know, the maturity of their security program, right, and the effectiveness of their program as well, right?
The other thing that, you know, we typically look at is really, you know, with that profile, what certifications do they carry, right? Those types of things can be asked right up front, you know, as you’re onboarding into the organization.
The attestations are annually, so, you know, that’s going to go into the ongoing monitoring program as well, right? We’re going to want to look at all that stuff.
Jordan Eisner: That itself creates layers, okay, right? Because what type of certification, who is the auditor, what’s the quality of that auditor, how long, you know, was the period of testing, I mean, and so on and so on. I mean, it can really spider web, right?
Steve Haley: It can, and I don’t think that just obtaining an attestation or a certification is the end all to be all, right? I think organizations still need to go through their due diligence on their own, you know, to validate additional benchmarks that they want to obtain as evidence, right, to ensure that that vendor actually, you know, meets the criteria that they’ve defined and the risk tolerance that they have. And so, you know, a lot of that is really that evidence is policies and procedures, attestations, it’s incident response and communication, very, very important, right?
You know, incident response and communication usually falls into the regulatory stuff as well. It’s not part of anyone’s program, but, you know, if you look at the SEC rules, right, there’s so much time, you only have a certain amount of time to be able to report a breach, right? And if your third party can’t comply with those types of timelines, then you’re not going to be able to comply with those timelines, and then you’re the entity that’s going to get fined, right?
So there’s a lot to consider as you start looking at the evidential stuff that you’re collecting and does it meet, because there may be some type of mitigation function, right, that needs to be put in place if it’s a critical vendor that is required for the business, right? There may be gaps, and again, that’s where the mitigation kind of component comes in.
If they’re developing software for you, right, you got to make sure that you’re collecting, you know, the appropriate stuff. Are there people trained appropriately for secure coding best practices?
Jordan Eisner: So it sounds like a baseline of applicable compliance or regulatory certifications or frameworks is a good starting point, but can’t stop there. You know, you need to have additional customize with your business in mind and the type of vendor in mind based on their profile from a questionnaire you put together, additional steps or, you know, I guess don’t cross this line type requirements that, okay, you’ve got a SOC 2, that’s great, or you’re certified against this, that’s great, but based on this sort of thing, we really want to see X, Y, and Z as part of your security program.
Steve Haley: It’s an additional layer of assurance to the organization when they’re dealing specifically with the critical vendors, right?
And when I go into organizations and my team goes into organizations and we’re consulting with implementing, you know, third-party risk management programs or helping organizations enhance them, we always want to start off with, let’s just say, you know, we don’t need a full SIG, right? That’s a thousand questions, right? I’m a fan of keeping it right sized, if that makes sense, right?
And you start off with a baseline, let’s for an example, say a hundred questions that you’re asking your most critical, you know, vendors, right? Those that are tiered in the critical bucket. You know, you may pare that down to 50 in your moderate. Less risk, tolerance is less, the likelihood of an impact from them is less. They may not have access to sensitive data, but there’s still core functions of the security program you want to get insight into.
Jordan Eisner: Tell me how I’m tracking so far. You should have a third-party vendor risk management program. A, that’s easy, low-hanging fruit. How you implement this program should be based on starting with policies, organizational governance on what is an effective program based on the business we do and the type of vendors we’re onboarding. And what rules are we going to play by ultimately or govern ourselves and our relationship with them by.
Then from there, develop some sort of questionnaire to tier the vendors coming in, right? High, medium, low risk or big, small, large, or critical, not critical based on what they’re doing and then establish some baseline. Well, we’ll accept these sorts of certifications or compliance attestations on their behalf, but then based on the tier or the size or the structure or the scope, here are additional lines of questions could be as little as, you know, a hundred more questions or less than that or bigger and bigger and bigger based on the criticality, the impact and the risk.
So, then the big piece after that and probably a good closing point is, done all that, that’s great, built a program, we assess them when they come on. How does this become a living, breathing program that’s adaptive, right? That continues to monitor them as they change and the organization change. That seems like a difficult task.
Steve Haley: It can be a very difficult task. There’s one component in the overall program that we need to discuss that wasn’t brought up, which is really the contractual side, right?
After you go through that and you’re going to onboard, contracting is critical. This is where the legal entity of the organization has to play a role as well, right? Like I said, it’s organizational-wide.
You need to make sure that you have the right language in your contracts to manage the expectations with the entity that’s being onboarded, right? The vendor.
You know, things that you may want to consider in that is language that centers around and this is part of the monitoring program is that you will conduct an annual risk assessment against them based upon the questionnaires that you provide, right?
Another area is what are the security and compliance requirements? If you’re SOC 2, we expect you to maintain your SOC 2 certification annually. We would like a copy of that. Those are things in the language that protect the organization, you know, in the contracts, language in the contracts that can protect the organization as well as, you know, incident response and breach notification. I talked about that kind of with the SEC rule. Very critical.
If you’re on a four-day clock to be able to notify, you know, the SEC that you’ve had a breach to a third party, you may want to back that down to the third party has 72 hours to notify. You need some runway there. And then termination clauses if they don’t, if they’re non-compliant. Those are things that you got to be ready to address in contracts.
Jordan Eisner: And another factoring component to have to manage on an ongoing basis too.
Steve Haley: Correct. So it kind of, I just wanted to get that in there real fast.
So when you’re building out your monitoring program, now there are companies out there that can assist you with monitoring, you know, your third-party entities, right? Like BitSight, Security Scorecard, Black Kite, we’re a partner with Black Kite. I really like them.
You know, I use them in the vCISO because it gives me great insight into, you know, the external areas that I can focus on to really gauge the maturity of the organization. And it gives me a score on that and it covers 20 different areas.
And there’s a lot of organizations that will use those tools to monitor usually critical vendors. You know, but that’s not the end all be all either, right? They still do the annual assessment. They still make sure that they fit into their organization’s risk profile or tolerance, right?
You know, again, making sure that you get awareness of things changed in the organization. And again, another contractual language thing you may want to include is that if they go through significant infrastructure changes or, you know, they’re moving, let’s just say services out of the data center up to one of the cloud providers, right? You want to have some type of awareness and keep that communication going with the vendors. So, you know, the organization can react to the vendor making those changes and be aware.
You know, the other thing is periodic audits. Always want to make sure that you do periodic audits. Typically most organizations would do it annually. There are some instances where we’re starting to see semi-annual audits that may be pared down a little bit just to do a spot check, see how things are going.
Jordan Eisner: Not as deep, but more often.
Others is, you know, if your third-party is providing, you know, external services or pass-through services, you may want to, you know, you may want to implement a vulnerability assessment and penetration testing and do that annually too and get some additional insights into, you know, the health of their application and what is it being exposed externally. You know, there could be ports and services that, you know, could leave them vulnerable.
You know, in information security, more eyes on things is a lot better than fewer eyes. What I’m saying is, sometimes somebody else who’s not so close to it can see something that others don’t. Because at the end of the day, that’s why we work here. At the end of the day, we’re all in it together, to be honest with you, right?
And I think really a really critical area is really internally, you know, creating risk reporting based off of those vendors or multiple vendors, you know, that gets cascaded, you know, throughout the organization. So if things change, you know, people in the organization, those that may be senior to you, like, you know, CEO or, you know, the entity in the organization who owns the relationship with the vendor gets awareness that their posture has changed.
And again, having those open conversations when that happens is critical, right? Because, you know, at the end of the day, we’re entrusted with the data, our customers’ data, our corporate sensitive data, right, and being proactive as opposed to reactive is a good way, you know, to be able to get ahead of that.
And again, like you said, it’s really it’s defense in depth. At the end of the day, there are multiple layers here.
Jordan Eisner: Yeah. And it’s just speculation because I’m not an executive of a big company with, you know, a big vendor network, but I would imagine that the struggle day in and day out is, well, how much money do we throw at this? How much of our revenue goes towards this and where’s the balance of defensive and offensive and what’s the right fit?
Because somebody said it once, I forgot the quote, but ultimately it has to do with, it’s a great security quote basically about, you know, the cost or something. It’s always too expensive until it’s not, so correct.
Steve Haley: You know, unfortunately, most companies that go through a breach, those smaller or medium companies that have a breach, whether it’s through their own or through a third-party, you know, struggle to recover from that and some don’t.
So what’s the cost of your reputation? What does your reputation mean to you?
Jordan Eisner: Obviously, I would say it means the world, but that’s why there’s budgets and that’s why there’s allocation and this goes here and this goes there and it’s a lot to run the machine.
But I think that’s a great stopping point because what I would leave our audience with, our viewers and our listeners is there are many layers and you can go deeper and deeper into each of these components and each of these topics that Steve has discussed here today. And it’s about building the best mousetrap for your company. And that’s going to be different everywhere.
And so customization, adaptation, constant innovation on it are just important factors that have to be part of it. And that’s going to require technology, but people a whole lot.
Steve Haley: So you just brought up a really key component that I wanted to touch on right at the end. The last component that’s critical is to review your program annually as well and to mature it where it needs to mature. It’s living and breathing.
Jordan Eisner: Yeah. Easier said than done. So, well, Steve, thanks for coming on for our audience. If you’re interested in asking questions, learning more about this, how CompliancePoint helps with third-party vendor risk management, the design of programs or the ongoing maintenance of programs, please don’t hesitate to reach out to Steve or myself. We’re both on LinkedIn. You can email us first initial last name. So SHaley@compliancepoint.com or JEisner@compliancepoint.com and you can email in just generally to CompliancePoint at connected@compliancepoint.com. We would be more than happy to field your questions and concerns until next time. Thank you, Steve. And thank you.