Did you know that 63% of data breaches are linked to third party access, and this number is on the rise? This presentation explores the increasing priority of Third Party Risk Management (TPRM) in today’s marketplace. Learn why TPRM should play a critical role in your overall Corporate Risk Management Strategy and best practices for how to implement a successful TPRM program in your own organization.
3. Hello!
I am David Ksiazek
Security Services Director at Alliance Technology Group
@davidksiazek
david.ksiazek@alliance-it.com
4. My Background
▪ System Administration
▪ SQL Development
▪ IT and Internal Audit, 2003-2010
▪ IT Security, 2008 – Present
▪ Worked on the team that wrote the FedRAMP HIGH Baseline
7. Collaboration
▪ Collaboration and specialization are driving organizations to connect business processes, and therefore IT systems, more closely.
▪ Seeking:
▪ Expertise
▪ Economic Advantage
9. “…But I outsourced to transfer the risk…to make it someone else’s problem…”
10. Outsource Risk
▪ Organizations still bear risk even when outsourcing, and especially when integrating:
▪ Supply Chain
▪ Financial Risk
▪ Reputational Risk
▪ Service Delivery Risk
▪ Regulatory Risk
▪ Information Security Risk
12. Two Models for Third Party Risk Management (TPRM)
Decentralized
▪ Individual functions conduct specialized analysis
▪ Relies on internal information collection, sharing, and coordination
▪ No centralized vendor servicing; a Vendor Contact may have 2-5 organizational contacts to work with individually
▪ Does not require dedicated organizational headcount
▪ Often performed with Excel, Word, and e-mail
▪ Timelines and risk treatment can be uneven, as the resources performing the analysis have day jobs in addition
13. Two Models for Third Party Risk Management (TPRM)
Centralized
▪ Often aligned under procurement or IT
▪ Coordinates Standards internally among various functions
▪ Acts as a central point of collection, reporting and servicing
▪ Can still utilize individual organizational functions for risk analysis
▪ Often requires dedicated organizational headcount
▪ Requires some system or IT infrastructure
▪ Timelines are more uniform
▪ Risk Treatment is approved and often uniform across all analysis
14. Third Model for Third Party Risk Management (TPRM)
Hybrid
The Hybrid model uses silos of centralization:
▪ IT collects system data
▪ Purchasing collects contract or SLA data
▪ Finance collects financial data
And they all agree to pretend that they will talk to each other frequently and openly
(OK, sometimes I lie a bit…)
16. (Chart of assessment methods)
▪ On-Site Visits: 69.5%
▪ In-house Internal Audits: 62.7%
▪ Control Self-Assessments: 39.8%
▪ Remote Assessment w/ Direct Access: 22.9%
▪ Desktop Audits: 22%
Note: The current mix of internal controls to detailed transaction testing is estimated at 80/20.
18. TPRM is a Lifecycle
Selection → Onboarding → Management → Renewal → Termination
19. The Lifecycle in Depth
SELECTION
Choosing which vendors to assess from the universe of vendors
▪ Most come from business unit requests for a specific vendor
ONBOARDING
▪ Assess
▪ Rank
▪ Execute Contract
MANAGEMENT
▪ Monitor Compliance
▪ Update Documentation and Certifications
✓ SOC Reports
✓ Audit Reports
✓ Licenses or Certifications
RENEWAL
▪ Use the information collected over the previous period of performance in the contract renewal process
▪ Reassess vendor risk prior to this effort
TERMINATION
▪ Process of orderly separation
▪ Knowledge Transfer
▪ Return or destruction of information
21. Vendor Interaction Tips
▪ Interact with Vendors early and often
▪ Vendors should have an idea of the overall process
▪ Introduce Vendors into the RMF process and discuss the process, the framework, and what happens when controls are not in place (sanctions)
o Much of this should be spelled out in a contract
▪ All communications should be in the context of the overall process
23. Vendor Categorization Tier Model
Tier 1 – Strategic Partners: integrated business practices and mutual product/service feedback
Tier 2 – Material Vendors: the Vendor product or service is a commodity but is often unique to the Vendor and is significant to Organizational Goals and Success. Material Vendors often
Tier 3 – Vendor: commodity product or service potentially available from multiple vendors
Tier 4 – Low Priority
Assessment Scope and Frequency
▪ Categorization should drive the level of standards compliance required
▪ More important/strategic relationships should equal more Risk Management and Compliance
25. Standards
Use a common, or at least coordinated, set of TPRM standards across all business units.
Organizations are encouraged to assess against both industry-specific standards such as HIPAA (healthcare) and PCI (retail) and general standards such as ISO 27001, NIST SP 800-53, or COBIT.
In addition to functional standards for processes and technologies, consider monitoring for governance risks such as Financial, Reputational, and Regulatory risk, Code of Conduct, and Ethics.
Standards requirements are best adopted and required at the highest levels of an organization.
26. Tools
Roughly one-third of organizations use an existing ERP system module to manage TPRM.
The remaining two-thirds use either a general or third-party-specific risk management package, or multiple systems and manual processes.
Small organizations can use Word, Excel, and e-mail, but…
THIS DOES NOT SCALE
It is better to use these tools for initial efforts or for mocking up the process and content, not for production.
27. Contracting
Include the following in the contracting:
▪ Risk Management requirements and provisions
▪ Service Level Monitoring
▪ Use Incident Reporting to record instances when Service Level Agreement Terms and Conditions are not met
28. Reporting
Start with the end in mind: look at the information the business needs to operate effectively, and work backwards to compile and implement the collection of that data.
Monitoring
Aside from internal RMF compliance, monitor:
▪ News – LexisNexis support is invaluable
▪ Tier 1 – Who are their suppliers? Monitor them as well
▪ Breach Incidents
▪ Regulatory Actions (OFAC, SEC, FTC, FCPA)