This blog is the third in a series exploring how organizations can prevent or mitigate the severity of a third-party data breach or cyber exploit by implementing a variety of cybersecurity risk management controls, such as assessing compliance with regulations, vetting third-party security practices, and establishing data breach and cyber exploit incident response procedures. While the complexity of cyber risks intensifies, together with an increasingly challenging privacy and security regulatory environment, the overall maturity of third-party risk management programs is barely keeping up. Resource constraints, a lack of standardization of risk assessment processes and the difficulty of determining the “source of truth” of data held by third parties continue to dog many organizations.
Part 3 – Evaluating and Vetting Third Parties’ Security Practices
It’s not uncommon for organizations to have hundreds or thousands of vendors or third parties with access to personal and sensitive information, or that provide critical services. Attackers may not need to breach a well-protected internal server of your organization if a third party holds the same information without protecting it to your organization’s security requirements. If a third party is given some level of trusted access to internal networks, it might be easier for a hacker to simply compromise the third party and then use its privileged access to break into a network containing the target data the hacker wants to steal, or to otherwise cause damage. For example, last year, Krebs on Security reported that hackers used the internal systems of Indian information technology (IT) outsourcing and consulting giant Wipro as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.
In Part 1 of this series, we discussed the importance of organizations identifying all their vendors and other third parties, together with their subcontractors, that store or process sensitive data or provide critical infrastructure or operational support, and subsequently assessing and prioritizing the level of risk associated with such vendors and third parties. This is not always an easy task, as many organizations do not have a centralized vendor management system or single point of procurement for their suppliers, so conducting an enterprise-wide outreach to various business units and divisions to obtain this information may be necessary. Once this identification process is completed, organizations must establish criteria for assessing the risk these third parties pose to the organization. In general, there are two types of risk to be used in this risk assessment: inherent risk and residual risk.
Inherent risk represents the amount of risk that exists in the absence of a third party implementing necessary controls.
Residual risk is the amount of risk that remains after such controls are accounted for.
As an example, a truly inherent risk would assume that a third party conducts no employee background checks or interviews and that there are no locks on any doors. Residual risk in this example is what remains once employees are properly vetted and locks are placed on doors: the inherent risk is reduced, but employees may still attempt malfeasance, and a burglar could still pick the locks.
When applying these concepts in evaluating the data privacy and security risk posture of an organization’s third parties, an organization must initially establish a baseline set of controls and processes that it expects the third parties to meet, which should align to the organization’s own internal requirements. These third-party obligations may vary depending on the inherent and residual risk that the third party presents, so an organization should categorize its third parties based on those risk levels, such as high, medium or low. For example, an organization’s groundskeeper would likely have a lower risk rating than the payroll processor, which has access to sensitive financial information of employees.
A daunting challenge for many organizations is establishing the appropriate risk criteria for third parties that fall along the broad risk spectrum. Some examples of risk criteria an organization may want to consider are:
- What is the financial impact to the organization if there is a disruption of services from the third party?
- Does the third party have access to the organization’s internal IT network?
- Does the third party have access to merger and acquisition data?
- Does the third party have access to sensitive personal information, like Social Security numbers, credit card numbers, drivers’ license numbers or protected health information (PHI)?
- How many sensitive records does the third party store or process?
- Does the third party develop customized software or applications that will be installed on the organization’s systems?
- Does the third party have unescorted access to the organization’s premises?
- Does the third party host applications or websites using the organization’s domain or that can gain access to sensitive data?
- Is the third party subject to applicable data privacy and security regulations, and if so, is the third party compliant with them?
- Does the third party have the financial strength to absorb the risk of a data privacy or security breach?
Organizations that are subject to federal, state and/or international regulations may need to include other risk criteria that are specific to those regulatory mandates.
Surprisingly, many organizations are unaware of the answers to the questions above, so a process of creating and disseminating data privacy and security questionnaires should be established. Organizations will then need to determine when and how frequently these questionnaires should be completed by third parties, taking into account new products and services from the third party that the organization later adopts, changes in the types of data or internal system access the third party has, or new privacy and security laws and regulations that now apply. Depending on the risk level of the third party, does the organization want the right to conduct audits of the third party’s privacy and security controls? Do the organization’s written agreements with the third party permit such audits? Once the responses to the questionnaires or results of the audits are received, how will the organization treat variances from the expected requirements? Which ones are most critical? Can the organization work with the vendor to mitigate these variances, or do they pose too much risk to continue the relationship? Who within the organization has the authority to make these decisions?
Creating a third-party risk evaluation and vetting program can be a challenging process, requiring the input and participation of various departments within an organization. For more information on how to create or improve this program within your organization, contact the author.