Dark Reading is part of the Informa Tech Division of Informa PLC

Edge Ask The Experts

9/17/2019 02:45 PM
Joshua Goldfarb
Ask the Experts

Any Advice for Assessing Third-Party Risk?

Here are five tips about what not to do when assessing the cyber-risk introduced by a third-party supplier.

Question: What are some important points to consider when looking to improve my third-party risk assessment function?

Josh Goldfarb, independent consultant: Most businesses work closely with and rely on third parties, suppliers, and vendors to help them accomplish their business objectives. While third parties provide many benefits to a business, they also introduce risk.

So it's important to assess your third-party risk holistically and regularly. Begin by prioritizing your risks and tailoring your third-party risk assessments accordingly.

Here are a few things you should not do:

  • Don't be afraid to have multiple questionnaires: Assign each vendor a risk assessment questionnaire that matches its size, type, criticality, and the sensitivity of the data it handles.
  • Don't trust the answers you get: Use tooling and evidence to verify and validate responses and to confirm that the required controls are actually in place, rather than accepting self-attestation.
  • Don't end the process at the assessment phase: Build a work program for each vendor to bring it in line with your expectations.
  • Don't forget to measure: Each assessment should produce a tangible risk score that you can use to compare exposure across individual vendors, across segments of the supply chain, and for the supply chain as a whole.
  • Don't stagnate: Continually review your third-party risk assessment function as priorities evolve, identify its weak spots, and work to strengthen them.
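The tiering, verification-discounting and roll-up scoring described in the list above, as an added worked example that is not from the article or its author. The tier rules, question weights, the half-credit given to unverified "yes" answers, and the sample vendors are all constructed assumptions for illustration; a real program would derive them from its own risk appetite and contract requirements.

```python
"""Tiered vendor questionnaires with a roll-up risk score.

Added example, not part of the original article. Every tier rule, weight,
question id and vendor below is a constructed assumption.
"""
from dataclasses import dataclass, field
from statistics import mean

# Assumption: tier by criticality and data sensitivity only; the article
# also names size and type as inputs, which a real program would add.
def assign_tier(criticality: str, data_sensitivity: str) -> str:
    if "high" in (criticality, data_sensitivity):
        return "tier1"
    if "medium" in (criticality, data_sensitivity):
        return "tier2"
    return "tier3"

# One questionnaire per tier: question id -> weight (cost of a missing control).
# Higher tiers get more questions and heavier weights. Constructed values.
QUESTIONNAIRES = {
    "tier1": {"mfa_enforced": 3, "encrypts_at_rest": 3,
              "pentest_last_12mo": 2, "incident_notif_sla": 2},
    "tier2": {"mfa_enforced": 3, "encrypts_at_rest": 2, "incident_notif_sla": 1},
    "tier3": {"mfa_enforced": 2},
}

# Assumption: a self-attested "yes" without evidence earns only half credit,
# which is how "don't trust the answers you get" shows up in the score.
UNVERIFIED_CREDIT = 0.5

@dataclass
class Answer:
    value: bool             # what the vendor claimed
    verified: bool = False  # independently validated (evidence, scan, audit)

@dataclass
class Vendor:
    name: str
    segment: str
    criticality: str
    data_sensitivity: str
    answers: dict = field(default_factory=dict)

def score_vendor(v: Vendor) -> dict:
    """Return a 0-100 risk score (higher is worse) plus the gaps behind it."""
    tier = assign_tier(v.criticality, v.data_sensitivity)
    questions = QUESTIONNAIRES[tier]
    total = sum(questions.values())
    risk = 0.0
    gaps = []
    for qid, weight in questions.items():
        ans = v.answers.get(qid)
        if ans is None or not ans.value:
            risk += weight                          # absent or unanswered: full weight
            gaps.append(qid)
        elif not ans.verified:
            risk += weight * (1 - UNVERIFIED_CREDIT)  # claimed but unproven
            gaps.append(qid + " (unverified)")
    return {"vendor": v.name, "tier": tier, "segment": v.segment,
            "score": round(100 * risk / total), "gaps": gaps}

def roll_up(vendors):
    """Score every vendor, then aggregate per supply-chain segment and overall."""
    results = [score_vendor(v) for v in vendors]
    by_segment = {}
    for r in results:
        by_segment.setdefault(r["segment"], []).append(r["score"])
    segments = {s: {"max": max(xs), "mean": round(mean(xs))}
                for s, xs in by_segment.items()}
    scores = [r["score"] for r in results]
    overall = {"max": max(scores), "mean": round(mean(scores))}
    return results, segments, overall

# Constructed sample vendors: one per tier.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "hr", "high", "high", {
        "mfa_enforced": Answer(True, verified=True),
        "encrypts_at_rest": Answer(True),          # claimed, no evidence
        "pentest_last_12mo": Answer(False),
        # incident_notif_sla left unanswered
    }),
    Vendor("cdn-provider", "infra", "medium", "low", {
        "mfa_enforced": Answer(True, verified=True),
        "encrypts_at_rest": Answer(True, verified=True),
        "incident_notif_sla": Answer(True, verified=True),
    }),
    Vendor("office-supplies", "facilities", "low", "low", {
        "mfa_enforced": Answer(True),              # claimed, no evidence
    }),
]

def demo():
    return roll_up(SAMPLE_VENDORS)

if __name__ == "__main__":
    results, segments, overall = demo()
    for r in results:
        print(f"{r['vendor']:16s} {r['tier']}  score={r['score']:3d}  gaps={r['gaps']}")
    print("segments:", segments)
    print("overall:", overall)
```

The per-vendor `gaps` list is what feeds the work program for the "don't end at the assessment phase" step, while the segment and overall `max`/`mean` figures are the roll-up the "don't forget to measure" step asks for. Reporting `max` alongside `mean` matters: a segment with one badly exposed critical vendor can look acceptable on average.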

What do you advise? Let us know in the Comments section, below.

Do you have questions you'd like answered? Send them to [email protected].


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...

Comments

PattiDegs, 9/17/2019 | 4:24:06 PM
Assessing Third Party Risk
How about instead of doing useless questionnaires, hold your vendors accountable to their contracts by making them sign and agree to what you need from them in a security addendum? Takes way less resources than going through useless vendor audits. Then audit only high-risk vendors to what they agreed to do or have in place and are liable to in the contract. No one has the resources to audit all their vendors.