CTPRP
Each TPRM lifecycle component is based on the concepts of ....
"Plan," "Trust," "Verify," and "Evaluate"
TPRM Foundation
"Trust, but Verify"
Monitoring is an element of the
"trust, but Verify" model. it is designed to maintain ongoing awareness to support organizational risk decisions.
ERM is...
"umbrella" risk governance structure. It is designed to meet company goals and objectives, establish trust, and is aligned to company mission, vision, and culture. It also defines risk mitigation approaches based on each type of risk, and its governance model is adjusted based on changes and is communicated to the enterprise.
Virtual Assessments
- Like an onsite review, virtual assessments are a "Hands-on" type of engagement. A virtual assessment is a collaboration method of providing an efficient and cost-effective way of evaluating a Third Party's controls. - it reviews the same controls as an onsite assessment - Just like workers perform their jobs virtually from home, the Outsourcer and the Third Party collaborate online without traveling to the physical location. Controls can be evaluated virtually via evidence libraries. - Collaboration tools can take the assessment from the conference room to online. Documentation and artifacts used in the assessment can be controlled and limited via secure online data rooms.
Outsourcing Activity?
- What is the amount of risk being carried? - How does that compare to the organizational risk capacity?
Amount of Risk being Carried
- What is the existing organizational risk capacity? - What is the concentrated risk in the combined "full book of risks"? - Will the residual risk from a potential Third Party make a material difference in that full book of risks?
Basic Steps in the Process.. In the Risk Rating process:
1. Apply the risk ratings of outsourced services to your vendors to create vendor ratings. 2. Establish a risk score hierarchy for critical, high, medium, and low risk services. 3. Establish weighting for key risks; recognize that data risk may carry a higher ranking than availability. 4. Apply ratings to vendors. 5. Use vendor ratings to prioritize assessments. 6. Validate ratings when vendors are reassessed.
Elements of a Cloud Computing Control Assessment: It is important to know the cloud lines of delineation. To determine who is responsible for the data at various stages and locations, think about the following:
1. Performing a review of external audit attestation reports 2. Understanding the governance model; what is the structure, ownership, and accountability? 3. Having security services documentation 4. Confirming what logging and monitoring is in place 5. Confirming the level of monitoring of configurations that occur to identify changes in the environment 6. Having image snapshot approval and management processes 7. Determining software patching responsibility
Education events can be focused and topic-specific. A good program can run in ..
20 minutes or less and should be tracked for attendance or receipt. Testing the behavior of employees can be done via piggy backing or testing how employees handle emails. As new threats or vulnerabilities are identified, training and awareness campaigns should be updated to reflect how to address the risks.
The response rate for "who clicked" on the link can be tracked by user, department, or function. Organizations tend to expect a click-thru rate of between ______. Organizations that see fewer than ___ of employees' responding is considered good. In general, phish testing and social engineering testing can only be a measure of the effectiveness of training.
20% to 60%. 15%
Managing Fourth Parties
A Fourth Party is a vendor's Third Party or subcontractor and is vulnerable to the same risk as the vendor. Outsourcing organizations need to define the parameters to authorize any downstream outsourcing or subcontracting. These contractual obligations may need to be extended to the vendor's vendors. Outsourcers should inspect their vendor's TPRM program for adequate vendor risk assessments. It is important to establish standards and contract provisions specifically addressing vendor outsourcing (Fourth Party vendors). These can include requiring prior notice, permission, and a performed risk assessment prior to providing access to data or systems; periodic risk assessments; and evidence of a TPRM program.
Definition of Standards
A Standard is clearly defined, rigid, and universally accepted as the best method for addressing a specific topic. Within a standard, there is typically one accepted way of accomplishing the task.
Data Governance
A Third Party that is entrusted with your organization's data should have controls to manage the lifecycle of your data. Assessments focus on data that is involved in the outsourced services, called "Target" or "Scoped" data.
Community Cloud
A community cloud provides a cloud solution to a targeted community of limited users with similar requirements who work collaboratively to govern, manage, and secure the solution.
Securing Web Applications
A critical element in effectively managing application risk is the identification of the authorized users, systems, and devices. With access controls you can do the following: Use robust authentication Use group profiles for access Conduct periodic user access reviews Ensure appropriate logging of access and events Monitor applications for alerts or anomalies
Mitigating the Risk of Business Disruption
A documented business continuity and disaster recovery program, along with related policies should be approved by management and communicated to appropriate staff. Program reviews should include the following components:
Definition of Frameworks
A framework is flexible and allows for adaptation. Frameworks outline a broad perspective of interlinked items in a field of practice.
Server Security
A key starting point to server security is understanding the environment and whether the target systems are using server virtualization. Assessment of the key risk components will include understanding the system types (Windows, Unix, Mid-Range, Mainframe, Virtual), system operations, system hardening, and roles for security operations.
Reporting and Re-Assessments
A mature and effective Third Party risk assessment process includes periodic review to identify improvements to the program
Repeatable and Reliable Process
A repeatable and reliable process should be established for identifying and categorizing Third Parties. Once established, this process can be used to keep vendor records up-to-date and to create records for new Third Parties as they are brought onboard.
Vulnerability Assessment
A vulnerability is a weakness in an information system, system security procedure, internal control, or implementation that could be exploited by an external threat source. A vulnerability assessment is a structured examination of systems and applications to identify, quantify, and prioritize the security deficiencies in the systems.
Management Oversight
Ability to identify, measure, and monitor Third Party risks Agreement on key control activities Effectiveness of risk monitoring systems Timelines of corrective action Adequacy of contracts Alignment with IT strategic plans
Common Challenges in achieving business resilience include the following:
Absence of Enterprise Risk Management to provide oversight of the different functions Incorrect organizational mindset to differentiate resilience and business continuity in order to provide both short- and long-term strategies Inefficient organizational structure that focuses on tactics vs. strategic goals; resilience is not just a security or technology function, but a risk management function Incomplete or inaccurate mapping of end-to-end business processes and required assets to enable those processes Inefficient and ineffective oversight of Third Party relationships Failure to understand all risks associated with the extended enterprise
Components of Tiered Due Diligence
After risks are identified and the vendor has been assigned a risk rating, the TPRM program should define the scope and components of due diligence that are required. The next steps in the overall vendor risk assessment program are to identify and define the depth and type of validation to be performed in order to evaluate the control environment.
Business Ethics and Corporate Compliance
Anti-bribery, anti-trust, anti-money laundering, anti-theft, anti-fraud, financial crime, whistleblower, compliance checks
Convenience
Any party can exit without a reason that is based on a better arrangement or opportunity. This is often requested by outsourcers.
Metrics Tracking
Assessment volumes Findings tracking Risk tracking
Starting Point
At each step in the process, ask yourself the following questions:
Key Concepts in Access Control
Authentication, Least Privilege, Segregation of Duties, Role-Based Access, Password Controls, Privleged Access, Remote Access
Program or Portfolio Level Reporting: Budgeting
Average cost of an assessment (by tier) External assessment budget Travel costs Personnel Training
Due Diligence Processes
Best practice dictates that the allocation of due diligence resources be based on the relative risk of each service throughout the relationship. This approach helps ensure the process is practical, sustainable, and defendable. Different levels of continuous monitoring can be appropriately applied during all phases of due diligence.
Specific Job Requirements
Specific job roles may require different requirements. For example, certain financial roles may require different standards for credit worthiness as compared to hourly roles in a call center. Jobs that require workers to operate equipment may have different screening for a drivers license or driving violations. These industry examples may include drug testing, credit checks, finger printing, and sanction checks.
Background Check Standards and Criteria:
Standards, Components, Specific Job Requirements, Global workers
Within TPRM, it is common for technology controls to leverage _____ , and risk management functions to leverage ____ to frame the requirements
Standards; Frameworks
Contract Provision Inclusion
Steps to take when establishing a process to ensure that the inclusion of contract provisions is consistent with vendor risk classifications and rating. 1) Validate: Validate that contracts are aligned with vendor risk classifications and ratings 2) Establish: Establish standards for vendor risk tiers and classifications based on corporate risk tolerance 3) Document: Document criteria so that the assignment of vendor risk classification is consistent 4) Include: Include contract provisions that define the level and type of assessment and the permitted frequency of assessment 5) Ensure: Ensure that validation of vendor risk classification is included in periodic contract reviews
Strategic sourcing
Strategic sourcing is an organizational function that focuses on indirect goods and services, developing channels of supply at the lowest total cost, not just purchase price.
Rating Levels
Supplier Basic Important Critical Tier 1-X Low to High
Environmental, Social, and Corporate Governance
Sustainability; diversity, equity, and inclusion; energy and climate; modern slavery; ethical sourcing; fair labor; corporate social responsibility
Judgement
TPRM requires strong analytical and systems thinking to enable risk-based decision-making
Changes in Employment Status - 6 terms to be familiar with
Terms and Conditions of Employment Separation Procedures Off-Boarding Process Confidentiality Requirements Return of Assets Hostile and Non-Hostile Exits
Negotiate
The Assessee and Outsourcer negotiate action plans as part of remediation planning.
Each assessment will identify the types of documentation or compliance artifacts that need to be gathered prior to the onsite or virtual assessment.
The Assessee or Service Provider is best equipped to identify which artifacts can be sent in advance, which items are restricted, and can identify those differences on typically a checklist that is returned to the Outsourcer or the Risk Assessor.
Defined Continuity Strategies
The BCM should define the approach to recovery and options available to minimize disruption. Strategies should address technology, personnel, data business processes, and specific facility requirements. Each strategy should be reviewed to determine the ability of the approach to meet the stated goals for recovery of operations.
Personal Data
The General Data Protection Regulation (GDPR) defines "Personal Data" as any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier. This includes a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Amend
The Outsourcer may engage legal counsel if contracts need to be amended or to assess legal implications of remediation plans.
Approve
The Outsourcer, SMEs, and business decision makers should review and approve remediation plans.
Reliability Risk:
The TP may not be able to adhere to an expected or contracted level of service
Performance Risk:
The TP may not be able to meet its obligations due to inadequate systems or processes
TPRM Roles
The TPRM roles build, operate, and measure the end-to-end process for managing Third Party risk within the organization. The TPRM program roles report on the overall program while assessor roles report on the results of a specific engagement or assessment.
Software Solutions for Process Automation
The assessment process, which includes scoping; communicating with vendors and service providers; sending and receiving questionnaires and artifacts; reviewing and scoring questionnaires; and tracking issue status can be time consuming for all participants. TPRM software, such as Governance, Risk and Compliance (GRC) software, can often automate several of these steps. Software solutions are designed to automate the distribution of assessments; collection and analysis of responses; and report on overall risk and program metrics.
Key Highlight
The development of an effective risk appetite framework is more effective when the board and governing committee, management, and business segments work together to develop an organizational risk appetite statement.
First, Second, and Third Category of Factors
The first category is something the user knows. For example, a password or PIN. The second category is something the user has. This could be an ATM card or smart card. The last category is something the user is. This may be proven with a biometric characteristic such as a fingerprint. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute MFA.
Level of Confidentiatlity
The level of confidentiality is assigned to the data based upon a hierarchy in data classification. It includes: Public Internal Confidential Sensitive Restricted
Monitoring Systems
The monitoring and intrusion system may include security guards, alarms, and barriers.
Outbound Supply Chain
The outbound supply chain is the post-production delivery chain for final products and services and would include all the vendors, products, processes, data, and operations that the Outsourcer uses to get products and services to retail, wholesale, and end point users.
Comparing Vendor Management and Vendor Risk Management
The point-of-view on roles and responsibilities between vendor management and vendor risk management are often misunderstood. Let's look at both the similarities and differences.
Purpose of an Assessment
The primary purpose of a Third Party risk assessment is to identify the inherent and residual risk that exists by doing business with the Third Party. The process should identify if there are any gaps in the controls that will conflict with policies. The goal of assessments is to ensure the organization is aware of any absent or failing controls that do not meet the standards set in place.
Private Cloud
The private cloud operates within the confines of an organization's firewall. This is known as "enterprise cloud hosting." a private cloud is a service that is completely controlled by a single organization and not shared with others.
Incident Identification
The process of incident identification involves indicators and analysis. External indicators may include customers, law enforcement, credit card organizations, or industry organizations. Internal indicators may be triggered by user contact to a help desk; IT operations following up on patterns or anomalies; or follow-ups to security operations based on alerts from events via security devices and network activity.
Public Cloud
The public cloud offers solutions to external users to achieve economies of scale and resource sharing in any vertical or jurisdiction where services are shared. There may be no guarantee on where data is stored. While a public cloud is a subscription service that is also offered to any and all customers who want similar services.
Managing Remote Access with a Zero Trust Approach
The rapid shift to remote work, due to the pandemic, has accelerated the focus on managing internal networks, use of cloud services, enabling remote or mobile staff, and managing access to remote vendors
Assessment Reports: Key Point 1: Know the Assessment Firm
The reader of any assessment report needs to have confidence in the credentials of the assessor.
Regulatory Change Management: But how is a company supposed to implement programs or processes to meet these obligations?
The regulatory change management program should define the tools needed to monitor changes; the roles and responsibilities for research and analysis; and how results are shared with management.
5. Post-Assessment Monitoring
The results of the assessment and the overall risk posture of the Third Party should determine the level of post-assessment monitoring.
Risk Awareness Reinforcement and Education
The role of training and education is communication-oriented as it relates broadly to risk management (including TPRM) and risk culture development. The type of training should provide context for the specific environment in which the organization operates and the evolving nature of the environment.
Second Line of Defense
The second Line of Defense is comprised of the groups within the company who provide risk oversight (risk management, compliance, legal, etc.) These groups establish the policies, procedures, and controls for managing risk and provide oversight and guidance for the first line
Third Line of Defense
The third Line of Defense consists of the independent assurance providers - internal/external audit. These groups provide validation for the risk and control assessments established by the second line, testing them as appropriate.
Pandemic Planning Practices
There are key differences in the approach to pandemic planning and traditional business continuity planning. While various natural or man-made disasters vary in severity, and may not be predictable, they typically are limited in scope or short in duration. In contrast, the impact of a pandemic is harder to determine due to scale and duration. Pandemics tend to occur in waves, can span significant geographies, and have an economic impact on a global scale. Pandemics not only create business disruption but shift work, vendors, and business processes to remote settings. Your organization's BCP should incorporate these 5 elements below of readiness and preparation to address pandemic planning.
Understanding the Process
There should be a consistent understanding across the organization about the required risk management processes involved in TPRM. This includes knowing who is responsible for those processes (e.g., due diligence, flagging, and escalating incidents and issues).
Are there examples of changes that could significantly affect reputation, risk, and compliance to a company's regulatory, statutory, or contractual obligations?
There sure are! These negative affects can come from environmental, regulatory, and technology changes.
Terms and Conditions of Employment
These define the parameters for employment based on job role. They may include conditions that could require re-acknowledgement of the agreement or update to background checks.
Using Data Flow Diagrams to Set Context
Third Party --> Type of Data --> Systems; Locations; Users
Privacy and Security Awareness Training
Third Party Risk Professionals need to evaluate the maturity and effectiveness of a vendor's training and awareness program. Let's have a look at some best practices.
Policies should include technical controls for network access. This includes..
This includes firewalls, malicious code prevention, outbound filtering, and security. Detailed information may be included in the configuration standards or procedures.
Threat Modeling
This is a methodology that allows the user to systematically identify and rate the threats that are most likely to affect a system. The identification and rating of threats are based on a solid understanding of the application architecture and implementation. This allows threats to be addressed with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk. Threat modeling is characterized by a structured approach that is more cost efficient and effective than applying security features in a random manner.
Authentication
This is a process to verify the identity of a user, device, or software component. Authentication is based on something you have and something you know.
Remote Access
This is the ability for a user to gain access to company assets, applications, computers, or networks from a remote location outside of the company's perimeter.
Return of Assets
This is the return of the organization's information assets (e.g., technology, documents, mobile phone, laptop, equipment, credit card, security badges, access control technologies). Bring Your Own Device (BYOD) items may require data deletion.
all methods of phishing have the same goals. ..
This is to steal personal data.
Regulatory/Supervisory
This is triggered by a change or issue with legal/statute obligations; no explanation is required.
Least Privilege
This principle recommends minimum user privileges for both physical and logical access based on job need.
Ethics and Employee Code of Conduct Program
This program may be owned by the Legal department, but operational components may be managed in HR. This program may include the following: A documented and communicated program structure and policy that is approved by management Risk assessment Independent and anonymous whistleblower reporting mechanism Standards of conduct, policies, and procedures Record-keeping obligations Disciplinary action for failure to comply with policies for employees, or as defined by the vendor agreement
Technology-based intrusion identification systems and tools may include:
Threat intelligence feeds from external data sources Intrusion detection and prevention systems for networks and hosts End-point visibility tools Data loss prevention tools Log correlation and analysis tools File integrity tools Malware detection tools Network behavior analysis system
Dashboards and Intelligence Tools
Tracking Events; Monitoring Service Agreements; Performance Measures
Understand the Business Model Context to identify specific contractual obligations in scope for each Third Party relationship. You must consider the following:
Understand roles and functions of each party to identify the Business Model Context. Determine who is the owner of the data and who simply utilizes the data. Clarify the marketing and selling roles. Identify company ownership and legal entities. Identify required contracts, agreements, and provisions based on regulatory jurisdiction. Align and conduct periodically scheduled due diligence of contractual obligations based on the business model.
Third Party Risk Management Perspectives - Different Points of View: Risk and Outsourcing Considerations
Understand the outsourcing risks from both the Outsourcer and service provider requirements.
How Important are your Vendor Services?
Understanding Availability. Availability can be defined as ensuring timely and reliable access to, and use of information. Availability is characteristic of an organization's business functions continuing to operate. In many instances, the ability to deliver services to clients is directly related to the ability to receive time sensitive data, services, and processing from key business partners.
To be effective, inventory documentation should enable:
Understanding of the Process Common Inventory Repeatable and Reliable Process
Step 5:
Update TPRM Program Key Risk Indicators (KRI) and Key Performance Indicators (KPI).
Step 2:
Update vendor profiles with findings, corrective action plans, and remediation timeframes
- New Devices, What you need to know:
Use an approval process when connecting new devices. Be sure to also implement firewall rule changes.
Verify
Validate controls and responses Risk Ratings or events dictate assessment type Pre-onboarding due diligence Perform onsite or virtual assessments
Virtual Assessments
Virtual assessments are a method of providing an efficient and cost-effective way of evaluating a Third Party's controls. A virtual assessment reviews the same controls as an onsite assessment. The First Step in a virtual assessment is to require the Third Party to complete a questionnaire. The questionnaire is designed to provide information about how they develop and maintain the protection of information assets. Assessors review "online" or acquire documentation directly from the Third Party and review it to ensure it matches the Third Party's responses and satisfies the requirements for each control. This may require that the Third Party carry a camera or take a video of the physical controls. Independent audits or reporting by assessment firms, internal audit departments, and prior assessments can be used to verify Third Party self-reported information. PCI DSS Compliance Attestation Reports or Penetration Vulnerability Test summaries provide the verify component as Third Parties have someone other than the responder assessing their risk controls.
Vulnerability Testing
Vulnerability testing attempts to identify instances where an application behaves in an unintended manner. It is a type of security testing that reviews code in order to identify instances where an application allows unintended processes to occur. Therefore, vulnerability testing typically occurs in the QA and production phases of the SDLC, where the application represents the final or near final version that will be utilized by end users. Results of security testing when the application is in its final or near final state, should be treated as exploitable vulnerabilities and remediated accordingly
Vulnerability Testing
Vulnerability testing within the SDLC process is composed of two distinct concepts which may utilize similar techniques. However, the output is managed very differently. These two concepts are defect management and vulnerability testing. Before going further, it is important to understand the distinction between a security defect and a vulnerability.
Third Party Management Team
We apply the TPRM policies and standards to conduct due diligence and oversight of risk in the third party relationships based on contractual obligations.
Security
We ensure that required security information and data protection contract provisions are in place and that security requirements have been provided and agreed to between parties.
Procurement
We handle the set ups, quotes, purchase orders, payment authorizations, and settlements
Appropriate Use
When companies use data or information that is provided or entrusted to them, the data should be used according to the agreed upon purposes, and for no other purpose. This is appropriate use.
Compliance Artifacts Review`
When reviewing compliance artifacts, think about what must be retained, or only viewed. When documenting the results, review the process without opining on the quality of the documents. Be sure to include dated references.
The vulnerability management program should define the roles for accepting or mitigating an identified vulnerability. Management has the accountability to document the rationale for either taking action or not taking action. The organization should identify:
Who documents the decision to accept the risk? Who assesses and documents the level of risk of the vulnerability? Who identifies any mitigating controls or factors? Who identifies the role and person accountable for accepting the risk
Assessment Logistics:
With Pre-engagement planning, there is list of 7 elements that you must take into account
External Assurance Reports
With external assurance reports, the Service Provider provides evidence and external assurance reports that are relevant to the locations and services provided.
The Importance of Training and Awareness
You must define and communicate vendor risk management policies to stakeholders, including the definition of a communication plan to communicate policies and procedures to personnel.
Third Party Identification: Who are they and what do they do?
You need to ask yourself these questions: Who are my Third Party service providers? What services do they provide? What data and systems do they have access to?
On-Site Assessments
You or your representatives conduct a physical assessment of the Third Party's risk controls. You must look beyond the existence of controls. You are actually testing that the controls are, in fact, as represented; and also how well the Third Party executes those controls. On-site assessments require long range planning with the Third Party to ensure that necessary access and resources will be available. This normally takes between two days and a full week.
1. Name and Role
You should identify all participating attendees by their name and role.
Organizations need to have clearly defined processes for identification, containment, and restoration for threats and attacks. This is especially true for....
Zero-Day Attacks. In a Zero-Day attack, there is an attack on a piece of software that has a vulnerability for which there is not any known patch. Evolving threats that a company should incorporate into their TPRM program include secure data recovery, ransomware, cybersecurity hygiene, Internet of Things (IoT), artificial intelligence, and machine learning.
The Third Party Inventory and Risk Register is ....
a shared responsibility and relationship. The key components are an inventory of Third Party relationships and the risks involved with outsourcing a specific service or activity; defining risk attributes; rating risks based on multiple factors; and creating a sum of all the risks associated with all Third Parties across the organization.
A comprehensive risk assessment program should include...
an evaluation of the types of risk; a risk governance plan that includes scoping; risk evaluation criteria; risk treatment requirements; action plans; measurements; and monitoring.
BIA should be reviewed and updated at least..
annually
Incidents
are events that are typically information technology, or driven by physical or operational failure.
Creating Corrective Action Plans involves not only...
assessment participants, but business and control owners as well
Pandemic Planning is an essential part of overall...
business continuity planning due to the possibility of a large percentage of a business' or supplier's workforce being affected at the same time and creating a significant business disruption.
Triggers for review and potential updates to contracts or template terms should be defined by..
by the organization based on relevant regulatory changes; significant changes to the risk and threat environment that results in significant incremental control requirements; and changes in a provider's scope of work.
Key Highlight: Eighty percent of hacking related breaches leverage ....
compromised credentials.
The triad
consists of confidentiality, availability, and integrity of data.
The Risk Appetite Framework is the..
core instrument for defining and aligning risk sensitivity and metrics in a specific business context across an organization
A critical part of remediation process management is to...
define the internal and external escalation process for changes in the status of a corrective action plan. Aged plans without mitigation can increase risk exposure and may require additional risk acceptance by the business.
Vendor Management and vendor risk management are...
different concepts. Both processes may influence contract provisions for Third Parties. Consider the following: Operational contract terms like pricing, service, or a performance SLA are a part of vendor management. Vendor risk management contract terms include requirements for rights to audit, notification of security vulnerability, or specific obligations for business disruption.
Your BCP should set guidance for ...
disaster recovery requirements and critical business processes. Examples include people at new sites, remote connectivity, alternative staffing pools, and alternate vendors or providers.
Monitors and controls must be established for infrastructure and the retention of evidence for access and actions. This includes the ..
electronic access control at essential ingress and egress points; the correlation of video and keycard access data; and the retention of video and logs for forensics.
Organizations should implement and maintain a formalized..
enterprise risk governance plan and a continuous risk assessment process. This will enable the organization to identify, quantify, and prioritize risks based on the risk acceptance levels relevant to the organization.
An organization hosting cloud services or a Cloud Service Provider (CSP) should have a ..
formalized information security program and documentation of its security responsibilities related to the type of service and deployment models provided.
Organizations must understand threat and vulnerability management. Understand that vulnerabilities are ..
gaps or weaknesses that undermine an organization's IT security controls and could be exploited by an attacker. Organizations must defend themselves against these types of threats (e.g., a DoS attack).
Issues
generally relate to control deficiencies uncovered during due diligence or as part of on-going oversight activities.
The Controls Evaluation Process ____ and _____ the findings of the assessment. These findings or control gaps are risk rated by severity level to quantify the risk to the organization. The risk analysis and Corrective Action Plan summarizes the identified control gaps in order to recommend fixes based on TPRM program requirements.
identifies and classifies
Understanding the data environment of the entity or services being assessed starts with...
identifying attributes about the environment where Target Data is collected, accessed, processed, or retained. Identifying the use of dedicated or shared environments and scope of international footprints are critical factors in planning a Third Party vendor risk review or vendor assessment. It is equally important for your company to know where your data is and from where it can be accessed!
BIA prioritizes the effect of a business disruption based on the ..
impact and likelihood of an event.
A Data Loss Prevention (DLP) Program is designed to..
implement policies and controls to discover, monitor, and protect confidential information in storage, use, or transit over the network or perimeter. DLP programs address people, process, and technology components.
The threat landscape can change based on the internal or external factors.. and this is why it is ...
important to have monitoring functions. Monitoring internal and external changes that may trigger the need to respond, escalate, and inform key stakeholders
Patch Management
is a function companies must do. The roles for managing patches have evolved with changes in technology. Let's look at how a company would manage devices compared to an individual.
Remediation Planning
is a negotiation between the two parties. Remediation plans should be realistic in terms of timeline and capacity for remediation
Continuous Monitoring
is a risk management approach designed to maintain an uninterrupted view of a Third Party's control posture, often in real-time.
Information Security Policy
is a set of rules that guide individuals who work with IT assets. The Information Security Policy is approved by management and serves as a foundation for the information security controls of an organization. The policy should be reviewed on a regular basis; assessed on adequacy and effectiveness; and revised accordingly. Also, the policy should be communicated to all personnel, including full and part-time employees, contractors, consultants, and temporary workers. The information security policy should also address technical components, incident handling, exception processes, and include Third Parties.
Supply Chain Risk Management
is a systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats. The objective is to protect and sustain operations by evaluating resilience requirements, service level agreements, and control objectives.
Mobile Device Management (MDM)
is an industry term for the administration of mobile devices. This includes smartphones, tablets, laptops, and desktops. MDM is usually implemented with a commercial product that has product-specific management features. It can incorporate safeguards related to, but not limited to, password controls, remote wipe, remote lock, detection of jailbreak devices, and encryption validation. MDM focuses on controlling the entire device and requires that users enroll or register their device and install a service agent.
Network Security
keep a focus on network security in order to lower the risk of an attack
An organization's risk appetite statement documents, at a high level, the acceptable...
level of risk that board and executive management agree is appropriate, given the organization's business objectives.
Consider the following end-of-life management practices:
o 1. Create and approve an end-of-life or sunset strategy for legacy systems o 2. Track changes to Third Party systems and applications and note any planned end-of-support by the vendor. o 3. Conduct periodic risk assessments to determine end-of-life for systems. o 4. Plan for the replacement process of obsolete systems. o 5. Define specific procedures for secure destruction to prevent unauthorized disclosure of information.
A formalized patch management program will contain the following:
o A monitoring function to identify the availability of patches o An assessment process to evaluate the patch against the environment o A prioritization process to determine applicability of the patch to company systems o A process to obtain, test, and install patches o An exception process to document patches that management decides to delay or not install o A process to update production environments and any locations used for disaster recovery o A documentation requirement to update related asset inventories and disaster recovery plans o A process to confirm that patches have been applied correctly
Relationship Management
o Let's put a spotlight on contract reviews. This is a cyclical review that is consistent with risk ratings. Contracts must also be updated for increased control monitoring. You can modify contracts as needed in response to improved monitoring techniques. Otherwise, it may be prohibited under the existing contract. Be sure to review the Data Protection and Security Contract requirements, exit terms, and other clauses ahead of renewal. This includes evergreen contracts needed to meet regulatory changes. o The following are key elements to consider when you are between the process of relationship management and contract termination: § Obligations management § Contract amendments § Reporting requirements § Audit provisions § Contract renewals
The structure of a compliance program is based on the following 7 core foundational elements:
o Standards, policies, and procedures o Governance model or compliance program administration o Communication, education, and training o Monitoring and auditing functions o Internal reporting systems and measurements o Discipline for non-compliance o Investigation and remediation measures
To enhance maturity of TPRM performance, the evaluation process should consider the following:
o The need for structural program changes to better manage risk oversight o The need to focus on quality versus quantity of risk reports o The adequacy of the cadence for independent risk management reviews o The ability to leverage outside assessments and to take advantage of cross-industry resources to maximize program efficiencies o The adequacy of continuous monitoring to complement proven and periodic due diligence processes o The use of emerging tools and techniques to better manage Outsourcer responsibilities in a cloud environment o Risks associated with emerging technologies
Different assessment types can be..
on-site, remote, virtual, facility tours, or Fourth Party tours.
Compliance Programs are not cookie cutter or "_______"
one size fits all. The scope, depth, and breadth of a compliance program are based on the type of organization; its business model; its culture; the industry sector; distribution channels; and even the type of products or services that are sold. Enterprise compliance and ethics programs are typically based on a defined set of values, core operating models, or principles.
Public Internal
open area of the building
Regulatory Change Managment
organizations should establish a formalized process for monitoring compliance with regulatory matters, recording, and reporting compliance issues.
While organizations can outsource actions and services, they can never ....
outsource accountability.
The data flow describes the..
people, systems, applications, and authorizations involved in the collection, use, transfer, and storage of data between parties. DFDs are a graphical representation of the flow of data in an information system. This allows the visualization of how the system operates to accomplish its purpose
This process includes the collection and review of documentation and artifacts from the Assesse. These artifacts may be..
policies, standards, or procedures, and may include lists or examples of specific control evidence. The Risk Assessor will inspect these artifacts based on their TPRM requirements and confirm that specific controls are identified. Screen shots, test samples, or evidence requests demonstrate the execution or proof that requirements identified in policies are being implemented.
A Contract Management System (CMS) ...
provides the structure for an organization to administer its contracts throughout the vendor lifecycle. A CMS complements, but is not a substitute for a Governance, Risk, and Compliance (GRC) system.
Higher risk relationships or events tend to leverage _______. Lower risk relationships may be _________ based on defined standards in TPRM policies and procedures.
real-time or annual assessments. reviewed periodically
A first step in assessing how a Third Party addresses organizational roles for security is to
review the hierarchy of the organizational chart. The critical element is to understand accountabilities and the level of empowered decision-making or position authority each role has in order to address information security risk. These roles may include executive management, Chief Information Officer (CIO) or Chief Technology Officer (CTO), Chief Information Security Officer (CISO), Data Protection Officer (DPO), IT line management, and business unit management.
Outsourcer sets.. Third Party Providers are... Fourth Party Providers..
risk appetite and ultimately bears all risks; Responsible to Outsourcer through contract SLAs; Outsourcer recourse through third party
Third Party assessments are based on the..
risk culture of the business and the level of assurance required by market, service, or customer base. Control questionnaires are the trust component as a Third Party is "self-assessing" their risk controls.
Information assets can be transmitted via many end points. And this creates..
risk for disclosure of confidential information.
When conducting the post-assessment, think about..
risk identification and reporting
Analyze a Third Party's incident management program to ensure..
security events and weaknesses associated with system assets and data are properly communicated, and that any relative corrective actions are taken.
Risk focuses on what an organization "____" do, while audit assess what the organization "__"do
should;did
Enterprise Risk Management (ERM) risk factors
strategic risks, financial risks, operational risks, compliance risk, IT and infrastructure risks, reputational risks
You must classify and prioritize all issues, and then focus on those..
that describe materials risks to the business. Be sure to validate your initial findings with management and the business unit. Put a focus on what tasks need to completed, and by whom.
- Cybersecurity Risk:
the TP may fail to appropriately manage threats, vulnerabilities, and controls which may result in loss of data
- Competency Risk:
the TP may not be able to retain skilled employees or maintain up-to-date personnel qualifications
- Technology Risk:
the TPs technology becomes obsolete, or a change in technology triggers operational impact to the company
If the Recovery Point Objective (RPO) metric does not equal the Recovery Time Objective (RTO), ..
the company may potentially lose data or not have data backed up to recover
Third Party Contract Management
the contract defines the entire relationship with the vendor. It establishes the rights, roles, and responsibilities. This includes the organization's ability to assess and require remediation from the vendor.
The termination strategy should be fair to both parties and should be established during ...
the contract process
The level of monitoring is based on the risk tier or the risk rating of the Third Party. The higher the risk tier..
the greater the degree of assurance is needed. The risk rating of a Third Party can change over time.
Data protection policies outline ...
the measures an organization takes in the processing and handling of personal data. The policies describe the scope of data, employee and management responsibilities, enforcement, and the set of safeguards that are in place to protect privacy.
The TPRM Program defines the type, scope, and level of Third Party risk assessments based on...
the organizations risk posture
Defense in Depth
the physical environment of a company's location can be viewed from a security model called Defense in Depth
Organizations should implement a formalized information security and information technology incident management program..
to ensure an effective and consistent process for managing and controlling information security or IT service impacting incidents
Remember, monitoring is designed..
to maintain an ongoing awareness to support organizational risk decisions based on defined intervals.
A TPRM program should define the criteria and events that may...
trigger the frequency or timeframe for re-assessment. The cadence for conducting or updating an assessment is based on the overall risk or may be triggered by internal or external events.
Remember, when planning for an assessment, be sure to ..
use repeatable and consistent approaches with standardized documentation request lists, questionnaire templates, agendas, and checklists. Communication is critical to ensure resources are available to respond to questions or to provide overviews of the control environment. Set clear expectations for all participants using pre-assessment meetings.
Due Diligence expectations should be established and documented..
when entering into any Third Party relationship. Due diligence communications should be maintained between an Outsourcer and a Third Party throughout the contract lifecycle. Outsourcers should utilize pre-established standards for Third Party risk tiers/classifications based on corporate risk tolerances.
Business continuity and disaster recovery testing uses ...
written plans, processes, and procedures to validate the organization's ability to resume business operations. Testing approach and frequency may vary based on the size of the organization, complexity, and nature of the business.
An assessment may be structured at a relationship level or by an actual product or service. TPRM standards and procedures establish the requirements and factors that define risk ratings. - Ask yourself the following when evaluating the actual service provided:
§ What is the type of data being handled? § What is the level of customer interaction? § What is the Risk Tier? § What is the nature of the service or processing?
TPRM Management Reporting: Reporting needs to provide management with the appropriate level of information to understand the risks associated with Third Parties. Reporting also needs to provide management with the appropriate level of information to understand the risks that Third Parties face. Levels of reporting examples:
Board of Directors; C-Suite and Management; TPRM Risk Reporting
CCTV surveillance
CCTV data should be stored for a minimum of 90 days. There should be investigations of unsuccessful attempts.
The following information shows the factors that influence the risk rating of outsourced services - Categories and Criteria for Risk Rating
Category: Data; System Access; Availability Criteria: Type, Location, Transmission; Connectivity, Remote Access, System to System; Impact on Operations, Impact on Revenue, Impact of Regulatory Compliance
Factors in Assessing Organizational Security: Information Technology functions may be centralized or decentralized based on company culture. Either approach can be effective in managing and mitigating risk. The critical factor in TPRM is to understand the interactions and structures for the various types of roles involved in organizational security functions.
Centralized Functions Decentralized Functions
Segregation of Duties
Certain jobs require that more than one person be involved to complete critical or sensitive tasks. By separating the task components, the organization can mitigate risk.
Key Rating Parameters
Classification of data provided to, or accessed by the Third Party Geo-location of Third Party, Fourth Party, and data Technology provider or use of technology to provide services Network connectivity and availability Specific regulatory compliance posture that affects outsourcing organization BCP/DR program conformance with outsourcing organization Level of financial commitment, including step-in risk for the outsourcing organization Criticality or materiality to the outsourcing organization's operation, including consideration of sole provider Third Parties
Data Governance Strategies
Client-scoped data includes any classification of company confidential information or personal data of individuals accessed, collected, used, transmitted, processed, or retained by the organization. It is extremely important to identify all instances where your data could in any way cross national borders (e.g., stored, processed, accessed, transferred). Strategies include understanding data locations and basic data flows; evaluating the scope of data transfers; awareness of Third and Fourth Party disclosures; and techniques for masking or de-identifying data.
Cloud Security Computing Service Types
Cloud computing services fall into four categories: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), and functions as a service (FaaS). These are sometimes called the cloud computing stack, because they build on top of one another.
When conducting a Third Party on-site or virtual assessment, you must understand the critical components, best practices, and lessons learned from both the Outsourcer's and the Service Provider's points-of-view. These include, but are not limited to the following:
Collaboration tools in real-time Conducting discovery Compliance artifacts review Controls evaluation Skill sets for Assessors
Identifying and Assigning Levels of Confidentiality: Commerce
Commercial organizations tend to structure their level of classification at four levels. This include: Restricted, Confidential, Internal, and Public.
Findings and Actions
Communicate findings, corrective actions, or open and contingent items that are still of concern. Discuss these items with the Third Party and develop a realistic remediation plan and timeline. You must define Third Party and business responsibilities to monitor remediation tracking. Follow up on these actions through completion and resolution. Also, consider sharing the draft report for clarity and accuracy.
1. Communicate
Communicate the requirements for risk-based vendor management to your organization.
Key Highlight
Communication plans should provide timely information for customers, regulators, and other stakeholders as appropriate. These communications plans should be coordinated and tested on an ongoing basis with Third Parties when the service is outsourced in part, or in whole.
Topics included in corporate compliance and ethics programs may be based on federal sentencing guidelines for US companies or codes of conduct in other international locations. Codes of conduct may extend to Third Parties, especially in the supply chain with external statements of expectations. These topics may include:
Company values and mission statements Codes of conduct Anti-Bribery Anti-Trust Anti-Corruption Competitive practices Insider information Money laundering Trade compliance Human trafficking and modern slavery Social media Sustainability Intellectual property
Confidentiality Requirements
Complete communication of responsibilities for ongoing security, confidentiality, and legal responsibilities for all personnel. These may include non-compete agreements.
Plan Activation
Conditions for activation of each scenario and the associated roles and responsibilities required should be formalized and published.
Phase 2: Engagement Activities
Conduct Discovery Interviews, Tours or Inspections; Complete Compliance Artifact Reviews and Control Testing; Summarize Assessment Results and Findings
Defined Events
Conduct contract reviews based on identified events. Identify specific triggers that may impact the level of monitoring or that may require approval for contract exceptions. Certain events, like subcontractor notice and approval, may impact multiple relationships in the supply chain. Defined events are based on internal and external factors.
When establishing risk parameters and report, the following criteria for risk tiers/classifications will also be used:
Contract requirements Level and type of assessment Frequency of assessment The established Risk Ratings will be used to define the types of management reporting required. This includes service type, business unit, and enterprise.
Monitoring Service Agreements
Dashboards and tracking tools can be used to monitor service level agreements for changes in the environment.
Tracking Events
Dashboards can be used to track events from the internal and external environment to create alerts.
Risk Factors
Data sensitivity, Location, Availability/Resilience, Customer Impact, Concentration
Contract Standards
Define periodic contract review schedules based on current contract standards. Ensure that contract procedures address performance failures, return of data, or transition services. Establish processes to ensure mandatory provisions are included and implement spot checks to correct contract deficiencies.
3. Define
Define risk monitoring practices and establish an escalation process for exception conditions.
Tools, Measurements, and Analysis
Define the tools and technologies needed to monitor and measure your program's success. This includes your workflow management; the tools to monitor changes in the environment; the tools to assist with risk scoring; dashboard and scorecard automation; and real-time threat monitoring. Additionally, there are tools and technology to enable tracking and analysis, including: Performance status, vendor value, and service delivery Control environment Operations Regulatory compliance External threats
Final Report Distribution
Determine options for distributing the final report, and options if the remediation plan falters. This includes time extensions, re-assessments, and termination. The final report should be reviewed with all interested parties. If requested, the Assessee should provide a response to the final report.
Contract Templates
Develop contract templates that include provisions to address notification of changes related to the Outsourcer's vendors' vendors (Fourth Parties/sub-outsourcers).
Types of Outsourcing
Direct/Indirect, Services, Application, Technology, Personnel
TPRM and Documenting Risk
Driving and evaluating TPRM program effectiveness requires the development of a clear and documented organization-level understanding of the amount of risk an organization is willing to bear in order to pursue its strategic and measurable objectives.
Training programs for Employees and Stakeholders
Employees and stakeholders should receive training on the objectives of business continuity. Training should include testing methods, reporting of test results, and identification of critical business functions. The level of training required may be based on job role and involvement in program execution.
Fully developed TPRM Program has become a critical component of an organizations approach to....?
Enterprise Risk Management (ERM)
Third party risk is just one risk focus area that may be included in an organization's overall approach to ...
Enterprise Risk Management (ERM).
Environmental Controls
Environmental controls include continuous monitoring of critical environmental systems and the establishment of thresholds and alarms for proactive action.
Supporting Evidence
Establish a process to request supporting evidence or assurance of the maturity and governance of the Vendor's own TPRM program and Third Party risk assessments.
Established Procedures
Establish and document procedures and language for extension of contract obligations to a vendor's vendor.
Independent TPRM Program Evaluations
Evaluation Process Reviews Executive Management
Bi-Annual or Baseline at Contract Renewal
Exposure to basic or lower classifications of data Lesser volume or work Offshore without access to data Services are deemed non-critical Basic vetting at contract acceptance Re-validate as required Leverage third party sources for due diligence monitoring
Mapping External Dependencies
External dependency risks are risks that arise in relying on external entities to support an organization's critical services. Critical services fall under four categories: people, information, technology, and facilities. Interdependencies and linkages should be mapped among all components of inbound and outbound supply chains. Mapping should identify the pathways and interconnections of the chain for each step in the fulfillment process.
Perimeter:
External part of the building
Public External
External part of the building; private area
Functions as a Service (FaaS)
FaaS adds another layer of abstraction to PaaS, so that developers are completely insulated from everything in the stack below their code. Instead of handling the hassles of virtual servers, containers, and application runtimes, they upload narrowly functional blocks of code and set them to be triggered by a certain event. FaaS applications consume no IaaS resources until an event occurs, reducing pay-per-use fees.
Defending Against Outside Threats
First layer of defense is the perimeter
Level 2: Executive Management
Focus on business and operational risks 60-80 metrics Changes are infrequent
Level 1: Board
Focus on strategic and other significant risks 30-25 metrics changes are rare and exceptional
Company-Owned Devices
For company-owned devices, the organization's controls to address end-user device security may include the following: Protect devices against malware. Patch, update, and maintain software on devices. Audit device configurations and patch levels. Remotely disable or wipe the device in the event of theft or loss. Use of geolocation to support recovery efforts.
Assessing and Managing Risk Factor: Technology providers, vendors, and suppliers are all external dependencies. When an entity is removed from the chain of directly contracted outsourced services, the entity is a..
Fourth Party. Each Fourth Party may have their own sets of technology providers, vendors, and suppliers. This creates the chain concept of the Nth Party.
Fourth Party Management
Fourth party assessments are conducted by first holding the Third Party accountable to have a TPRM program in place for an of their vendors that are involved in the delivery of services. The Outsourcer is looking to the Third Party to provide evidence of the types of assessments they have performed and evidence of a control evaluation. Assessors may rely on evidence and reports from external audit reports for validation or independent testing of controls if permitted.
GDPR
General Data Protection Regulation
Managed Services
Given the expansion of the use of outsourced technology environments, many organizations may decide to use outsourced staffing models for either IT or security functions. In managed services, the responsibility for maintaining and anticipating the need for a range of processes and functions is outsourced to a Third Party to improve operations and reduce expenses. There are multiple types of managed IT services including networking, hardware, help desk, managed cloud infrastructure, or even CIO/CISO services. The bottom line is identifying and understanding who is accountable for defining and maintaining the appropriate controls in the technology environment.
GRC
Governance, Risk, and Compliance
GRC Definition
Governance, Risk, and Compliance (GRC) is the framework and tools such as policies; procedures; and controls and decision-making hierarchy. These are employed to manage risk in the organization. GRC systems partially automate risk management processes, such an onboarding, ongoing oversight, compliance, incident/issue management, and maintenance of TP risk registers and inventories.
"Three Lines Model" For Assurance
Governing Body - accountability to stakeholders for organizational oversight Governing body roles: integrity, leadership, and transparency. Management - actions (including managing risk) to achieve organizational objectives - First line roles: Provision of products/services to clients; managing risk - Second line roles: Expertise, support, monitoring, and challenge on risk-related matters Internal Audit - Independent Assurance -Third Line roles: Independent and objective assurance and advice on all matters related to the achievement of objectives
Arrow Up: accountability, reporting Arrow Down: delegation, direction, resources, oversight Arrow side to side: Alignment, communication, coordination, collaboration
Governing Body delgates, direction, resources, oversight to/over Management and Internal Audit Management provides accountability/reporting to governing body, and needs to work in alignment, communication, coordination, collaboration with internal audit. Internal audit provides accountability/reporting to governing body, and needs to work in alignment, communication, coordination, collaboration with internal audit.
Identifying and Assigning Levels of Confidentiality: Government
Government agencies tend to define the level of classification of data based on the risk of disclosure. These levels include: Top Secret, Secret, Confidential, Sensitive, and Unclassified. A particular type of data or data record can change its' classification over time.
Tools can also be configured to define or look for specific scanning requirements. This includes:
Government issued ID numbers Account numbers Date of birth Functionality Email and attachments
Step 4:
Implement any needed changes in monitoring, and be sure to track remediation status
"Zero Trust" Model
In a "Zero Trust" model, the company verifies anything and everything that connects to its systems before granting access. Remember, passwords with privileged access, which allows access to the full control of critical computer systems and applications anywhere, are a main target for hackers.
You do not want to be in business with an organization that transmits your data but lack information security measures in place to safeguard the data.
In order to mitigate that risk you need to have processes in place for evaluating and identifying inherent risk. Once identified, including any compensating controls, you will want to understand what that risk means. The residual risk is the amount of risk that your organization is accepting in order to do business with an organization that has all the necessary controls in place.
Incident Severity
Incident severity is a ranking of an event's significance that uses, at a minimum, a three-point scale: minor, moderately severe, and severe. For each level of severity, IT organizations should define acceptable resolution times, escalation procedures, and reporting procedures.
Strategies
Include documented strategies or approaches to scale the organization's pandemic efforts over time and across locations. Strategies should incorporate preparations for the next or subsequent waves.
Step 1:
Incorporate assessment results into enterprise risk management reports
2 Risk Types
Inherent Risk and Residual Risk
Inherent Risk
Inherent risk is the amount of risk an organization can incur when there's an absence or failure of controls.
Trust
Initial Assessment Third Party Control Statements Facilitated by Questionnaires Scoped to specific activity or service
Remember these key points:
Inspect for what you expect. Focus on critical controls. Leverage questionnaire inputs. Clarify responses. Be flexible on compensating controls.
Trade, Marketing, and Sales Practices
International trade and export, anti-competitive practices, consumer protection, collections, sanctions screening
Defend
Intrusion Detection Intrusion Prevention Denial of Service Remote Access Unauthorized wireless
Planning
Involves scoping objectives for outsourcing, determining what should be outsourced, establishing risk criteria at the scope of work (activity level), establishing relationship owner, and developing a TP inventory
Skills and Competencies for TPRM
Judgement; Time Management; Attention to Detail; Collaboration; Communication; Technical Aptitude
The levels of management reporting include..
Level 1. Board level reporting Level 2. Executive Management Level 3. Business Segments
Board Reporting
Level of awareness and compliance with laws and regulations Self-assessments and independent assurance Integrated with strategic planning initiatives Internal & external trends Implications of enforcement actions
C-Suite and Management
Lines of business Functional area reports
4. Maintain
Maintain a documented risk management methodology for Third Party risk.
Data Restoration
Make sure to have an accessible off-site repository of software, configuration settings, related documentation, backups of data, and off-site infrastructure to operate systems.
Monitoring and Reporting of BCM Activities
Management and board level reporting should include a written presentation that describes both definition and execution of the BCM Program. The BIA, risk assessment, and the BCP should be shared so that leadership is informed about the status of the program and its ability to mitigate the risk of significant disruption. Reporting should include metrics, audit results, issues, test results, and recommendations for process improvement.
Organizations need to clearly define the requirements for managing and preparing for changes in an environment. Governance structures or change committees need to approve changes, and limit changes to authorized users. Change management functions include:
Management approved operating policies and procedures Documented roles and responsibilities Defined governance structures Formalized change management or change control policies Audit trails for all changes
Regulations, Statutes, and Laws
Managing Compliance Obligations - Compliance obligations can be driven by statutory, regulatory, contractual, or industry requirements. While specific regulations are sectoral or country specific, there are more commonalities in how regulations are being shaped by international, federal, or state/provincial regulators that influence TPRM
Personal Devices
Managing and maintaining software updates on your personal devices can often be challenging and frustrating. The timing can be inconvenient and may disrupt your schedule. When you need to manage multiple home devices and users, you make decisions on when to apply the updates, and which to apply first. You will need to make a decision on which device to update first. This can be based on the business need and the potential risk. Prioritizing updates after evaluating the impacts is considered a risk-based approach to patch management.
Manual Inspections and Review
Manual inspections are human reviews that test security controls, policies, and processes. These reviews may include inspection of technology decisions, architecture design, or configuration. Manual inspections and review typically include an analysis of documentation. This is done in collaboration with system designers, system owners, and subject matter experts. A manual inspection is a technique to assess the software development process itself for adherence to the policy and skill set of those involved in the process.
Real Time or Annual Re-Assessments
Material issue or breach Vendor criticality rating so vital that incapacity would debilitate the business Exposure to regulated and sensitive data Large-scale processing Direct contact with end-users Remote access to production Geolocation risk/Offshore with data access Cybersecurity events
Process Automation with Technology Enablers. Use tools, technology, and automation to drive efficiency into your processes for collecting metrics, managing workflows, and creating management reports.
Metrics Tracking Workflow Management Risk Reporting
3rd Phase of an Assessment: Post-Engagement
Monitor Risk and Remediation Process Management
Multi-Factor Authentication
Multi-Factor authentication, or just MFA for short, requires the use of solutions from two or more of the three categories of factors.
Contracts Team Roles
Multiple teams are engaged in contract management and administration for third party agreements. Each organization will structure the roles and responsibilities for creating, negotiating, signing, and approving contracts based on internal policies. Contract policies define the structure or hierarchy for how contracts and contract exceptions are approved based on factors like criticality, spend, risk, or compliance. Contract teams may be centralized or decentralized based on the size of the company and volume of third party relationships.
Technical Controls
Network access User access Operating systems Application development
Contract Termination Types
Normal, Cause, Convenience, Regulatory/Supervisory
Third Party Risk Assessments follow a four-step process, ______, to perform the controls evaluation using standardized checklists, templates, and processes to enable objective reviews.
Obtain, Inspect, Report, Analyze.
Performance Maturity and Independent Reviews
One must establish a process to periodically assess program performance across multiple disciplines to measure program maturity. Conduct a periodic self-assessments of program maturity for each TPRM component, and establish a cadence for conducting periodic independent reviews of the TPRM program. Without these activities in place, there can be a risk to the company's brand, business, operations, data protection, and compliance level.
Program Revision History
Ongoing program revisions should be made for resources (people, process, technology, service providers, cost) as appropriate.
TPRM Program Evaluation Key Points
Organizations cannot manage what they do not measure. Periodic program evaluations should carefully examine the effectiveness of due diligence methods, metrics, and reporting on a regular basis. This is particularly true in environments when the nature and severity of risks may change rapidly. Regular evaluations of the TPRM program should be undertaken as part of ongoing enterprise due diligence.
IT Operations Management
Organizations should maintain documented operating procedures to ensure the effective management, operation, integrity, and security of their information systems and data
Physical and Environmental Security
Organizations should take appropriate steps to prevent unauthorized physical access to systems
Assessing or Evaluating the Assessment Process
Organizations should undertake a regular review of their Third Party due diligence processes as part of an overall TPRM program review.
Online Meeting Approach
Outsourcer: Third Party Risk Staff use credentials to access an online meeting Service Provider: shows presentations, Participants to be interviewed, and navigations to folders to show artifacts Screen sharing Platform to "View" compliance artifacts only during the online meeting
Platform as a Service (PaaS)
PaaS is a cloud-based deployment model where the customer rents remote hardware, operating systems, storage, and network capacity that is owned by other entities. This is done over the Internet and is used in existing applications, or for developing and testing new ones. EX: Windows Azure, Google App Engine
Password Controls
Password rules can be enforced for length, complexity, characters, reuse, and type of cryptography to protect the password. The use of a hash algorithms is one of the stronger methods to protect passwords.
Organizations should ensure security controls are employed throughout the software development lifecycle (SDLC) to confirm secure coding practices are followed. The SDLC process examines the controls for:
Patch management Data storage Data transmission Security and privacy Application development Programming
Patch Management
Patch management is the process of managing a network of computers by regularly performing patch deployment to keep computers up to date. This covers regular patches, service packs, and also hot fixes. There is a priority of correcting the most vulnerable systems first.
Types of Security Controls
Personnel Access Controls; Monitoring Systems; Environmental Controls; CCTV Surveillance
Vishing
Phishing accomplished via voice; usually by phone
The TPRM lifecycle is a widely recognized model for understanding how TPRM works over time. In order to provide appropriate degrees of assurance, this model includes five components:
Planning, Due Diligence and Third Party Selection, Contract Negotiation, Ongoing Monitoring, and Termination.
Operating System Access
Protecting operating systems and system utilities is important to prevent unauthorized access or activity which would result in financial or operational losses. Organizations should include the following in their approach: Limit the number of employees with access to operating systems. Restrict access and log activities on operating system parameters. Filter and review logs for potential security events. Independently monitor operating system access by user, machine, and date.
Program or Portfolio Level Reporting: Third Party Program Metrics
Quantity of assessments by risk tier Quantity of Assessments by Phase (Planning, Scheduled, In-Progress) Open findings/remediation expectations Assessors' assignments
Recovery Point Objective (RPO)
RPO refers to the maximum amount of data that can be lost after a recovery from a failure or disaster incident. This is measured within a time period that is most relevant to the business.
Recovery Time Objective (RTO)
RTO refers to the point in time in the future when you will be up and running again. It is the targeted duration of time which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity.
Let's return to our case study company Expedite Travel and see how certain risk control domains can impact the approach to mitigating risk in third party relationships.
Recently, a new vulnerability was identified that put their cloud infrastructure at risk of exploitation. Although the vulnerability has just been recently exploited, it had been identified a month ago. The vulnerability not only targeted user access, but also the application layer, which compromised the credit card processing systems. The information security response team has been coordinating the IT Operations response and reviewing the steps needed to scan the environment in order to determine which security patches to use. This process also involves outreach to Expedite Travel's vendors and technology service providers. After company operations were restored, the team set up a "lessons learned" session to discuss future threat scenarios and how to address these situations in their TPRM program.
Off-Boarding Process
Removal of privileges and access rights, including group access lists, should be assessed and adjusted appropriately. This is in response to changes in responsibilities and will be removed upon termination of employment or contract.
The organization's ERM program brings together the different types of risk posed by third parties and identifies the methods and processes used to manage each risk. Consider the following:
Reputation and strategic risk Financial, credit, or concentration risk Cross border or geolocation risks Fourth-Nth party risk Cybersecurity or data protection practices, including the use of emerging technologies Business continuity plans, recovery standards, and contractual remedies Supply chain risk for the development, acquisition, maintenance, and disposal of software, technology, and systems
Due Diligence Obligations
Require due diligence obligations in contract terms that define expectations for the vendor to be conducting its own TPRM assessments of its vendors.
Residual Risk
Residual risk is the level of risk that exists with all of the necessary controls in place.
Private Internal
Restricted to a tenant or access list
Assessment Reports: Key Point 3: Ensure that Existing Report Scoping is Aligned to Your Needs
Review the scope and description of systems to ensure that the report applies to the services provided and are relevant to the outsourcer.
Due Diligence Information that can be gathered
Reviewing external audit reports or results of continuous monitoring reports Conducting interviews with Subject matter exports Testing of specific controls to validate compliance Requesting and reviewing documentation Creating and submitting questionnaires for the vendor to complete Planning an onsite inspection of a facility or vendor location
Key Highlight
Risk Alert: The lack of a security policy element addressing Third Party risk is a 'red flag' regarding a vendor's information security policies and practices.
Risk Appetite
Risk Appetite is the threshold of risk a company is willing to assume in order to achieve a potential desired result.
Assessor Roles
Risk Assessor roles operate within the TPRM to conduct the evaluation of the vendor's control environment. Both types of roles require technical understanding of risk control domains. However, the assessor requires deeper knowledge and experience in information technology, information security, audit, and resilience to effectively evaluate controls.
Process to Update the Program based on Changes in the Environment
Risk and technologies change, as do company structures. The approach to BCM may need to be updated based on changes in the internal or external environment. Organizations should conduct periodic review of their approach to BCM to ensure that the program is still meeting the desired results.
Risk Culture
Risk culture is the set of shared values and beliefs that governs a company's attitudes toward risk. Attitudes include the approach towards risk taking, care, and integrity. This determines how risks and losses are openly reported and discussed.
Assessment Reports: Key Point 4: Review the Report Period, Scope, and Age of Reports
SOC and other reporting may have set timeframes and may not be updated with subsequent changes in scope. With reference to the aging of reports, the current threat environment makes older reports obsolete (greater than 12 months, in many cases shorter timeframes). A bridge letter may be accepted by the outsourcer.
Scoped Data
Scoped Data may also be described as "Target Data." In an assessment, think of it as a client company's proprietary information, confidential information, or customer information of any privacy data classification, that is stored, transmitted, or processed by the service provider. Scoped data may also include any data selected as being "in scope" by the organization or client at the beginning of a project.
Defining the Assessment Scope
Scoping is one of the more challenging aspects to learn in effective TPRM.
2. Scoping Factors
Scoping is the process an outsourcer uses to configure an assessment based upon the risk the vendor presents to the organization. Scoping factors will determine the depth and breadth of the assessment based on level of risk or by the type of assessment.
6. Final Report Expectations
Set expectations for the final report (timeframe for supply follow-up items and answers, necessary actions, report issuance dates, etc.)
Control Testing and Validation
Set meetings to discuss documentation and outline each of the steps. It is important to interview SMEs and also have a review of proprietary information. Evidence should be tested, reviewed, and documented, including control tests. Closure meetings should be your final request for information and to provide timelines for issue identification and remediation.
Organizations typically configure and deploy software solutions to manage their DLP program.
With DLP, tools can be configured at specific egress points, including email, USB ports, Internet, printing, and network points.
Trust, but Verify
provides a best practice approach for directing risk management resources in a way that is tailored to and commensurate with the degree of risk posed by the individual service, or services being outsourced.
- Availability Risk:
the TP systems may not have sufficient redundancy or resiliency during an event or incident
When planning, conducting, or evaluating a Third Party onsite or virtual assessment, you need to start with the basics. You need to cover the ...
"who, what, where, and when," and if possible, for knowledge purposes, learn "why" the vendor requires an assessment.
Key Highlight: What is important to evaluate in TPRM is how a Third Party manages or defines their approach to patch management..
, not just having a policy.
To achieve this, the following will be required:
- A clear understanding of the organization's most important services - A comprehensive mapping of the systems and processes that support the most important services, including those that are outsourced - An understanding of the ways in which the failure of an individual system or process, could impact service provisioning - A workable plan for substituting systems and processes, including outsourced processes in the event of a disruption - A regularly tested plan for service restoration following a disruption - An effective, regularly tested communication plan that includes an escalation path with identified decision makers within the Outsourcer organization and Third Parties - A regularly tested communications plan for the most important services
Resilience
- Can the amount of risk and the organizational risk capacity be reconciled? - Can the loss or disruption of the potential Third Party be managed?
The following are examples of security operation functions:
- Conducting forensic investigations - Monitoring and identifying potential threats - Identifying and risk rating vulnerabilities - Cataloging vulnerabilities and tracking remediation - Escalating issues and approving fixes - Coordinating with law enforcement - Integrating responses with Third Parties - Analyzing threat intelligence from external groups - Monitoring trends in application vulnerabilities
IT and Non-IT Risk in TPRM
- Evolution: IT and Non-IT risk in TP relationships are evolving with the acceleration of focus on digital transformation and technology innovation - Climate: Broader concerns on climate change and environmental factors put TP relationships under greater scrutiny o ESG Third Party risk puts the spotlight on climate-related disclosure requirements and frame works - Human Capital: the brand risk from practices regarding human capital are triggering a focus on labor, wage equity, and human rights - Transparency: Supply chain distribution has exposed gaps in operational resilience. Ethical business practices and codes of conduct require transparency in data collection and use - Artificial Intelligence (AI): Digital transformation leverages AI and machine learning to drive automation and relies on an interconnected network of relationships - Adaptation: Traditional IT risk and data breach risk have changed as data governance practices adapt to new technology - Computing: Edge computing brings the storage and processing of data near the source to enable efficiency with 5G and IoT adoption while minimizing use of network bandwidth - Cybersecurity: the focus on cybersecurity changes TPRM practices to address the use of quantum computing to enable stronger cryptography to defend against attacks
Due diligence needs to be carried out when evaluating the following:
- New Third Parties before contracts are signed - Existing high-risk Third Party relationships that require incremental due diligence based on the elevated risk presented to the Outsourcer - The off-boarding process - to make sure that all contractually required steps have been taken - Merger, acquisition, or divestiture plans where Third Parties should be involved — a commonly overlooked activity - Whenever Third Parties seek to add new or change existing subcontractors
Examples of Security Education Training Topics:
- Phishing: targeted emails trying to get the user to click a link or download a program - Risk of Malware: Use of tools and programs against current threats - Use of Email: handling suspicious emails and encryption of sensitive information before sending - Protection of Intellectual Property: Improper sharing of data; document labeling; email receipt notices - Implementation of New Controls: How employees are made aware of updates and changes to an organizations security controls - Password Guidelines: Selecting strong password, password sharing, password update processes - Physical Safeguards and Asset Protection: Mobile device safeguards, tail-gating or piggybacking, plugging in USB drives
Using External Assessment Firms: Assessment firms or consultants are an extension of an organization's TPRM team but may require additional planning logistics. Use the following tips when using external assessment firms:
- Select firms or consultants that are qualified and experienced in the types of assessments needed - Recognize that participants may require a separate non-disclosure aggreement (NDA) - Check the contract for terms, conditions, and confidentiality provisions - Monitor their progress and meet with them at least weekly - Ensure they notifiy you when the assessment begings to "look bad" - Be prepared for the legal departments to redline agreeements - Be prepared to adjust start and end dates - Ensure employees participate in the closing meetings and remediation decisions
Attention to Detail
- TPRM focuses on accuracy, transparency, and integrity in identifying findings and setting realistic expectations
Technical Aptitude
- TPRM involves the analysis of controls across diverse risk topics and business models using broad knowledge of the control environment
Time Management
- TPRM leverages project management disciplines to manage tasks and deliverables across concurrent assessment activities
Communcation
- TPRM uses effective verbal and written communication skills to conduct discovery and summarize findings
Monitoring Plan: When putting together your monitoring plan, be sure to address the following areas:
- Timelines for corrective action updates - Significant changes or compliance to policies and standards - Customer complaints - Records management - Authorized data use - Artifacts (insurance, PCI compliance, disaster recovery and business continuity plan) - Key personnel or critical subcontractors - Material changes to technology, security controls, or procedures - Financial condition
Third Party Selection
- Using your RFP rating criteria, you begin to negotiate terms, contracts, and reporting requirements. With contract negotiations, ensure that there is a deeper due diligence on short-listed parties. Complete the closure which is the mitigation of any issues discovered during due diligence ahead of onboarding. Now you can execute your contract and begin onboarding. o The following are key elements to consider when you are between the process of Third Party selection and relationship management: § Negotiation of terms § Contract term approval § Contract execution § Statements of Work (SOW) § Reporting requirements
New Relationship Planning
- When thinking about TP contract management, we must first think about new relationship planning. You can break that up between Service specific planning and RFP requirements. o For new relationships, you define your requirements starting with service specific planning in order for you to craft a Request for Proposal (RFP). o Your service specific planning will define individual controls and other requirements for each service that will be required in any RFP. o Develop RFP: The RFP will include standard up-to-date security requirements, monitoring allowances, performance standards, and other service-specific contract requirements. o You must ensure that the RFP includes any special oversight provisions based on service criticality. o The following are key elements to consider when you are between the process of new relationship planning and Third Party selection: · Business unit need · RFI/RFP creation · Contract templates · Financial proposals · Operational requirements
What should this program specify?
- how organization will report internally, as well as external parties who may be affected - identify the incident response team and define their roles, responsibilities, related training, and periodic process testing
Best practices for Privacy and security awareness training
- not a "one and done" event. - training topics current and relevant - track attendance - maintain records of cybersecurity education campaigns - include knowledge or competency checks that measure the effectiveness of the training - collect metrics that measure compliance to provide reports to management and ensure support - conduct behavior tests to measure compliance with policies based on the increase in email threats
4 Foundational Requirements of Maintaining Inventory
1) Centralized database for all Third Parties - this includes IT vendors, consulting firms (including independent contractors such as law firms, brokers, agents, affiliates, etc.) custodial, building maintenance, and physical security firms 2) Detailed relationships that involve and support critical activities 3) Fourth Parties (subcontractors) to support the services provided to the Outsourcer 4) Contingency plans for legacy TPs being removed from an organization's TPs ecosystem
A comprehensive physical and environmental security policy should include:
1. A governance structure to allow repeatability, auditing, and ongoing measurement from an established baseline 2. Appropriate ownership and sign off from the executive level, and program integrity of ownership regardless of personnel change 3. Standards, processes, and procedures derived from the policy and reflecting the hierarchical governance structure across the program 4. Established requirements and KPIs for monitoring and control of systems that control electrical power, heating and cooling, humidity, and other critical environmental factors 5. An audit and testing component for validation of controls and systems
According to OWSAP, there are the top 10 application security risks:
1. Broken Access Control 2. Cryptographic failure 3. Injection 4. Insecure Design 5. Security misconfiguration 6. Vulnerable and outdated components 7. Identification and authentication failure 8. Software and data integrity failure 9. Security logging and monitoring failure 10. Server-side request forgery
Virtual Assessments Using Online Collaboration Platforms. When creating protocols for online collaboration, you should do the following:
1. Consider the need to use a Terms & Conditions click-thru agreement for online access. 2. Use watermarks or include dissemination rules in the footers of applicable documents. 3. Utilize settings for certain data rooms to limit printing or downloading of information. 4. Communicate the rules and expectations for taking photographs or use of screen capture technology. 5. Identify which party will host the virtual platform (Outsourcer or Vendor). 6. Gather consent for any recording of engagement interviews via collaborative computing technology. 7. Consider signing an NDA or Engagement Agreement for the screen sharing rules of engagement. 8. Agree on which platform to be used and verify any security settings and approvals. 9. Validate who populated the artifacts or evidence materials in advance of the engagement. 10. Confirm the credentials for portal or data room access.
When conducting an assessment, consider the following:
1. Engagement activities differ based on the methodology and type of assessment. 2. Assessments can be done onsite or in person using different risk management and due diligence techniques. 3. Controls can be evaluated virtually via evidence libraries and portals. 4. Collaborative computing technology can take the assessment from the conference room to online with faster timelines.
The starting point is the inventory and classification of assets. The following are key elements to also consider in your asset management program:
1. Inventories are important to identify assets that require greater data protection, like customer or confidential company information. 2. Inventories should include assets that store, transmit, or process information. 3. Inventories should include connections to external parties, networks, or systems that process the information. 4. After inventories are completed, the assets should be classified based on their criticality or sensitivity. 5. The classification structure should be based on the organization's overall information security program and risk assessment process.
An Incident Response Plan is a predetermined, systematic, and documented method for an organization to identify, analyze, respond to, and correct issues. It is also used to prevent a future re-occurrence. A formal incident response plan should include:
1. Policies, standards, and procedures for incident reporting, event identification, and analysis 2. Event classification and severity level criteria 3. Defined escalation criteria and decision-making protocols 4. Containment and restoration strategies 5. Roles for internal communication and external stakeholders 6. Linkages to other incident programs (e.g., privacy incidents, crisis communication, business continuity) 7. Testing procedures and protocols 8. Notification procedures to allow clients to activate their incident management program 9. Coordination with law enforcement, service providers, regulatory, or media as required 10. Debrief or "lessons learned" approaches for continual process improvement
Consider the following when defining your approach:
1. Understand your starting point and what are your requirements 2. Identify your governance requirements (regulatory, guidance, or govering bodies) 3. Tailor approach based on organization risk culture 4. Communicate and align your message to help business lines make informed business decisions 5. Determine the type of assessment that fits the situation 6. Conduct reviews during the renewal of existing relationships based on current requirements 7. Review due diligence processes regularly at intervals appropriate to the regulatory requirements, the rapidly changing risk landscape, and current business environment 8. Third Party due diligence should plan an important role in RFP processes, Merger and Acquisition (M&A) activities, as well as when outsourced activities are part of divestiture 9. When relationships are terminated, additional due diligence must be conducted to ensure that the termination process meets contractual requirements 10. For critical vendors, up-to-date, pre-established plans should be in place to ensure that when a Third Party needs to be terminated or replaced, contingency plans allow for seamless business continuity
Procedures for Asset Inventory Management: 5 steps
1. When on-boarding, an organization must have a program, policy, and procedure to identify all information assets, both physical and logical, being assigned to any employee, contractor, or Third Party. 2. Organizations should perform periodic reviews of asset inventories to ensure desktops, laptops, devices, and other data storage items do not go missing. 3. Organizations should document procedures for the re-use of information assets, both physical and data, based on sensitivity or data classification. 4. Procedures for the proper disposal of information assets, both physical and data, should be based on sensitivity or data classification. 5. Organizations should implement procedures to require the safe return of all information and information assets by employees upon termination of their employment, contract, or agreement.
Key Performance Indicators (KPIs)
A Key Performance Indicator (KPI) for third party risk management programs is a measurement of the progress and success of a program against tasks and functions. KPIs can reflect the information gathering progress, team performance metrics, improvements to risk management progress, or even individual third party performance. A KPI is most useful when it helps drive improvements and awareness of where resource or progress is insufficient based on the organization's broader risk appetite.
Key Risk Indicator (KRIs)
A Key Risk Indicator (KRI) for TPRM programs gauges the potential risk posed to an organization by a downstream third party. KRIs can be considered for each third party individually. KRIs can also be an aggregate of risk across an organization's entire third party vendor inventory. KRIs should be based on the required output and audience. A KRI becomes particularly useful when it helps drive decision-making in risk tolerance and allocation of remediation resources.
Due Diligence Information Gathering
A TPRM Program should maintain documented requirements for information gathering as part of the due diligence process. Outsourcers define the types of documentation, compliance artifacts, or questionnaires that may be used as part of the assessment. Each type of assessment may trigger requests for information to be provided by the vendor in order to define the agenda and assessment scope.
What are we Assessing? Defining the scope. Do you know what to assess?
A TPRM program defines the requirements and standards for structuring assessments, which can be captured from multiple viewpoints. - Ask yourself the following when evaluating a third party: § What is the size of the company? § Where is their geographic location? § What is their line of business? § Is the scope product or service specific?
Third Party Risk Register
A Third Party risk register is an inventory set up and used throughout the vendor lifecycle in which an organization identifies all the risks involved in outsourcing a specific service or activity, providing in sum a record of all the risks associated with all Third Parties across the organization. Risk Registers should reflect the tracking of risks within each Third Party relationship and across the entire TPRM portfolio. Attributes included in a Third Party Risk Register include: Unique identifier for each risk Description of each risk Assessment of the likelihood the risk will occur Grading of the possible seriousness and impact if it does occur Risk mitigation plan (accept, avoid, transfer, etc.) Grading of each risk Ownership for management Assignment of the risk Management of proposed mitigation plans Cost of mitigation strategy
Triggering Re-Assessments
A Third Party's risk profile may increase or decrease as a function of updates in regulation; scope of work and access to data; location where data is stored or processed; risk environment; or event-triggered incidents. The calculation of re-assessment timing and scope is based on a number of factors which may change over time.
Challenges in Outsourcing
A challenge in due diligence is auditing or gaining assurance where there is not a direct contractual agreement in place. In Third Party Contract Management, the outsourcer needs to incorporate language in the contract to require their vendor to document and maintain a vendor risk management program and conduct its own assessment.
Components of an Audit Program include:
A mission statement or audit charter outlining the purpose, objectives, organization, authorities, and responsibilities of the internal auditor, audit staff, audit management, and the audit committee A risk assessment process An audit plan detailing internal audit's budgeting and planning processes An audit cycle that identifies the frequency of audits Audit work programs for each audit area that create the required scope and resources, including the selection of audit procedures, the extent of testing, and the basis for conclusions Written audit reports informing the board and management of individual department or division compliance with policies and procedures Requirements for audit work paper documentation Follow-up processes that require internal auditors to determine the disposition of any agreed-upon actions to correct significant deficiencies Professional development programs to be in place for the institution's audit staff to maintain the necessary technical expertise
Penetration Testing
A penetration test (also known as a "PEN test"), is an authorized simulated attack on a computer system that seeks to expose security weaknesses, potentially gaining access to the system's features and data. These weaknesses can be identified in either technical controls or weaknesses in business processes. PEN testing takes place to address any possible issues without knowing precisely what threats each feature is supposed to address. The frequency and scope of a PEN test should be based on the level of assurance needed for the application and is determined in the risk assessment process.
Scoping Meeting
A scoping meeting is a meeting held prior to commencement of an engagement. This is done to determine the scoped systems and data to be included in an organization's assessment or other engagement. The scoping meeting should identify the types of testing or validation procedures that will be required in the assessment. The process should identify which controls may be new due to virtual or remote workforces.
Security Defect
A security defect is a security flaw identified in an application as it is being developed. The most common examples are the results of static analysis scans against code bases in development. Since the application is only in the development stage of the SDLC and is not actively being used, no risk exists.
Internal and External Simulations
A simulation is a more formalized method of testing and may be facilitated by an outside party. In a simulation, the security and privacy incident response team practices their actual response plans and engage many functional areas in the company. A simulation may trigger other processes like incident notification or crisis communication. Simulations evolve based on how the team responds, and new information may be provided to test the agility of the team. An external simulation operates the same way but involves interaction and collaboration across many companies, typically as part of an information sharing group or trade association. And remember, conducting "lessons learned" after each event identifies process improvements.
Endpoint Device Security
A starting point for endpoint device security is the identification of the ownership of the device and the data that is stored on the device. Policies should be constructed for both company-owned devices and employee-owned devices. Note that any electronic device that accesses company data is considered an end user device.
Personnel Access Controls
Access control systems for highly restrictive areas may include an electronic-based reader with some additional authentication factor such as a pin code, finger or hand print reader, or retina scanner (two-factor authentication).
In a Zero Trust environment, all networks are untrusted, including internal networks. The goal for Zero Trust is to prevent data breaches and limit lateral movement. When you are utilizing access control techniques, you are ensuring that:
All communication is secured regardless of network location. Access is granted on a per-session basis regardless of network location, user, or device. Authentication and authorization are determined by user and device analytics. Behavioral attributes are tracked to highlight deviations from normal access patterns. Access controls are strongly enforced. Device logs and traffic are continually monitored and inspected.
Incident Event Identification and Analysis
All incidents are not alike.. they require triage and assessment An incident may trigger notification requirements based on risk, classification of data, regulatory, or contractual obligations. Each incident will follow a lifecycle until it is closed or remediated.
- Data Traffic, What you need to know:
All traffic through firewalls, email and chats should be monitored. Perform outbound scans for malware, malicious and blacklisted sites, and data policy violations
Annual Testing Plan
An annual test plan of high-risk scenarios should be prioritized and approved by management based on likelihood and impact.
Assessment Purpose and the Risk Tiered Approach
An assessment should ensure the organization is aware of any absent or failing controls that do not meet set standards
IT Audit
An audit is compliance focused. It starts with a listing of all the rules, requirements, or policies. It then assesses the compliance to those stated obligations in a formal engagement. "Findings" are perceived to be "Gotchas." Audits are a reactive process in risk management. Measures how well an organization is meeting a set of external standards. Audits, reviews, and tests everything identified in the engagement scope. Tests the effectiveness of the implemented controls (risk audit). Tests the entire scope of an information security management system or business continuity management system. Expresses the opinion of the audit function on the performance and effectiveness of the controls.
Cause
An event or action has caused a material breach or irreparable violation of contract terms. Contract may require cure or remediation period.
What is an Exit Strategy?
An exit strategy is a predetermined process or set of requirements for discontinuing a Third Party relationship. Topics typically included in an exit strategy include: Return of the work product and assets (i.e., technology or processing equipment) Return or destruction of data Proof of destruction and/or return of intellectual property (IP), work product, and data Transition assistance Reporting requirements Need for parallel services Insurance requirements Right to solicit and hire vendor employees Indemnification regarding responsibility for costs and liability
Notification Obligations
An incident response plan should have defined protocols to declare and respond to an incident. Organizations should have specific reporting mechanisms via multiple channels for the reporting of an incident so that it can be assessed. Training and awareness programs should communicate an employee's responsibilities and the process for incident reporting. Organizations should log incidents and conduct additional information gathering to manage the issue until it is remediated. Incident metrics should be maintained to enable trending and analysis for ongoing process improvement.
Incident Response Plan
An incident response plan should have defined protocols to declare and respond to an incident. Organizations should have specific reporting mechanisms via multiple channels so that an incident can be assessed. Training and awareness programs should communicate an employee's responsibilities and the process for incident reporting. Organizations should log incidents and conduct additional information gathering to manage the issue until it is remediated and solved. Incident metrics should be maintained to enable trending and analysis for ongoing process improvement.
Independent Assessment
An independent assessment of the BCP and disaster recovery program is recommended.
Self Assessments
An organization may conduct an internal evaluation of their security testing and program using an industry framework to benchmark the maturity of their processes. A formal risk assessment may be done to evaluate security incident risks and mitigation strategies. Some organizations use a combination of testing strategies to assess the overall security posture.
Bringing the Programs Together with Testing and Communication
An organization should conduct thorough exercises that validate the effectiveness of business continuity and disaster recovery procedures and capabilities; the readiness of its personnel to perform required actions; and the viability of related communication mechanisms and procedures.
Governance and Oversight Structure
An organization should create and maintain an in-depth business resilience governance policy, function, and process that documents overall expectations for the program. It should also address how the program is to be executed, and define responsibility for each element of the program.
Scenario Planning
An organization should define the types of situations that are the most likely to trigger a security incident. Some companies have very specific regulatory obligations for privacy and security incident reporting that may need to be tested on a more frequent basis. The starting point in scenario planning is building a calendar or schedule of the types of events that should trigger a table-top or simulation, and prioritize the timing to conduct testing.
Alignment of BCP Program Elements to Company Goals and Objectives
An organization should evaluate its approach to business continuity based on the entity's strategic goals and objectives, customer impacts, and regulatory or contractual obligations. The level of continuity should be aligned with the risk culture and risk acceptance of the organization.
Security Awareness Training
An organization should implement a security awareness training program and assure that all constituents, including contractors, are trained annually. In addition, attendance reports are must be maintained and the program materials must be reviewed and approved by senior management annually.
Primary Components in a Compliance and Ethics Program
An organization's risk management program should include a formal compliance and ethics program, which ensures an organization's professional ethics and business practice requirements. This is based on company values, standards of conduct, and its compliance obligations.
Leveraging Questionnaires in Scoping
An output of the scoping process is the creation of an information gathering artifact. This is typically a due diligence questionnaire or an online survey from a software application. This scoping process is critical to achieving increasingly important efficiencies by focusing the assessment on specific topics. The quality of scoped questions is more important than the quantity of questions asked.
1. Which statement reflects an immature information security incident response and notification program: a. The program functions with only information security and IT as the stakeholders that need to be involved in setting information security breach response policies and procedures b. The program defines testing procedures and protocols. The program contains linkages to other incident management programs (e.g., privacy incidents, crisis communication, business continuity). c. The program defines event classification and severity level criteria that incorporate escalation and decision-making protocols. d. The program includes policies, standards, and procedures for incident reporting and event identification and analysis, including defined roles and responsibilities between organization functions.
Answer A: An incident may trigger notification requirements based on risk, classification of data, or regulatory or contractual obligations. While an incident may originate within Security or IT teams, assessing the potential notification based on contract or data protection regulations requires additional stakeholders. Privacy and legal teams within the business may need to be involved. Certain incidents may also require coordination with law enforcement, service providers, regulators, or media. B: Programs need to be tested on a periodic basis based on both internal and external changes. Organizations maintain different processes for handling incidents, events, and emergencies. These processes need to work together for execution, communication, and effectiveness. C: Issues and incidents are not the same. Not every IT event or incident evolves into a privacy or security incident that requires notification based on contractual or regulatory requirements. The program should include the identification and assignment of severity based upon the level of risk to provide the escalation and allocation of resources to minimize the impact. Each incident follows a lifecycle until it is closed or remediated. D: Incidents may be reported or discovered by internal or external events. Incidents can arise from failures in behavior of people, process, or technology. Each type of event may trigger different processes and procedures across teams to identify, assess, classify, escalate, and report.
1. Which set of contract provisions addressing third party outsourcing BEST reflects the requirements in today's regulatory landscape? a. Notice and approval of any changes in subcontractors prior to outsourcing b. Notification provided by the third party c. Require third party assessment performed by the outsourcer prior to subcontracting d. Restrict third party outsourcing
Answer A: Approval should be required, but should also not be unreasonably withheld. Vendors have legitimate business reasons to subcontract, especially for technology, and should be prepared to provide evidence of their controls evaluation and due diligence of subcontractors. If answered B: Notice alone is not sufficient as the outsourcer needs to be able to assess the potential for increased risk to their operations. Notice alone does not allow the outsourcer to evaluate the due diligence. If answered C: The outsourcer would not directly perform the due diligence of the third party, but rather would request evidence of the controls evaluation conducted by their vendor. The evidence of assessments should be part of the notice and approval process for subcontracting. If answered D: While a company may restrict certain types of outsourcing or outsourcing locations, it is not feasible to restrict all use of subcontractors in today's technology landscape. Limitations on outsourcing should be included in contract provisions between parties. Such contracts should also define the notice and approval process, and require sufficient compliance documentation for the outsourcer.
1. Assessment due diligence determines the extent that vendors are in compliance with their contractual requirements. Continuous monitoring looks at vendor risks beyond those covered in the contract, including factors that may include: a. Financial stability; web site hygiene; legal and regulatory actions and issues; and geo-location factors b. Analysis of SOC Reports; status of internal audit findings; date of last regulatory exam; and promptness of regulatory filings c. Membership in industry organizations; diversity supplier programs; supplier compliance statements; and Government Supplier registrations d. Number of reported security incidents; timeframe to remediate or cure issues; response time to risk assessments; and number of assessors or analysts
Answer A: Continuous monitoring is a risk management approach designed to identify potential programs through uninterrupted real-time or near real-time examination of alerts. Continuous monitoring programs tend to leverage outside data points to identify potential changes in risk outside of the cyclical review process. If answer B: Use of external audit reports is a component of compliance artifacts review within the Third Party risk assessment process. Assurance reports or examinations are inspections and evaluations of specific controls. Continuous monitoring is a methodology for examining information that may trigger a risk review, but is not evaluating the effectiveness of a control If answer C: Continuous monitoring is a process that uses real-time or near real time alerts of potential changes in risk. These examples highlight examples of operational risk or brand risk that may influence requirements in RFPs for vendor selection. If answer D: Continuous monitoring is a process that uses real-time or near real time alerts of potential changes in risk. These TPRM metrics are examples of issue status that may be used within the remediation or corrective action process.
1. Which statement best reflects the concept of periodic audit rights as defined in vendor contracts? a. Audit provisions in contracts should include the agreed upon frequency and scope of review. This includes the identification of audit triggers based on the occurrence of events. b. Outsourcers should establish requirements for notice, approval, or authorization of the use of subcontractors. c. Only critical suppliers are required to have right to audit provisions. d. Periodic audit rights are defined solely by a company's risk policy and not required by specific regulations.
Answer A: Correct: Audit provisions include the inspection of functions and controls within the Third Party, or within their compliance functions. Audits are not a "one and done" concept, but evolve as risks evolve within the relationship. Outside events, like a breach, disaster, change in technology, or regulatory issue may trigger the need for additional audits. If answered B: This statement is an example of a specific contract requirement, but does not define the audit process for the assessment of the vendor's controls. Periodic audit rights in contracts should include scope, timeframes, frequency, or events that trigger an audit. If answered C: The right to audit is not limited to only critical suppliers. Critical suppliers may require more frequent audits, based on the due diligence standards established in the TPRM Program. If answered D: A regulation may create the obligation that a right to audit is expected between parties. In highly regulated industries, the guidance includes the parameters and scope of expected audits.
1. For which type of location should the risk assessment provide validation of a vendor's environmental and safety controls? a. Manufacturing Sites b. Call Centers c. Administrative offices d. Sales Offices
Answer A: Manufacturing sites are more likely to be prone to health and safety risks or violations based on the nature of goods being produced. Dependencies on manufacturing delivery can be impacted by accident rates and environmental hazards. Outsourcers should include these risk factors when performing due diligence of vendors that produce goods directly for the outsourcer. B: Call centers create staffing level or capacity risk to outsourcers as they are personnel dependent and may have direct interaction with end users. Call centers may have greater pandemic risk due to close proximity of agents, or remote access risk for at-home agents. Call centers are less likely to experience safety or environmental risk due to the nature of the services provided. C: Administrative offices tend to be back office functions and pose less risk for safety or environmental. This focuses more on administrative controls in the evaluation process. D: Sales offices tend to be distributed with fewer employees and less risk for safety or environment since they perform more administrative functions. Sales office locations tend to focus more on relationship management than controls validation.
1. Which of the following limitations on acceptable use is appropriate in an organization's policy for end-user devices? a. Policy on sharing mobile device with other users, including family and friends for personal use. b. Technical configuration detailing IT's process for automatically enforcing mobile device application updates. c. Procedures detailing how assets are inventoried and tracked to ensure actions that an organization may take in the event of a lost, stolen, or compromised mobile device. d. Policy on reporting information security incidents in the event of device loss or theft.
Answer A: Securing end user devices is a combination of behavior and technical controls. A policy on sharing the device for non-business purposes is a behavior, and the policy sets out the expectations of what is allowable by the user. The other examples may be included in the organization's information protection program but are technology controls and not based on the use of the device B: The technical configuration itself is how the organization enforces maintaining application security and pushing out the updates, which is typically in IT standards. The policy may include language in reference to consequences to users for bypassing such updates, but that was not one of the options. C: End-user devices should be included in asset management programs. However, those requirements are not based on providing sets of rules to the users on how to use the device. D: The reporting of a lost or stolen device is a separate activity and broader than the rules and expectations for use of a company owned device.
1. What action step is TRUE regarding managing or addressing supply chain risk? a. Interdependencies and linkages should be mapped among all components of both inbound and outbound supply chains. b. Supply chain risk management involves only procurement staff. c. Supply chain risk management only impacts companies in the manufacturing sector. d. Supply chain risk management is only a factor for global companies that deal with import or export.
Answer A: Supply chain risk management requires a strong understanding of the inputs and outputs of the distribution channel. The various partners in the supply chain are interconnected, requiring an understanding of the interactions between entities. B: Supply chain may have originated in procurement to manage the acquisition of tangible goods, but the risks now involve larger business risks and revenue risk with disruption to company operations. Supply chain risk management has evolved as the entire ecosystem of entities involved in the delivery of services has expanded. C: Supply chain risk can impact any type of company due to its economic impact on people, information, technology, and facilities. Manufacturing companies may have greater dependencies in outbound supply chain if they are unable to deliver products to customers. D: Supply chain risk is not limited to cross-border commerce. Companies can experience supply chain disruption at a local, regional, or geographic level. Supply chain risk can impact any function that impacts the acquisition of goods, services, or resources in order to source products and services at any point in life cycle.
1. Which of the following topics would NOT typically be incorporated into possible remediation areas? a. Financial Issues - Revenue projections, business models, internal financial reporting, costing models, budget thresholds, and constraints b. Operational Issues - Business resiliency, outages, service level agreements, and response times c. Governance Issues - Framework deficiencies, privacy and security policies, organization, communication, awareness, regulatory compliance. d. Technical Issues - Insecure source code, vulnerable technology, disaster recovery, insecure architecture.
Answer A: The focus of the assessment is on the delivery of services to the Outsourcer. Financial measures become a risk if the company is no longer viable, or able to deliver services, which would be identified as an operational gap. The internal financial performance measures of the vendor are not relevant metrics unless the vendor is unable to meet contractual obligations. B: The importance of operational issues is based on the type of service that was outsourced. If a vendor does not have sufficient controls for managing operations, there may be an impact to service delivery. C: Third Party assessments are not just focused on Information Technology risk. Operational risk or compliance risks are part of the assessment. How an organization manages these risks reflects on the potential risk the vendor poses to the Outsourcer. D: Information Technology and use of technology can trigger risks of loss or breach of data. The Outsourcer is accountable for managing that risk.
1. Which of the following is NOT a part of the vendor classification process? a. Conducting a virtual or onsite assessment b. Determining what should be outsourced c. Establishing risk criteria based on the scope of the work d. Developing a third party inventory
Answer A: The structure and design of a TPRM program defines or sets expectations for how third party assessments will be conducted. Vendor classification program requirements should define due diligence techniques appropriate to the risk rating or risk tier of the vendor. Due diligence standards will apply to each risk tier which then determines the type of risk assessment to be performed. If answered B: The definition of pre-outsourcing risk evaluation is a risk process that is a part of the TPRM program. The TPRM program defines the parameters that may trigger the process of evaluating risk before outsourcing. The execution of the process may be included in the overall vendor risk assessment process using requirements based on the slotting of potential vendors to their assigned risk tier in the vendor classification structure. iF answered C: The definition of risk criteria based on the type of services outsourced is an element of TPRM program requirements that is documented in TPRM program policies, standards, and procedures. The structure of the vendor classification creates a risk-based hierarchy for the vendors in the inventory. The risk criteria may change over time based on changes in risk, and updated in the vendor classification structure. If answered D: A third party inventory is an operational control used to assess and determine the scope and scale of the use of third parties. All third parties in the inventory should be risk rated and assigned a vendor classification. The risk factors that determine the classifications are a part of TPRM program policies, standards, and procedures.
1. When evaluating the secure coding practices of a third party vendor, the BEST time for the third party to perform a threat modeling analysis would be: a. Before the application development activities begin b. Prior to contract execution with the third party vendor c. After the application vulnerability test is completed d. Before production release
Answer A: Threat modeling is an activity to determine the types of risk that could be applicable to an application so that the proper controls can be defined in the SDLC process. B: Application development may be outsourced. The contract defines the roles and responsibilities for each party. Threat modeling occurs outside of the contract parameters and is a risk function that changes due to changes in the environment. C: Threat modeling is not a function that is an output of a penetration test or security test. Threat modeling is used to define the controls which are later tested. D: Application security controls should be defined and approved in the design phase and included in SDLC processes before production release.
1. Which of the following is not considered a best practice in managing ongoing security awareness training? a. Security awareness programs should include testing components to measure effectiveness of security training. b. Security awareness programs do not need to be updated frequently unless policies change since employees may get fatigue with training on repetitive topics. c. Security awareness programs should include regular reinforcement and ongoing measurements to enhance knowledge and understanding by employees. d. Awareness programs should incorporate periodic and formal acknowledgement of employee responsibilities for security, including the potential consequences for violations.
Answer B: Awareness programs serve as reminders and enforcement of expected behaviors. As new threats or vulnerabilities are identified, training and awareness campaigns should be updated to reflect how to address the risks. A: Awareness programs should use knowledge or competency checks to confirm understanding. Awareness programs include behavior tests like phishing to measure the effectiveness of the company's policies and procedures. C: Awareness programs should require and track attendance, including collection of metrics to report on topic specific campaigns. D: Policies are only effective if they are communicated, understood, and framed in ways that employees understand what rules they need to follow and the consequences if they violate the policies with their actions.
1. You are a Third Party risk analyst conducting a review of your TPRM program. When quantifying the actual resource requirements to operate your program, which metric is LEAST important in assessing whether your current resources can achieve your program goals? a. The resources you need to perform control assessments based on your policies b. The dollar amount of your budget c. The number of people you need to manage corrective action plans d. The number of people you need to interpret vendor responses
Answer B: Budget allocation may be a limiting factor in how third party risk is scaled. A common mistake in TPRM programs is that policies are creating expectations that cannot be achieved by current resources. TPRM program metrics can be used to convey gaps in resources. The budget needs to align with program goals and objectives. If answered A: TPRM programs should assess the number and type of assessments needed to address due diligence for each tier based on the frequency in TPRM policies. Metrics can be used to align or confirm that resources are adequate to achieve the goals stated in the policies. If answered C: Managing third party assessments is not just about conducting the controls evaluation. Findings, corrective actions, and remediation are managed for typically months after an assessment. Resources need to account for each phase of the assessment lifecycle. Metrics can be used to define resource allocation for each phase. If answered D: An assessor may conduct the assessment to identify control gaps, and report the findings to analysts in the TPRM program. The findings are evaluated, and recommended courses of action are approved by the business and then negotiated into a corrective action plan. Metrics can be used to define resource allocation based on the types of resources needed to interpret responses and make judgements on the recommendations to the business.
1. In which phase of the third party risk assessment process would the assessor conduct discovery interviews and review compliance artifacts? a. Assessment planning and preparation b. Assessment execution and communication c. Post-assessment reporting and remediation d. Periodic and real-time monitoring
Answer B: Conducting interviews with subject matter experts and reviewing compliance artifacts are methods of due diligence in a third party risk assessment. A: The planning phase may trigger the topics or types of due diligence to be used. The actual execution is part of the engagement activities. How the interviews and compliance artifacts are reviewed are based on the type of assessment (e.g. onsite or virtual) and the number of assessors involved in the controls evaluation. C: By this phase due diligence has been completed, assessment results are being analyzed, and findings are being identified and risk rated. D: Monitoring functions are a post-assessment function. The cadence and level of monitoring may be influenced by assessment results, but are not a part of the upfront or cyclical due diligence defined by the vendor's risk tier and the organizations due diligence standards.
1. Based on the TPRM lifecycle, when are specific contract terms or obligations triggered between parties? a. At the time of the request for proposal b. In all phases, from vendor selection to on-boarding, then through on-going operations to off-boarding c. Only upon exit or termination when the return of data is required d. Only when the initial contract is executed
Answer B: Contract terms or obligations may be identified, defined, or triggered at any phase in establishing a contractual relationship with a Third Party vendor. Contract management is an ongoing process and leverages contract management systems for each phase of establishing, maintaining, and exiting the contract. If answered A: The RFP may include requirements to exclude vendors who could not meet contractual expectations. But the RFP acts as an input to selecting the vendor that, after selection, will require contracts to be executed. If answered C: Contract provisions are triggered based on the type of exit or termination. However, that is too narrow a focus for Third Party risk mitigation. There may be ongoing changes to contractual terms throughout the timeframe of the contract between parties. If answered D: The initial contract sets the baseline and the parameters for updates. New contract requirements and issues can be identified based on changes in service, changes in policy, or even regulations. These need to be accounted for in all phases of the relationship.
1. Which statement is TRUE regarding Corrective Action Plans? a. Corrective action plans are based solely on terms included in the vendor's contract. b. Corrective action plans are agreed to by both parties as part of remediation. c. Correction action plans are defined only by the outsourcer. d. Corrective action plans are only required for critical vendors.
Answer B: Corrective action plans are mutually agreed upon actions to resolve findings. The outsourcer may define what needs to be remediated but the vendor has flexibility in terms of prescriptive actions based on the environment. A: While the contract may list specific obligations that may trigger findings in an assessment, the contract does not define how an organization must resolve the findings. Technical findings can be identified that are outside of contract terms due to the pace of technology change. C: The outsourcer bases its findings from an assessment based on the risk posed to their organization. The finding is risk rated by severity, then a corrective action plan is created to mitigate the finding. The vendor is involved to define the tasks and "how" they will address meeting the control objective. D: Risk can be identified at any tier level. A corrective action plan is created to mitigate or resolve high or medium risk findings. Findings that require remediation are based on the risk and severity of the finding.
1. What is the primary concern in any emergency or business continuity event that affects company or vendor facilities? a. Recovering critical data b. Protection and safety of people c. Testing the plan periodically d. Notifying the insurance company
Answer B: Emergency response and business continuity plans are designed to protect company assets. The first asset is the workers or employees, then the recovery of business operations in a safe working environment. A: Recovering critical data is an important part of disaster recovery programs and is tested in DR exercises. The key to the question is understanding emergency response and business continuity from a location perspective. C: Emergency response and business continuity plans should be documented and tested. In an actual event, the response is based on the impact to people and facilities and a risk triage process to identify action steps. D: Triggering notification to an insurance company is handled after the event has been handled to provide renumeration to expenses or losses incurred.
1. Which list indicates the proper progression of the TPRM lifecycle process to define, identify, assess, monitor, and evaluate third party risk? a. Planning, contract negotiation, due diligence, ongoing monitoring, and termination b. Planning, due diligence, contract negotiation, ongoing monitoring, and termination c. Planning, due diligence, ongoing monitoring, contract negotiation, and termination d. Planning, third party selection, continuous monitoring, termination, and due diligence
Answer B: Initial due diligence is performed prior to third party selection and contract negotiation. Identified items that need to be addressed through due diligence must be addressed in the contract. You can perform monitoring functions once the vendor is onboarded. If answered A: When due diligence is performed after contract negotiation, the organization loses leverage to negotiate the resolution of any findings. If answered C: Ongoing monitoring is a function performed after the relationship is established occurs after onboarding and contract negotiation. If answered D: While due diligence standards may trigger post-exit return of data, due diligence should be performed throughout the lifecycle of the relationship.
1. Which statement is TRUE regarding physical access logs? a. Physical access logs should be kept for no more than 60 days. b. Physical access logs should record both successful and unsuccessful access attempts. c. Physical access logs apply only to server rooms or data centers. d. Physical access logs are not used in cloud hosting facilities.
Answer B: Physical access logs are designed to provide evidence of authorized access and attempts of unauthorized access. Both factors are important to understand the physical security program of a vendor. Significant attempts at unauthorized access is an indicator to conduct further controls evaluation. A: Physical access logs should be retained based on a defined retention schedule that is based on risk, contractual, or regulatory obligations. Certain types of compliance may trigger defined timeframes which should be part of the records retention and destruction policy. C: Physical access logs may trigger a different level of inspection for server or data centers, but physical controls evaluation is not limited to these locations. Physical access logs for perimeter security are part of a defense in depth approach to site inspections. D: Assessing physical access logs in cloud hosting is based on an understanding of the cloud deployment model and service type. Access to specific environments may be covered in external assurance reports instead of being a control evaluated onsite by an assessor.
1. Which factor is the LEAST important consideration for reviewing a service provider's formal Incident Management Program? a. The ability of the service provider to provide notification to its clients b. How the service provider meets its own regulatory obligations c. The required timeframes so that the client can activate its own incident response protocols d. How the service provider receives and handles incident notifications from its subcontractors
Answer B: The focus on evaluating the vendor's incident response controls is to minimize the risk to the outsourcer and its customers. The focus is not on the vendor's internal assets nor its regulatory obligations, but the risk posed by the vendor. A: The focus on reviewing the incident response is to understand the risk of a data breach or unauthorized access to company assets. Clients need to be notified of security and privacy incidents in order to meet customer and regulatory obligations. C: Timeframes for responsiveness to incidents are important since many federal, state, and international laws trigger specific notification parameters. D: Reviewing the vendor's incident response plan should include the mechanisms for how the vendor is notified by its subcontractors. The subcontractor would not notify the outsourcer directly.
1. When evaluating an organization's security policy, which statement reflects the primary attributes to validate? a. Security policies only have to be approved if they are exception to industry standards. b. Security policies should be reviewed on an annual basis. This includes maintenance of the timeframe of review and the names of the approvers, even if no changes have occurred. c. Security policies must be updated on an annual basis to maintain compliance. d. Only exceptions to security policies need to be reviewed during a Third Party risk assessment.
Answer B: The organization should review their policies annually and reflect that review with the timeframe and approvers who confirmed no changes. A: Industry standards may influence the construction of an organization's internal policy. The Outsourcer needs to evaluate the security posture of the vendor to determine the potential information security risk posed by gaps in policies, standards, and procedures. C: Policies may not change significantly year over year, but procedures and standards may require more frequent updates. The objective is that the policy is reviewed and assessed to the environment to determine if a change is needed, including any required communication to employees. D: A review of security policies should include the entire set of policies, including how the vendor manages exceptions. Managing exceptions to a published security policy is a separate process to ensure exceptions are not evergreen since exceptions should have an expiration date or re-approval process.
1. Architecture, firewalls, and connectivity would be considered which function in network security management? a. Defend b. Protect c. Design d. Encrypt
Answer C: Architecture, firewalls, and connectivity are all building components for the design or configuration of systems, applications, and databases. They are part of the blueprint or design of the technical control environment. A: This component of network security management includes responding to external threats or attacks. The controls focus on intrusion detection and prevention; response to a denial of service attack; and prevention of unauthorized wireless. B: This component in network security focuses on controls (encryption, TLS, data loss prevention) to technically secure and safeguard data. It operates within the designed architecture of the control environment. D: Encryption is a type of data protection safeguard that can be done at many levels (device, database, network, interconnectivity). Encryption is a control that is deployed within the control environment.
1. Which statement is not accurate as it relates to background check requirements in Human Resources Security? a. Background check requirements are based on regulatory requirements, company standards, and industry specific standards. b. Background check standards and criteria may be role-based, tailored based on job level, and defined by level of access or authority. c. Background checks are not required for contract workers, but rather only for employees. d. Background check requirements and limitations may differ across international jurisdictions.
Answer C: Background check requirements do apply to both employees or contingent workers. Contractors, temporary workers, or subcontractors may have different levels of requirements based on factors like on-premise access or type of work performed. If answered A: Background checks may be specified in regulations like healthcare and financial services. Certain job functions may require different clearances, so all of these are factors based on the scope of the company. If answered B: A company may have different criteria for background checks based on job function or role. Examples can include workers with direct customer interaction, such as call center workers vs. management executives. Certain jobs may require academic verification while other jobs may not. If answered D: Individual countries may have laws or limitations that impact how background checks are performed. Examples can include notice, consent, or limitations on the types of screening based on privacy requirements.
1. A critical component of an Outsourcer's TPRM program is the risk rating of vendors. The starting point in determining the appropriate classification would be to: a. Review the vendor's responses to the questionnaire provided by the Outsourcer. b. Give a status of any prior findings. c. Determine the risk associated with outsourcing a specific product or service. d. Conduct an on-site or virtual assessment.
Answer C: Determining the risk rating and putting a vendor into a particular risk tier starts with the evaluation of the risk associated with the service. The rating may reflect criticality, cyber risk, or resiliency. If answer A: The type of questionnaire that is sent to a vendor is based on the risk rating since not all vendors need to respond to the same control questions. Reviewing the responses may highlight issues to review in the due diligence process. If answer B: The status of any prior findings is a part of remediation process management after a Third Party assessment has been conducted. An assessor may use prior findings as follow up items in the review, but the findings alone do not define the current risk rating classification of the vendor. If answer D: Conducting an on-site or virtual assessment is an output of the due diligence process defined in the TPRM program. The risk rating or tiering process defines the rules and requirements for when a full assessment is required.
1. Which of the following is the MOST important component of program governance in a TPRM program? a. Communicating defined roles of the program b. Understanding the data classifications in scope for each line of business c. Establishing policies, standards, and procedures based on company risk tolerance d. Establishing metrics for C-Suite and board reporting
Answer C: Policies, standards, and procedures establish the guidelines and framework that the TRPM uses based on the overall corporate strategy. They provide the inputs to the implementation of the program. Policies, standards, and procedures set the foundation that defines the structure and scope of the program. If answered A: Defined roles are important, but the message to be communicated is based on setting expectations for the organization as to what rules and guidance to follow in order to address third party risk. The guidance is based on TPRM policies, standards, and procedures that the company should follow. If answered B: Understanding the data elements or data classification in scope for each line of business is a risk factor that contributes to a vendor's risk rating or risk tier. The requirements for each risk factor, like data, are a part of the TPRM program's policies, standards, and procedures. If answered D: Metrics and management reporting are an output of program execution or implementation of third party risk assessments. Metrics summarize the actions taken based on the number and type of assessments performed.
1. Foundational requirements for a well-defined vendor risk program include all of the following EXCEPT: a. Development of a well-communicated risk appetite, risk posture, risk tolerance, and acceptance and treatment statements. b. Establishment of a comprehensive Third Party inventory that includes vendor risk ratings and classifications. c. The TPRM program should be established and managed solely within the line of business who owns the revenue for the company. d. The TPRM program should include the due diligence standards that define the types of assessments to be performed, including defined triggers and frequency for periodic assessments and continuous monitoring.
Answer C: TPRM is one element in an organization's approach to risk management. Managing the complexity of the relationships of Third Parties requires active involvement of governing boards and executive management to address the emerging landscape and heightened regulatory expectations. All three lines of defense are involved in managing Third Party risk. If answered A: The starting point for a TPRM program is the tone at the top. This sets the framework for how the TPRM will operate. The TPRM program fits within the organization's overall approach to enterprise risk management. If answered B: All risks are not alike, just like all vendors are not alike. The TPRM program should define the policies and governance which include defining a risk tier structure or classification that defines the set of requirements and due diligence standards based on the company's risk posture. If answered D: The level of due diligence is based upon the risk posed to the organization and may change over time. Organizations need to define the internal and external factors that may impact the level of due diligence or timeframe for an updated review.
1. Which statement reflects the best approach for reviewing compliance artifacts and evidence in a Third Party risk assessment? a. If the service provider has provided an external audit report like a SOC 2, then no further Third Party assessment is needed. b. All controls should be tested in a Third Party assessment to provide comprehensive due diligence. c. Obtain documentation and inspect the artifacts for compliance attributes. Document the presence of the controls and identify items that may require testing or sample. Finalize results in a standard report format. d. Findings from previous assessments should not be reviewed as each assessment should be considered a point-in-time review.
Answer C: The best approach is a three step process to obtain, inspect, and report. Assessments do not test or sample all controls but are designed to take a risk-based and objective approach. A: A remote assessment with no further reviews may be appropriate for lower risk vendors based on the organization's due diligence standards. To place reliance on an external report, the report scope, findings, and locations need to be reviewed for how they address the Outsourcer's requirements. Use of a SOC report may reduce the topics and level of further review but will not always replace conducting an assessment. B: Third Party risk assessments are not audits. Information gathering from questionnaires or reports forms the baseline of the environment. Responses are reviewed to identify the critical controls or focus areas that require validation based upon the risk. D: Reviewing prior findings or outstanding remediation items is important to identify trends. Similarly reviewing prior findings in external audit reports can highlight control deficiencies over time.
1. What of the following demonstrates the greatest level of maturity in a TPRM program? a. Using monitoring technologies to mitigate risk b. Using metrics and benchmarking to quantify results c. Having designated accountability for TPRM d. Conducting a periodic independent program evaluation
Answer D: A mature TPRM program includes metrics, monitoring, and governing. Requiring periodic independent evaluation sets a maturity standard that is objectively and independently reviewed. Certain regulated industries require independent reviews in order to ensure management has an objective view of third party risk. IF answered A: Monitoring techniques are used to supplement the results of conducting third party risk assessments. Monitoring may include the use of in-house resources or require use of external software platforms to collect and interpret potential risk events. Defining the use of continuous, periodic, and real-time monitoring are components of mature TPRM programs. IF answered B: Metrics can be used in any TPRM program to provide insight into program operations. You can use metrics and benchmarking to compare your results to those of peers or different industries in order to provide a greater level of insight into improvement areas. IF answered C: Program governance is a part of any TPRM program and may be a designated individual or a formalized governing body. TPRM may be included in an ERM program. The more mature the TPRM program, the greater the accountability at all three lines of defense for TPRM policies, standards, and procedures.
1. A complete and accurate vendor inventory is a vital component of every TPRM program and a prerequisite for conducting vendor assessments. Which of the following is NOT a critical component of that vendor inventory? a. Type of data accessed b. Service availability requirements c. Type of systems accessed d. Annual spend
Answer D: Annual spend is a factor in supply chain management to monitor thresholds or pricing metrics for comparison to alternative suppliers. Annual spend may leverage contract terms negotiation. However, it is not the primary risk factor that triggers requirements for assessing the strategic, operational, cybersecurity, privacy, or regulatory risk the vendor poses to the company If answer A: The type of data accessed has a direct correlation to the level of risk posed by the vendor. Data classifications that include personally identifiable information (PII) require more stringent oversight due to data protection regulations. If Answer B: A key factor in classification and assessments is the criticality of the vendor's services to the Outsourcer's organization. Service delivery requirements may impact both the overall risk rating of the vendor and the scoping of the actual assessment. If Answer C: The type and level of systems accessed has an impact to the risk tier and inventory. If the vendor has network connectivity or application access to the Outsourcer's environment, those factors increase the potential risks. Enabling system access may trigger additional reviews of network, server, and application security.
1. A Business Impact Analysis (BIA) documents and prioritizes a business's critical processes, associated systems, and the effect a disruption may have on the business. The BIA process is typically performed: a. Weekly b. Monthly c. Quarterly d. Annually
Answer D: Correct: A BIA is a formalized process to document the organization's environment. It is updated as technology changes, regulations change, or due to occurrence of outside events. It forms the basis of the company's overall approach to business resiliency. A: A BIA is not about tracking operational metrics, but is an analysis of the processes and systems that could impact the company in face of disruption. B: Organizations may be monitoring business continuity risks monthly to identify trends or patterns based on events. These metrics may be included in the overall update to the formal BIA which then is assessed and defines changes to the organization's response programs. C: An organization may conduct a quarterly table-top or test of program components, but the BIA would not change significantly quarter by quarter. These events may provide inputs to the update of the BIA.
1. Which of the following is NOT considered to be a first layer of defense to prevent unauthorized physical access to the organization's physical premises, systems, and information? a. Building monitoring and intrusion alarms b. Personnel access controls c. Security guards d. Firewalls
Answer D: Firewalls are part of an information technology perimeter control. They are not used in the physical security of a building. A: Monitoring and alarms are perimeter controls that provide alerts to unauthorized access or entry to the premises. B: Badges, PIN codes, and biometrics can authorize employee or contractor personnel for access to a facility. C: Security guards are typically stationed at the exterior of the building or at the interior of very sensitive locations. The use of guards is to protect the onsite security of personnel, visitors, and facility assets.
1. Which statement best describes the concept of "scoping" when planning to conduct a Third Party risk assessment? a. When services and products provided by Third Parties change and result in increased risks, a reassessment should be conducted. b. Vendor risk tiers should be based upon predefined criteria and applied consistently. c. All issues identified during the assessment should map back to security control requirements. d. Scoping is the process an Outsourcer uses to configure a Third Party risk assessment based upon the risk the vendor presents to the organization.
Answer D: Scoping risk factors may include risk criteria like data, system access, or availability. Scoping is a process to review, assess, and configure the Third Party assessment topics to address the identified risks. A: Ongoing monitoring functions define the triggers or events that may require re-assessment. These factors may trigger a new assessment to be scoped. B: Vendor risk tiers or classification set out a framework for expectations in due diligence standards. However, the scope of the actual assessment is focused on specific topics, locations, or services based on identified risks. C: Mapping findings back to control requirements is a process in risk identification based on the results of the Third Party assessment and controls validation.
1. Which of the following is the MOST effective sequence to test an entire facility when conducting a physical security review? a. Test restricted interior areas first. b. Test public areas of the building last. c. Test only the exterior areas of the building. d. Start on the outside of the building and work inward.
Answer D: The Defense in Depth security approach focuses on the outside perimeter first, followed by the interior or more secured access areas of the facility. The focus in on preventing unauthorized access to the building and then securing the interior workspaces and areas that host technology. A: Testing interior areas first does not enable a full physical security review of the facility. Weaknesses in exterior perimeter controls may impact what and how to test the interior rooms, so the exterior should be tested first. B: Testing public areas is the last component, since the controls review is looking at a limited set of controls applicable to such spaces. However, the question is risk-based, and greater risk from external factors comes from the exterior building controls which is more important in risk based due diligence. C: Testing only the exterior is not sufficient enough to gain assurance on the potential risk of loss of data. Interior workspaces and technology can trigger a loss of data, unauthorized access, or disclosure of confidential data. Testing a facility requires an outside in approach to confirm physical security controls of the entire environment.
1. A comprehensive third party risk assessment process should include all of the following, EXCEPT: a. Criteria for risk scoping b. Risk evaluation criteria c. Required controls based on vendor classification d. Threat modeling scenarios
Answer D: The third party risk assessment process is defined by the risk posed by the vendor to the outsourcer. This is based on the services being outsourced. Threat modeling is an activity to determine the types of risk that could be applicable to an application so that the proper controls can be defined in the Software Development Life Cycle (SDLC) process. It is a topic that may be included in a vendor's control evaluation of threat management and cybersecurity functions. A: Criteria for risk scoping may include factors like data, availability, system access, remote access, or criticality. The scoping of the assessments narrows the specific control topics. B: The use of risk evaluation criteria is part of the due diligence process for the outsourcer to analyze assessment results and compare the results to the expected controls defined in the TPRM program's policies, standards, and procedures. C: The third party risk assessment process incorporates specific control evaluation activities required by contract obligations or due diligence standards based on the nature of the services. Vendors in different risk tiers will be assessed differently in order for the outsourcer to gain assurance.
1. The purpose of a risk assessment is to determine which of the following the following: a. Ensure that the vendor is meeting its contractual obligations. b. Evaluate the compliance obligations of the vendor. c. Determine the scope of the business relationship with the vendor. d. Identify the inherent and residual risk that exists by doing business with the third party.
Answer D: This is the primary objective or the "why" you conduct an assessment. The other alternatives provide methods or tactics used in the assessment, but are the means to the goal. T A: Conducting a contractual review may be done as a separate monitoring event. After an assessment is completed, the findings or gaps may be compared to the contract terms for prioritization or corrective action. B: Conducting a compliance review may be done as a separate monitoring event. A compliance review is an output task after gaps have been identified in the assessment. C: Determining the scope of the business relationship may be a step in scoping a review or assessment. The type of services and relationship may trigger "what" is to be assessed.
1. A physical security program should provide appropriate facilities and building perimeter security, including but not limited to: a. Access-controlled ingress and egress points, door alarms, CCTV systems, and mold detectors b. Access-controlled ingress and egress points, temporary door jams, CCTV systems, and motion detectors. c. Access-controlled ingress and egress points, door alarms, UPS systems, and motion detectors. d. Access-controlled ingress and egress points, security guards, door alarms, CCTV systems, and motion detectors.
Answer D: This list focused on the elements of a physical security inspection that would address the perimeter of the building. A: Mold detectors are an environmental control, typically in secure rooms like server rooms or datacenters. They do not function to protect the entrance or exit of the building. B: A door jam is an example of an employee bypassing a stated security control, and shows a gap in behavior, not a structural element of perimeter security. C: While an Uninterrupted Power Supply (UPS) may be a component of a physical and environmental security program, its primary function is not about preventing intrusion or unauthorized access to the facility itself.
1. Your company outsources services that require the vendor to store customer data. The vendor uses subcontractors to provide its services. Which statement BEST describes how to address this risk? a. The company may perform an audit of the vendors control environment if an NDA is in place with the subcontractor. b. The company always has the right to audit the subcontractor as long as the subcontractor has access to or stores company data. c. The subcontractor must provide the company the right to audit. d. The company should inspect the vendors TPRM program and require evidence of its due diligence of the control environment.
Answer D: Unless stated in the contract with the third party, the subcontractor is under no obligation to directly provide information or assessment access to the company. The vendor is accountable to its clients, and the company needs to assess the vendors' TPRM program. A: An NDA may enable the subcontractor to disclose an external audit report (e.g., SOC report). However, this is not sufficient enough to enable direct audit rights. There is not a contractual relationship between parties to affirm obligations. B: Access or processing of data triggers the obligation of the outsourcing to gain assurance of the controls in place by their direct vendor. Access or processing of certain types of data may trigger the need for the third party to extend contractual obligations (e.g., business associate agreement, data processing agreement, standard contractual clauses). However, the focus is on the negotiation of audit rights directly between the outsourcer and the third party vendor. C: The subcontractor must enable their client (the vendor) to audit their operations. The subcontractor should be included in the vendor's overall TPRM Program to conduct assessments and apply contractual controls to the relationship.
1. An asset management program would fall under which of the following third party risk control domain categories? a. Governance and risk management b. Cybersecurity incident and threat management c. Information protection d. IT operations and business resilience
Answer D: When conducting a controls evaluation on asset management, the primary focus is on the operational execution of the controls, not the technology architecture and infrastructure of the control environment. Asset management functions are a part of IT operations and focus on the actual devices, servers, and data. A: Governance and risk management focuses on policies, procedures, audit, and the level of assurance required. While an information security policy may define an umbrella policy statement on asset protection, the controls to be evaluated are part of the operational execution. B: Asset management is an internally focused control area that is designed to implement controls on company assets. Cybersecurity and threat management functions focus on external threats to the control environment. C: Information protection controls focus on technology controls like physical security, network security, application security, cloud hosting, and SDLC processes.
1. Which of the following risk mitigation approaches is not a primary indicator when reviewing the maturity of a Third Party's process to manage application risk: a. Reviewing evidence that security gates or reviews are performed prior to deployment of changes to the application b. Assessing the scope and frequency of software security testing c. Dedicating personnel accountable for testing of acquired applications d. Monitoring current versions of anti-virus and malware software
Answer D: While anti-virus and malware may be controls within infrastructure for network and server security, they support the application but are not directly attributed to the security within the application itself. A: Application security requires ongoing assessment and reviews based on changes to the application or the application's infrastructure. Mature organizations will be able to show artifacts that indicate that security reviews were executed prior to deploying changes. B: The depth and breadth of testing and the frequency indicate the maturity of the governance of application security controls. C: Defining accountability testing of commercially acquired applications demonstrate a mature process. For application security, this may include testing the application or the configuration of the application in the company's environment.
Design
Architecture Firewalls Connectivity File Transfers Authorized Traffic
Evidence of a documents SDLC or secure software security development lifecycle (SSDL) include the following:
Artifacts backing up the activities described in the programs that provide some proof that security gates are actually executed The existence of a group dedicated to software security, with explicit accountability for software security in applications being acquired A documented process for fixing security defects Software security testing
Risk-Based Patch Management
As long as there have been computers, workstations, and devices, there have been required patches to operating systems and security settings.
Acknowledgements and Agreements for Device Handling
As part of the end user device on-boarding process, all users should be required to sign a legal agreement which details both the user and organization obligations and rights related to these devices. This agreement should include: A statement detailing user responsibility in ensuring the security of the end user device A statement that the organization's security requirements for organizational systems and data will override the user's personal use A statement specifying the owner of data on the end user device
What are key considerations that I should think about when evaluating my company's corporate compliance program?
Ask yourself the following five questions. Is your program well designed and structured? Is your program executed with positive management intent and purpose? Is your program adequately resourced? Is your program empowered to function and report issues? And finally, can your organization demonstrate that the compliance program is working in practice?
Validate and Update Risk Rating
Assess any changes in data types Update changes in type of services provided New system access or network connectivity Criticality Validate business units served
Modification to Risk Tier
Assessment frequency Type/Depth of the assessment Contractual clauses Regulatory, privacy, information security, technology Business requirements - KPIs, SLAs, etc.
Documentation
Assessors acquire documentation directly from the Third Party and review it to ensure it satisfies the requirements and the Third Party's responses.
Inventory Components
Asset inventory management is a critical component of an organization's data protection controls program. You need to know who has possession of assets at all times. An asset inventory contains an itemized list of current assets. Many organizations will deploy commercial software solutions to manage their asset inventory. Complete inventories typically convey a list of attributes associated with each asset. The inventory may include hardware and software identification, tracking or tagging mechanisms, data, asset owners, classification levels, facilities, connections, and compliance requirements.
Assets
Assets are property (physical, intellectual, system, or other property) that has value to an organization and is owned by the organization. Assets may include, but are not limited to physical locations, IT systems, IT networks, software (both an installed instance and a physical instance), personnel, virtual computing platforms, devices, logically related group of systems, and applications.
Asset Management Program
Assets should have someone responsible for their entire lifecycle Ensure assets are inventoried Ensure assets are properly classified and protected. Define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies Review the location(s) of where the assets and data are being used Ensure proper handling of an asset
5. Assign
Assign responsibility and accountability for ongoing management of risks associated with vendors, including process to determine that accepted risks in outsourced business relationships are aligned with your organization's vendor risk management policy.
Workflow Management
Assignment of tasks SLAs and timelines Status reports
Assurance Portals
Assurance portals provide online access to evidence, SMEs, and documentation. In conjunction, there are strategies for collaboration and communication protocols. These include: Use a consistent methodology for obtaining and retaining artifacts. Update standards for sanitized (redacted) vs. unsanitized proprietary information. Define acceptable criteria for use of virtual data rooms and virtual assessments. Agree upon protocols for web meetings, online collaboration, or portal access to artifacts. Leverage service provider assurance portals and repositories.
Risk Treatment Options
Avoidance of risk Addressing the Risk Transferring the Risk Accepting the Risk Monitoring the Risk
Business Continuity Risk Assessment
BCM is one element of risk structured in an organization's Enterprise Risk Management Program. Operational risk factors are evaluated to determine the possibility of events that could jeopardize critical systems or company operations. Risk is assessed based on likelihood and impact. The level of assessment required should be based on the complexity of the organization and the criticality of its operations.
Written and Accessible Business Continuity Plans (BCPs)
BCPs define the process for triggering the plan, including roles and responsibilities for program execution. Plans should include relocation strategies; communication protocols and procedures for recovery functions; services; and processes. Each plan should define the scope and frequency of testing.
Standards
Background check standards are based on country-specific and regulatory requirements, company standards, and industry-specific standards. These standards and criteria may be role based, or tailored based on job level, level of access, or authority. The frequency of periodic background checks may be based on regulatory obligations. Keep in mind that requirements also extend to non-employee workers. These checks are typically executed by Third Party firms on behalf of the HR department. Changes in job function or level may trigger updates to employee screening practices.
Business Continuity Management (BCM)
Business Continuity Management (BCM) is the process for management to manage and implement resilience, continuity, and response capabilities to safeguard employees, customers, products, and services. The focus is on managing and minimizing disruptions that can interrupt its operations. The level and scale of a BCM program is based on the organization's strategic goals and objectives.
Business Continuity Planning (BCP)
Business Continuity Planning (BCP) and disaster recovery planning define a comprehensive business resumption plan and approach to resuming business during and following a natural or man-made disruption; a large-scale illness; or key employee or supplier issues. Business continuity and disaster recovery plans have linkages to an organization's incident response and crisis communication plans.
Business Change Management Roles
Business change management roles may involve business relationship management and planning. Business owners may sponsor initiatives and have resources involved in testing or implementation. Businesses drive the profit and loss (P&L), but companies require internal controls to prevent inaccuracies or intentional misrepresentation of financial reporting. The governance model for change management provides checks and balances to support the appropriate separation of duties.
Disaster Recovery
Business continuity recognizes the requirement to not only recover and resume technology operations but also critical business processes by end users performing their respective job roles. This is where disaster recovery comes into play, as the process of resuming technical operations at a back-up site while recovering operations at the primary site.
Business Continuity
Business resiliency, or business continuity, is the degree to which an organization's business functions will either continue to operate or may otherwise recover within a pre-determined period of time, despite serious incidents or disasters. The primary concern in any emergency or disruption that affects facilities and infrastructure is the protection and safety of people.
Functional Areas of Operations Management
Businesses need to manage technology and the operating environment using a controlled approach for operating systems, middleware, applications, file systems, and communication protocols. We can break this up into four functional areas, which are configuration management; hardening of systems and applications; use of standard builds; and patch management.
Facility Tours Inspections
Certain categories of Third Parties may require physical security tours of information assets. Manufacturing sites, warehouses, and distribution centers may contain products, data, or physical assets. Facility tours of datacenters or technology centers may be conducted for certain types of services. Facility tours and inspections tend to be narrow in scope but focused on specific physical and environmental controls.
Challenge Access Authentication
Challenge access authentication is where one entity presents a challenge or question, and another entity provides a valid response to be authenticated. Typically, these are questions set by the user. This authentication type can also be "out of wallet," or information about a user not readily available in financial databases. But this has been negatively impacted by the growth in social media. Another commonly used form is CAPTCHA. This is a type of challenge and response test that is used to determine if a user is a human.
Assessing Risk in a Cloud Environment
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The Relationship Between Data Security and Data Privacy
Companies need to enact a data security policy for the sole purpose of ensuring data privacy or the privacy of their consumers' information. More so, companies must ensure data privacy because the information is an asset to the company. A data security policy is simply the means to the desired end, which is data privacy. However, no data security policy can overcome the willing sale or soliciting of the consumer data that was entrusted to an organization.
Privileged Access
Companies need users with specialized levels of technical access, which is required to give these users legitimate access to source code, file systems, and other assets to allow them to upgrade the systems or make other technical changes.
Hardening of Systems and Applications
Companies use a broad set of commercial off-the-shelf (COTS) software for operating systems and technologies. Each organization determines which sets of functionalities or features of a COTS product they will enable. Unnecessary software and services can introduce risk to the environment. When using COTS, organizations need to "harden" the installation and usability to ensure the hardware, software, and services are authorized and properly configured. These steps typically include changing default passwords, disabling unused services, and configuring access controls to first deny all, then granting access back to the minimum necessary for each user.
Communicating Assessment Results
Compensating controls identified by the Third Party that may not have been addressed during the initial review should be reported and included while you "verify" assessments to ensure their results match the "trust" portion of the initial self-assessment findings. Initial and ongoing assessment results should be shared with relevant stakeholders and should provide a level of information and detail that stakeholders require in order to fully understand the implications of specific findings identified through initial or ongoing assessments. Assessment reports should be targeted to specific internal audiences, such as the board of directors, senior management, risk committees, control functions, business owners, and other stakeholders.
What are Compliance Artifacts?
Compliance artifacts are a list of documents, evidence, diagrams, and screen shots for different control areas. These documents are requested in advance of the meeting, and some are reviewed in the assessment based on the level of confidentiality. The titles of the documents will vary across companies being assessed which is why the list has document categories vs. document names.
- Attacks, What you need to know:
Compromised networks provide attackers direct access into your systems, or the systems of a third party - Conduct a review of a Third Party's network security: Network device hardening standards; Intrusion prevention; systems detection
Two Linked Due Diligence Processes: Vendor Risk Assessments
Conduct formalized and repeatable Third Party vendor risk assessments using repeatable processes on determined timelines or events.
Third Party Risk Management Perspectives - Different Points of View: Risk Assessment Process
Conduct formalized and repeatable Third Party vendor risk assessments using repeatable processes.
Table-Top Exercises
Conducting a walk through or table-top process is an effective way to test the roles and responsibilities in a security and privacy incident program. A situation is posed to the team, who do not have prior knowledge of the scenario, and the team discusses how the organization should respond. The table-top approach is a good way to identify process improvements for emerging security and identify enhancements to internal escalation procedures.
Configuration Management
Configuration management is the process to securely maintain the organization's technology by establishing standards for tracking, controlling, and managing system settings. Settings may be stored in a Configuration Management Database (CMDB).
Scope of Program
Consider the following factors for achieving business resilience: Heightened regulatory expectations Physical resilience Cyber resilience Data backup and replication Personnel Third Party service providers Telecommunications Power Change management Communications
Open Items
Contact Third Parties to resolve any open items and to discuss any additional information needed. If there are conflicts, these will have to be validated. If needed, request additional artifacts.
Continuous Monitoring
Continuous Third Party risk monitoring is a risk management approach designed to improve awareness for an organization related to their Third Party risks and potential control weaknesses as those risks emerge. The approach leverages an ongoing process to assess, analyze, and report on security controls and organizational risks on a continual basis. This approach allows an organization to enhance its awareness of cybersecurity, privacy, technology, operational, and strategic Third Party risk exposure. Continuous monitoring is a subset of all monitoring, including ongoing monitoring. Sometimes, continuous monitoring outputs may trigger onsite or virtual assessments.
Strategies to Manage Risk in Third Party Relationships
Contract Templates; Defined Terms; Established Procedures; Due Diligence Obligations; Supporting Evidence
4. Documents for the Assessor
Create and maintain a log of documents used throughout the assessment. This must be completed and returned to the Assessor prior to the assessment. You must identify documents that can be sent to the Assessor in advance. Note any documents that may be viewed while onsite due to confidentiality requirements. Artifacts should be viewed online or via video. Be sure to record document names, attributes, and approval dates for audit purposes. Independent audits or reporting by assessment firms, internal audit departments, and prior assessments can be used to verify that the Third Party self-reported information.
It is important to understand the Third Party's privacy program and privacy management framework used to protect the privacy of personally identifiable information (PII) throughout its lifecycle. Privacy data safeguards include the following:
Creation of accuracy and quality guidelines Limitation of collection Limitation of processing Minimization of PII De-identification of PII Retention, disposal, and transmission controls of PII Sharing, transfer, and disclosure rules of PII
Category: System Access
Criteria: Connectivity: Specific connectivity to Third Party and whether appropriate security controls are needed or present based on scope data and location Remote Access: Requirement for remote access and whether appropriate security controls are needed or present System to System: System access that requires two systems or applications to be configured for data transfer with appropriate security controls and management approvals
Category: Availability
Criteria: Impact on Operations and End Users: Impact on business operations due to availability issue of Third Party, including the ability to continue internal operations, as well as provide services and products to customers Impact on Revenue: Impact on Outsourcer, such as impact to revenue due to an availability issue with the Third Party Impact of Regulatory Compliance: Impact on Outsourcer's ability to maintain compliance with applicable regulatory requirements due to an availability issue with the Third Party
Category: Data
Criteria: Type: Classification of data based on current policy defining scope data that may have varying degrees of security and privacy requirements Location: Where data is accessed or transferred relative to the risk of a specific data classification, as well as any applicable regulations Transmission: How data is moved or migrated as part of services provided; may tie to locations relative to applicable regulations or other factors
Two types within Data Classification
Data Category & Level of Confidentiality
Restricted
Data center, telecom closet
Data Input Validation
Data input validation is the testing of any input supplied by a user or application. The goal of input validation is to prevent improperly formatted data from entering an information system. Input validation attacks occur when an attacker purposefully sends abnormal inputs to confuse a web application. Validation checks that include mitigation for cross site scripting and Structured Query Language (SQL) injections are typical first lines of defense for such attacks.
Key Highlight
Data just might be the most sensitive corporate asset on any device. Any electronic device used to access client data and systems can pose substantial risks if not properly managed. Endpoint device security includes the connection of devices such as laptops, tablets, mobile phones, Internet-of-things devices, and other wireless devices connected to corporate networks. These can create an attack path for security threats.
Privacy Data Safeguards...
Data safeguards are comprised of the ways an organization collects data, processes or uses data, and how they manage the rules for handling data appropriately. Can each one of you expand on this?
PII De-Identification:
De-identification is a process that we can use to prevent an individual's identity from being revealed or identifiable. Techniques for de-identification may include masking, anonymization, or pseudonymization
Defect Management
Defect management is a process of detecting and fixing bugs, both pre- and post-development. It is common for bugs to appear in the process of software development. This is because software development is quite a complex process. A good defect management process will help to stay ahead of potentially damaging software defects.
Establish a formal governance model and organizational structure to manage THird Party risk within the organization. Consider the following...
Define clear roles and responsibilities. Create a risk management framework to focus the approach. Identify oversight and ownership of programs for board level or executive management reporting. Define processes for program updates based on changes in the internal and external environment.
Types of Roles within Third Party Risk: Third Party Risk Professional
Defines: requirements for third party risk management program structures Conducts: vendor risk identification and analysis to establish assurance and due diligence standards Evaluates: program performance with management reporting and benchmarking Implements: third party risk management processes within the organization
Pre-Assessment & Preparation Activities
Determine Onsite or Virtual Assessment; Confirm Scope of Assessment; Perform Information Gathering; Communicate Assessment Agenda, Requirements and Deliverables
Step 3:
Determine any updates to vendor classification or risk rating due to changes in risk
2. Determine
Determine the business value expected from your outsourced business relationships, based on understanding the range of business risks your organization is willing to assume.
5. Site Visit Agenda
Develop and circulate a specific assessment agenda with a clear scope statement. If there is a specific form listing all the topics and questions the Assessor will cover during the review, the Assessor should send that form along with the agenda. Determine confidentiality protocols for virtual collaboration; and agree upon approvals if the assessor needs to carry a camera or take a video of the physical controls.
Estimate Impact of Downtime
Do not forget to estimate the impact for each level of downtime. This impact could affect your revenue, reputation, and customer satisfaction. You must define requirements for the availability of vendor services and the corresponding impact if services are not available.
The following are TPRM best practices for termination:
Document the termination in a Third Party database (inventory and/or register) and communicate the reasons for termination. Procurement and other business units will have this information available for other existing contracts with the provider and for future reference. If termination was for cause, document the root causes. When termination occurs by contract provision (i.e., reaches the end of the contract term), wind down and document the termination using a pre-defined contractually agreed upon exit process. Ensure there is no service disruption during the winding down period. Recover all Fourth Party subcontractor or licensee data or confirm in writing that secure data destruction has taken place. Ensure that proper notice of termination or non-renewal is sent.
Assessment Breakdown
Each type of assessment utilizes different methods of performing due diligence based on the type of service or Third Party being assessed. The ways the Outsourcer and the Third Party interact varies based on the level of interaction or collaboration. The number of people involved in the assessment may also vary based on the complexity and scope of the engagement. A TPRM program should define the requirements and process elements for each type of assessment.
Practitioner-Level Skills Training
Education is also relevant to the skills gap among TPRM professionals in the changing threat landscape. Sufficient and appropriate resources in the human resources department is needed at the practitioner level. Without these resources, an organization cannot accomplish critical functions, or understand the criticality of these functions and processes for TPRM.
Due Diligence Requirements
Effective TPRM includes policies and standards that define specific requirements for assessments using industry standards and frameworks. Standards-based assessments offer significant advantages over one-off approaches as they are more objective, consistent, and measurable. Minimum standards for vendor due diligence should be set at the enterprise level, and will become your baseline or foundational vendor due diligence requirements. Due diligence requirements incorporate regulatory guidance; corporate requirements; data protection obligations; compliance; and applicable industry standards or specific service requirements.
Patch Management Process
Effective patch management is more than a policy, it requires a formalized process to identify, evaluate, test, and install software fixes in a timely manner. Patch management challenges include: Legacy systems Increased volume of attacks Time to assess impact to applications Mis-configuration of settings
Considerations for evaluating ongoing monitoring effectiveness include the following:
Effectiveness in evaluating your vendor's financial conditions Reliance on external audit reports Ability to evaluate changes in governance, social responsibility, and environmental obligations Effectiveness in reviewing and testing controls Ability to leverage technology enablers for data hygiene or web presence Ability to track applicable filing and certifications of compliance
Protect
Encryption TLS Data Loss Prevention Logging Monitoring
Security Responsibilities: Organizational security includes the definitions of the roles for administrative, technical, and physical controls. Responsibilities include the following:
Ensure adequate protection of information assets. Establish an information security culture. Initiate and review the implementation of data protection functions for security. Clearly define and communicate accountability. Establish, communicate, and maintain policies, standards, procedures, and practices for the security and handling of the organization's information assets. Establish an incident response program. Establish assessment methods and provide a suitable liaison. Monitor capabilities of the controls. Provide adequate resources to support the overall program. Scan for new security threats and mitigation techniques.
Provisions for On-boarding New Hires
Ensure job candidates, both internal and Third Party, are informed of the security roles and responsibilities prior to employment. Ensure that acceptable pre-employment background checks are complete, and that they either meet organizational policy, or approved exceptions if they were obtained before the employment offer was provided. Provide appropriate training or orientation to organizational policy, security, governance, and codes of conduct for all new employees prior to access being granted. New hires should sign or acknowledge their responsibilities for organizational policies which are tracked in the HR personnel systems.
Contract Renewals
Ensure you understand what your "non-negotiables" are. Prior to negotiating the contract, know where you have flexibility. It is important to establish and implement contract management procedures, including: Having a defined process. This includes designated authority levels for approval of contract exceptions based on risk. Having a process to review existing contracts for compliance with current contract standards. Having standards for when to use addendums vs. novation (new contracts). Having requirements for when to use or not use evergreen contracts.
Non-IT Focus Areas for TPRM
Environmental, Social, and Corporate Governance Business Ethics and Corporate Compliance Specific Industry Sector Requirements Trade, Marketing, and Sales Practices
Vendor Classification
Establish criteria for the contract review cycle based on vendor classification. Consider the level of contractual commitments required to address resilience requirements, criticality, and security based on the volume and nature of data processing. You must be able to map your contract terms and conditions to each risk tier in your vendor classification structure.
Exiting Contract Review Procedures
Establish procedures to review existing contracts for compliance based upon changes in the internal and external environment, emerging risks, and specific events. TPRM functions identify the types of events and risk factors that could trigger changes to contract terms.
Contract Termination
Establish standards for contract termination with clearly defined exit strategies. Each type of contract termination may pose different risks to the organization. Contract terms should be written so that terminations for ongoing services are transparent, do not cause visible disruption to consumers, and do not introduce incremental risk.
Forth-Nth Party Management - 4 key points
Evaluate: Evaluate the volume and type of subcontracted activities. Identify: Identify and quantify the geographic location risk. Assess: Assess the organization's ability to manage the oversight of Third, Fourth, and Nth party relationships. Utilize: Utilize Third Party assurance reviews and request evidence of TPRM due diligence on subcontractors.
Executive Management
Executive management and governing boards should regularly undertake independent TPRM program evaluations to provide comprehensive assurance that these programs meet organizational risk requirements.
Sufficient Testing to Verify that Recovery Procedures Support the Objectives
Exercises and tests are used to validate specific attributes of the BCP and the identified recovery strategies. Tests include tasks and activities to implement the plans. Testing plans include policies, defined roles, and responsibilities. They require sufficient personnel to effectively conduct the test and include safeguards to protect data and systems. Test results should be reviewed to determine if goals were met.
External Certifications
External trainings can involve certifications. Certification provides a recognized training protocol that has industry-wide acceptance. This acceptance is in regards to the relevant area in which the certified individual is applying that expertise. Note that most certifications have ongoing educational requirements. A critical component of any certification is ongoing training and a re-certification process that assures that the individual maintains an appropriate level of understanding over time.
Industry Frameworks utilize common principles, just as privacy regulations take those concepts into defined control obligations. Some of those frameworks are:
Fair Information Practices Principles (FIPS) Generally Accepted Privacy Principles (GAPP) Organization for Economic Cooperation and Development (OECD) Trust Services Criteria for Privacy (AICPA) NIST Privacy Framework ISO/IEC 27701 Privacy Information Management Systems (PIMS) APEC Privacy Framework (APEC)
4. Remediation Process Management
Findings and corrective action measures are risk-rated based on the risk posed to the organization and prioritized using defined severity levels. Managing the closure of risks and findings is part of the remediation process.
Level 3: Business Segments
Focus on business and operational risks Number of metrics depends on business-specific requirements Changes driven by risk/return opportunities
Understanding the Definition of Consituent
For human resources security, workers can have different statuses or classifications based on the type of employment. Workers can be full-time employees, part-time, exempt or non-exempt, temporary workers, or contractors. Contractors or consultants can be independently sourced, or sourced through firms. The role and function for who performs pre-employment screening will vary based on the type of work arrangement. For TPRM it is important to understand the distinctions of how the organization addresses HR requirements to all groups of workers.
When assessing vendors or service providers, location and collaboration factors must be taken into account..
For location, it could be single or multiple, and also different types of facilities such as call center, data center, manufacturing, or sales. Collaboration factors define how each party communicates and shares information during an assessment. Collaboration may be in-person, teleconference, recorded content, or within an online data room.
Program factors can include:
Frequency Scope of review Depth and breadth Level of automation Outside information sources Information sharing
The Expedite Travel team is reviewing their due diligence standards to address changes to the types of assessments they perform for each category in their vendor classification structure.
Given the global nature of their operations, they need to consider their staffing needs and assessment logistics. They have been experiencing challenges in completing all the assessments and managing remediation as new third party risks are emerging. They have also been experiencing an uptick in changes to their vendor portfolio due to M&A, financial challenges, and changes in key vendor personnel. The TPRM team has set up a meeting to assess the business case of deploying software to improve the monitoring efforts of their vendor portfolio. This case study incorporates all three components of the fourth training course. The TPRM team needed to understand the steps needed to plan and prepare for assessments; how to execute assessments; and how to manage post-assessment remediation and reporting. Managing a third party is an iterative process and can be based on changes in the internal and external environment. Risk can occur from any classification of third party.
Cloud Computing Stack
Hardware - IaaS Operating Systems - IaaS - PaaS Middleware - PaaS - SaaS Applications - SaaS
Contract Review Cycle
Have a formalized process by which contracts are periodically reviewed to assure that the terms and conditions (including SLAs) remain current and relevant to the organization's present standards and expectations.
Contract Templates
Have a standardized set of clauses. These are usually designed for a specific setting, product, or service that can be included in a contract for a specific relationship. It also allows a contract to be customized to fit a variety of different relationships.
Identified threats can include:
Hostile cyber or physical attacks Human errors Internal actions by employees Structural failures of company-controlled resources Natural and man-made disasters, accidents, and failures outside of the company's controls.
Administrative Controls
Human Resources BCP Addressing risk with Third Parties Asset management Data classification firewalls Malicious code prevention Outbound filtering Security monitoring
IT Service Management (ITSM)
IT Service Management (ITSM) is a generic umbrella for frameworks, processes, and models that address best practices in managing, supporting, and delivering IT services.
IT Change Management Roles
IT change management roles include managing change within the environment. This includes development, testing, QA, and production. IT functions need to address segregation of duties for changes to networks, systems, databases, and applications based on the environment. Roles need to be defined to review the impact that changes have on security controls. IT functions must be involved in testing the changes, including systems testing, integration testing, functional testing, user acceptance testing, and security testing. IT functions are also accountable to ensure network devices are configured appropriately and validate that new hardware complies with organizational policies and standards.
Centralized Functions
IT management acquires, installs, and maintains technology Provides direct ability to control and monitor technology investment May provide operational efficiencies Business unit managers retain responsibility for enforcing internal controls in their area Use of managed services for security functions
Decentralized Functions
IT management serves in an advisory role in acquisition, installation, and maintenance of technology Often more common in larger or complex organizations May be used to enable faster decisions on IT services to specific departments Business unit managers may play a greater role in ensuring compliance to policies
Infrastructure as a Service (IaaS)
IaaS is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers, and networking components. The service provider owns the equipment and is responsible for housing, running, and maintaining it. EX: Amazon Web Services (AWS), Google Compute Engine
Basic Incident and Issue Management: Process components of incident and issue management include:
Identification of potential compromises Analysis of events Classification of events by incident severity Escalation of events Reporting internally and externally
Evaluate
Identify and analyze results Evaluate risks Conduct periodic TPRM Program benchmarking
- Zero-Trust, What you need to know:
Identify and inventory all network connections with third parties. Assess adequacy of security, regardless of vendor classification. Identify access points and connections that pose risk, including LAN connections to other networks. Include all communication service providers (e.g. ISP, Wifi, cellular). Identify connections between and across systems. Assess all connections with third parties that have remote access to or remote control of your systems
Understand the regulatory jurisdiction or industry sector to identify contractual obligations and types of contracts that may be required. Consider the following:
Identify required contracts, agreements, and provisions based on regulatory jurisdiction. Confirm the industry sector that may require specific contracts (e.g., healthcare, financial services, insurance, manufacturing, retail, consumer packaged goods, asset management). Define the type of agreement for different technology deployment models. Clarify the roles and responsibilities for legal entities involved in the contract. Align and conduct periodically scheduled due diligence of contractual obligations based on vendor classification and type of contract.
Assessment closure meetings provide the opportunity to discuss the assessment, the process, and next steps, including:
Identifying potential findings Reviewing outstanding requests Setting action items Assigning to-dos Setting expectations for draft and final reports Reviewing timelines and processes to create corrective actions Identifying resources to approve remediation
Identity Management
Identity management is a way to provide users access to multiple systems while using only a single point of access and credentials. SSO allows a single authentication credential like a user ID and password, smart card, one-time password token, or a biometric device, to access multiple or different systems within one organization. A federated identity management system provides single access to multiple systems across different enterprises. A disadvantage of federated authentication and SSO setups is that a compromise of the end-user credential provides access to multiple systems.
Scoping
If the assessment of a vendor involves a controls evaluation of increasingly technical and complex systems and applications, the assessment will likely involve more subject matter experts and require inspection of external assurance reports. These factors should be included in the planning process for assessments of critical vendor relationships.
Defined Terms
Implement a process to define the terms, if any, under which vendor outsourcing to Fourth (Nth) Parties (sub-outsourcers) is permissible and standard contract language that reflects those requirements.
Risk Based TPRM Classifications
In TPRM, a "high risk" vendor would be assigned a severity level based on the amount of risk posed to the company. High risk vendors are like higher category hurricanes. Low risk vendors are weak tornados or Category 1 hurricanes. In TPRM, each organization defines in their TPRM policies the attributes that define the potential risk posed by the third party relationship using a formalized scale, measurement, and classification to assign a risk tier to the vendor. Factors like volume of data, criticality to operations, and sensitivity of data create a higher risk tier and a need for preparation and stronger due diligence to address the risk.
Organizations should maintain documented operating procedures and technological controls to ensure the effective management, operation, integrity, security, and availability of their network.
In addition, organizations should maintain an up-to-date network diagram, including all data interfaces for secure data transmissions associated with client data.
Onsite Assessments
In contrast to remote assessments, onsite audits are the most "hands-on" approach to performing assessments, In an onsite assessment, the Outsourcer conducts a phsyical or in-person assessment of the Third Party's risk controls and evironment. They look beyond just the existence of controls and validate that the controls have been implemented and executed properly. Onsite assessments require long range planning to ensure access and that resources will be available. Onsite assessments require participation from mutiliple subject matter experts and may require visits to different locations. The process nromally takes 2 days to a full week based on the depth and breadth of the topics under review. Onsite assessments are often conducted by external resources hired by the Outsourcer. Onsite assessments are typically required for only critical service provider relationships.
Response Framework
Include a response framework that addresses all facilities, systems, and procedures required for maintenance of critical operations. The framework should include the appropriate protocols required by the company and be in accordance with regulatory or legal guidance. Impacts to customers should include alternative solutions for service and support.
Testing Program
Include updated testing programs and procedures to identify new requirements and process improvements.
Governance Structure Updates
Include updates to the overall governance structure and risk assessment so that the organization's policies, procedures, and standards can include requirements and guidance issues by health organizations.
Risk Factors
Incorporate specific risk factors into contract language. Identify how changes in criticality, data classification, geolocation, or cybersecurity can impact risk and the need to update contracts. Ensure topics like insurance, indemnification, liability, and penalties can be adjusted due to a change in risk.
Limit Processing:
Individuals can limit the way our organization can use their data. Individuals can communicate their preferences for use, disclosure, retention, or deletion. Processes need to be implemented to address such access rights by individuals or data subjects. Certain uses of information may require consent from the individual for processing.
Information Assets
Information assets are a body of information, defined and managed as a single unit so it can be understood, shared, protected, and exploited efficiently. Information assets have recognizable and manageable value, risk, content, and lifecycles. It can be looked at as anything that processes data (applications, appliances, databases, operating systems, business applications, etc.)
Employees, contractors, and Third Parties will acknowledge their responsibilities for the following:
Information security Confidentiality Acceptable use Non-Disclosure agreements Non-Compete agreements for certain job roles Code of conduct or ethics Terms of employment
Software Development Lifecycle (SDLC)
Inventory, Risk Prioritization, Define controls and testing, Defect vulnerability management, Define an evergreen process
Due Diligence and Third Party Selection
Involves assessing TPs before making the decision to enter into a contract and conducting assessments and evaluations on each TP. The type of due diligence is directly related to the type of risk that is posed by that TP
Leveraging Sanitized or Abbreviated Artifacts
It is an acceptable practice for service providers being assessed to redact or sanitize compliance artifacts for review by clients. The objective is to provide sufficient evidence of the control environment. Technical configuration, network security, and application security contain proprietary information and can create risk for both the outsourcer and the entity being assessed if the artifacts are not being handled appropriately. When conducting a review of compliance artifacts, the key is to understand the control objective and how the control is met. Each document can be reviewed to identify the appropriate attributes that verify the presence of the controls. For services that are subcontracted, there may be contractual limitations or non-disclosure agreements that limit the sharing of confidential information.
2. Preliminary Meeting
It is beneficial to hold a preliminary kick-off meeting in advance of the assessment. Include internal partners and verify location and visa requirements for any international assessments.
Defining Budget and Resources for TPRM Programs
It is critical to define and communicate realistic budget requirements for operating and maintaining the TPRM Program requirements, policies, and due diligence standards. Let's look at this as a process: Your first order of business is to measure the number of people you need to perform control assessments. Next, you must measure the number of people you need to interpret vendor responses. Finally, you should measure the number of people you need to maintain the program.
Operational Reporting
It is essential to define a process to maintain and communicate periodic reporting for TPRM operational metrics that convey the effectiveness of the program's execution. Operational reporting examples include: Compliance to your vendor management processes and procedures Status of incidents (identification, tracking, resolution, consequences) Escalation protocols for incidents and issues Workflow reporting on task completion within vendor assessments
Identify Impact of Downtime
It is important to identify the impact of downtime on your service delivery. Whether it is 24 hours, three days, or a week, you must establish standards for recovery and resiliency for Third Parties based on the criticality to your operations.
Summarizing Assessment Results and Findings
It is not uncommon for there to be outstanding items following an onsite or virtual assessment. These items should be logged, tracked, and managed in order to complete all the assessment activities. Although Assessors may perform the assessment, they are typically not responsible for risk rating the severity of findings or approving corrective plans. The resolution and management of findings is part of post-assessment activities.
Log Management
Log management is an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.). Log management generally covers: Log collection Centralized log aggregation Long-term log storage and retention Log rotation Log analysis (in real-time and in bulk after storage) Log search and reporting.
Common Inventory
Make use of one common inventory, complete with tiered risk ratings across the organization. Ideally, the inventory should be centralized and accessible to everyone within the organization with need-to-know access. Third Parties may have multiple relationships with an Outsourcer, which should be documented to understand the aggregate inherent risk associated with all Third Party relationships.
Two Linked Due Diligence Processes: TPRM Contract Lifecycle
Manage Third Party risk across each phase of the contract lifecycle from selection, onboarding, vendor management, and termination or exit.
Third Party Risk Management Perspectives - Different Points of View: Contract Lifecycle Process
Manage Third Party risk across each phase of the contract lifecycle; including selection, onboarding, vendor management, and termination/exit.
Training & Awareness Program
Management is responsible to ensure that ongoing training and awareness, including testing and competency checks, is applied throughout the employment of all personnel. This includes periodic policy awareness and acknowledgement of their obligations. Training should also be updated when policies change.
Threat Identification Process
Management should have processes to identify and assess threats. Threat knowledge should drive risk assessment and responses. Organizations should have policies and procedures to enable immediate and impactful measure that ensure threats are handled quickly. Threats to an organization can be driven by internal or external factors.
Building Blocks of Compliance
Management should regularly review their requirements and expectations of Third Parties with defined policies and standards that address the following: Regulatory, statutory, and contractual obligations Environmental, social, and corporate governance (ESG) Ethics and business practices Trade, marketing, and selling practices Operational and international compliance Emerging non-IT risks
Risk Governance
Many organizations field an enterprise risk management committee that governs all aspects of risk. This includes using a board, or governing committee approved charter, for Third Party risk. Enterprise risk management committees typically ensure that risk tolerance metrics are actionable at the business unit or department level. Enterprise risk management committees also ensure that risks are monitored effectively, and verify that any risk management concerns are appropriately reported to all levels of management. Small organizations do require a coherent risk management process, though those organizations may not require an elaborate enterprise risk management structure.
Each type of outsourcing presents different factors that contribute to the overall vendor risk rating.
Mission critical activities always require more rigorous due diligence since they represent the highest risk to the company. Once the risks are evaluated the vendor can be slotted into the appropriate risk tier based on their overall rating level. The output of this process will become the input to implementing tiered due diligence.
Mobile Device Management (MDM)
Mobile Device Management (MDM) is an industry term for the administration of mobile devices. This includes smartphones, tablets, laptops, and desktops. MDM is usually implemented with a commercial product that has product-specific management features. It can incorporate safeguards related to, but not limited to, password controls, remote wipe, remote lock, detection of jailbreak devices, and encryption validation. MDM focuses on controlling the entire device and requires that users enroll or register their device and install a service agent.
Periodic Monitoring
Monitoring occurs at specific points in time after an initial Third Party control assessment has been made. Periodic monitoring generally lacks the timeliness and level of granular visibility required for proactive responses to certain issues that continuous monitoring can provide. Improved and more targeted threat intelligence capabilities are making near real-time monitoring an essential component of TPRM programs. Sometimes, continuous monitoring outputs may trigger onsite or virtual assessments.
Network Security
Network security includes all equipment and software used in the movement of data inside and outside of the corporate environment. Networks have typically been defined by secure boundaries into "trusted" and "untrusted" zones, or using the "zero trust" model. You must also factor in Wireless LAN (WLAN), which is a type of network connectivity that enables users to connect to the network remotely without a physical connection via a broadcasted wireless signal.
Third Party Contract Lifecyle - 4 stages
New Relationship Planning Third Party Selection Relationship Management Contract Termination
Analyzing Assessment Results: 3 Key Activities
Open Items; Findings and Actions; Final Report Distribution
Company Laptops
Operating a laptop takes roughly 70 million lines of code. The laptop is functioning but may have a vulnerability that has always been there until it is exploited. A company can manage thousands of laptops. That obviously adds complexity. Managing patches requires decision-making to ensure that the fix does not break functionality. During the entire process, the company is assessing the risk of exposure and what changes need to be made.
Key Impact Areas for Risk Rating Elements
Operational Criticality of processes Concentration Compliance Reputational Financial and Credit Strategic (logical and physical security) Resiliency/Business continuity Transaction Recovery time objectives (internal or external provider availability) Vulnerability to risk
Assessing a Vendor's Resilience
Operational resilience is not simply focused on internal recovery of operations. Operational resilience includes the identification of vendors and external dependencies to company operations. Evaluating availability of a vendor's services requires a risk assessment of their ability to recover their operations without disrupting service delivery to the company. The assessment includes an evaluation of their approach to business continuity management.
Performance Measures
Operations management functions include monitoring the internal environment for performance measures and metrics.
Protection from the Outside: Organizations should take appropriate steps to prevent unauthorized physical access, as well as accidental and intentional damage to the organization's physical premises, systems, and information.
Organizations should also take appropriate steps to protect against failures caused by environmental factors.
Key Highlight
Organizations should appropriately monitor and safely record relevant security events in order to provide alerts of suspicious activity, and to generate evidence.
Plan Testing
Organizations should conduct periodic tests of incident response and incident notification procedures to ensure that plans are kept current, relevant, and align to regulatory or contractual obligations.
Threat Management Program
Organizations should develop procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information. These components can be structured with formalized components that include leveraging information from resources outside of the organization. Threat monitoring should address indicators of vulnerability, attacks, compromised systems, and suspicious users. Monitoring should encompass the analysis of incoming and outgoing network traffic to identify patterns, suspicious activity, and data exfiltration.
Access Risks
Organizations should ensure control over access to scoped data, information processing systems, and facilities. Without this control, there are a number of potential user risks, including altering, misdirecting, stealing, deleting, or selling data. This is also the risk of data misuse following termination or a change in job role.
Application Security Policies, Standards, and Procedures
Organizations should ensure software security policies, standards, and procedures are implemented and that stakeholders, business owners, and internal governing bodies have a common understanding of business practices and risk management expectations.
Server and Network Security
Organizations should ensure that a formalized process is in place for building, configuring, hardening, and managing target systems
Threat and Vulnerability Management
Organizations should ensure that security threats are managed through the use of both automated and manual scanning tools
Organizational Security
Organizations should establish a management framework that defines the roles and responsibilities of those who are responsible for information security within the organization. This includes the business units and information security functions.
Data Privacy
Organizations should establish and maintain a privacy program and risk management framework to control and manage the protection of client-scoped data.
Human Resources Security
Organizations should establish and maintain formal policies for human resource security, including conducting appropriate and allowable background screening for all constituents. Also, include acknowledgment of the organization's privacy, information security, and risk policies by all constituents and periodic formalized training on these policies, including at the time of hire.
Asset Management
Organizations should implement a formalized Asset Management Program that documents and maintains an inventory of hardware, software, and information assets
Global Workers
Organizations that contract with firms that hire personnel in locations that differ from the organization's country can still be required to conduct background checks. The process and level of information will vary depending on the specific country. Contracts should specify that background checks are conducted where permitted by law and based on country-specific standards. The due diligence process should define the audit procedure for this control based on the specific country location and should focus on auditing that the service provider is meeting their contractual obligations.
Incident vs Issue
Outsourcers must be prepared to address a wide range of incidents and issues that occur during normal business operations. Despite the seeming similarities between "incident" and "issue," there are significant differences between these two terms.
Specific Industry Sector Requirements
Payments, insurance, manufacturing, consumer packaged goods
Spear Phishing
Phishing attacks targeting a specific group or role within a company
Whaling
Phishing attacks targeting an executive in an organization (the CEO, CFO, or any C-Level role)
Phishing Test
Phishing is a technique used by cyber criminals to trick individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication. Phishing attacks may also infect malware or viruses onto the user's device.
Smishing
Phishing method that uses text messaging (SMS) to execute the attack
Search Engine Phishing
Phishing method where hackers work to become the top hit on a search engine search
All personnel working on behalf of the company shall be required to complete training based on internal policies that are appropriate to their job function. This includes:
Physical, technical, and administrative safeguards based on organization's policies Topics of current threats and risks (e.g., phishing, social engineering) Compliance training based on job role or function Device use and security
Types of Roles within Third Party Risk: Third Party Risk Assessor
Plans and Scopes: on-site and virtual risk assessments for a specific third party relationship Conducts: Assessments and testing of the third party's location and control environment Summarizes: assessment results, findings, and remediation actions Performs: discovery and evaluates compliance artifacts
End User Device Policies
Policies and procedures for end user devices should address both company-owned devices and employee-owned devices and include all aspects of the device lifecycle. This includes: Acceptable use policy BYOD policy User responsibilities Technical controls Return of devices
Employee-Owned Devices
Policies for the use of employee-owned devices should be defined with a set of usage and technology standards that meet the organization's information security requirements. The company may require or limit the functions of the device, require agreement to rights and responsibilities, and require the employee to agree to specific terms before the devices are allowed to access the company network.
Human Resources Security Policies
Policies should be approved by management and communicated to employees on a periodic basis in an HR handbook or policy manual. Consider the following: Pre-Employment screening and onboarding Terms and conditions for employment Performance reviews, incentives, and appraisals Policy differences based on country, state, line of business, or jurisdiction. Training and awareness programs Off-Boarding and separation procedures
An effective TPRM program process must include a periodic review or evaluation to identify continuous improvements for each TPRM program component
Policies, Standards and Procedures Organizational Roles and Responsibilities Organizational Structure Regulatory Impacts Training and Awareness Reporting Effectiveness
Three phases of an Assessment Process
Pre-assessment and Preparation, Engagement Activities, and Post-Engagement
Prereqs for a robust Third Party Contract Management process include:
Presence of an effective risk control framework Presence of an effective Contract Management System (CMS) that tracks contract evolution across the lifecycle Strong and experienced legal support structure (internal and external) Relationship owners providing detailed requirements for Statements of Work (SOWs) that are categorized by risk and service type Standard contract templates for Request for Proposals (RFPs), Master Services Agreements (MSAs), Statements of Work (SOWs), and Service Level Agreements (SLAs) Monitoring processes to trigger reviews or updates to contract provisions based on changes in the internal or external environment
Privacy assessments may be called..
Privacy Impact Assessments or Data Protection Impact Assessments .. based on regulatory jurisdiction
PII Sharing and Disclosure:
Privacy regulations may restrict how we share information with Third Parties and for what purposes. Disclosures of personal data to Third Parties, like vendors or service providers, should be clearly communicated in our privacy notices. In some jurisdiction, there are limitation of the transfer or access of personal data across geographic boundaries
Cloud Computing Deployment Models
Private Cloud, Hybrid Cloud, Community Cloud, Public Cloud
Procedures
Procedures are implementation guidelines. They are operational in nature and show you how to do the work. Procedures define or set up the steps to take in order to demonstrate how to implement your policies. They are separate from policies to facilitate updates and revisions over time.
TPRM Program Communication includes the following:
Processes and mechanisms to communicate policies and standards across the organization Ongoing education program for vendor risk management policies, standards, and procedures Defined roles to maintain policies, standards, and procedures Defined and documented roles and responsibilities for key functions that manage sourcing, procurement, legal, and risk Defined schedules for TPRM program documentation review and approval Defined roles for exception handling
Procurement
Procurement is an organizational function that focuses on the direct acquisition of goods and services from an external source. Procurement team functions focus on finding suppliers and agreeing to terms, often using a tendering or competitive bidding process.
TPRM Risk Reporting
Program metrics Issues and findings Approvals and exceptions
Board of Directors
Program status Audit/Risk committee Risk tracking
Role-Based Access
Properly implemented access controls provide "role-based access." With this, only the necessary access for a specific job or job function is granted. Many organizations will group particular jobs into a group or profile to standardize access for each role.
Real-Time Monitoring
Real-time (data) monitoring or near-real time, requires the delivery of continuously updated information streaming to the organization in near real-time at zero or low latency. This level of monitoring uses applications and tools to collect snapshots of relevant risk information and enable trending, forecasting, alerts and response time to significant events. Real-time monitoring is a type of monitoring typically used in threat intelligence processes. Threat intelligence processes yield aggregated information from outside sources that has been transformed, analyzed, interpreted, and enriched to provide the necessary content for decision-making.
7. Reconfirmation
Reconfirm visit, agenda, and attendees prior to engagement date.
Defining and Managing Escalation Processes
Remediation plans may need to be managed over time. For diverse service providers, there may be multiple annual third party risk assessments based on the topic or service. Updates to the status and closure of findings should be tracked and monitored by both the outsourcer and the vendor. It is not uncommon that delays in technology deployment may impact committed target dates.
Key Highlight
Remember, "Trust, but Verify". Assess questionnaire responses, verify control information using different types of assessments, and validate controls with standardized testing procedures.
Test and Evaluations
Remember, there are four types of tests and evaluations. These are self-assessments, table-top exercises, scenario planning, and internal and external simulations.
Remote Assessments
Remote assessments can be described as a "Hands-off" approach to performing assessments. In a remote assessment, the Third Party completes a questionnaire designed to provide information about how they develop and maintain the protection of information assets (e.g., data, applications, systems, network, facilities). Assessors acquire documentation directly from the Third Party and review it to ensure their responses satisfy TPRM requirements. Assessors may rely on evidence from external audit reports for validation or independent testing of controls. This is the trust component of an assessment as the Third Party is "self-assessing"their risk controls. This approach is common for lower risk Third Party relationships.
Types of Risks
Reputation, Financial, Technology, Compliance, Regulatory, Nth Party, Geolocation, Fraud, ESG
Assessment Reports: Key Point 2: Review the Management Attestation and Auditor Statements
Review the opinion and any qualifications to identify potential concerns. Examine the controls that were tested to identify those with deviations and impact to the services provided. Review management responses to any testing exceptions. Be on the lookout for consistent types of control weaknesses noted in the review which may indicate a systemic issue.
4 steps in Remediation Planning
Review, Negotiate, Approve, Amend
Reviews
Reviews should place a special emphasis on the evolution of TPRM point-in-time assessment and continuous monitoring tools. Ahead of these reviews, evaluations from the second line of defense (risk and control functions) regarding the current applicability of key risk factors should be provided to the team performing the review. These periodic reviews provide the governing board and executive management with comprehensive assurance that the TPRM program is meeting the risk requirements of the organization and regulators, and that the program is operating efficiently and effectively.
Risk Tiered Assurance Levels
Risk classification triggers a higher level of depth for information gathering and control testing. This level of control testing is based on the risk parameters, priorities, and resources of the Outsourcer. Note that assurance levels may change over time.
Risk Reporting
Risk identification Risk acceptance Approvals and exceptions
Risk Management
Risk management is the analysis, reduction, prevention, mitigation, or remediation of threats, exposures, and vulnerabilities that might put an organization's objectives at risk. Some common methods used to help manage risk include assessing the probability and impact of threats, as well as assessing inherent and residual risk. Risk management also prioritizes the treatment of risk according to objectives defined through a business impact analysis and the organization's risk appetite.
Risk Tolerance
Risk tolerance is defined as a threshold of risk an entity is willing to assume in order to achieve a potential desired result. Tolerance measures organization or stakeholder readiness to bear the risk after risk treatment has been performed. This is done to achieve its objectives. Risk tolerances can be defined with sufficient precision to be translated into actionable metrics or measurements.
Software as a Service (SaaS)
SaaS refers to a cloud-based model of software deployment in which a provider licenses an application to customers for use as a service-on-demand. EX: netflix, office tools (office 365, google docs, Salesforce)
The risk landscape is evolving quickly due to the acceleration of technology and in response to emerging threats. Effective threat management and vulnerability management programs have assessed and defined requirements to address these evolving threats. Elements to consider include the following:
Secure data recovery Ransomware Cybersecurity hygiene Internet of Things (IoT) Artificial intelligence Machine learning
Key Highlight
Security patches should almost always be applied; while enhancement patches should be tested to ensure they do not degrade performance.
Mitigating the risks requires definition and implementation of an access control program. Program components should include the following:
Security requirements in pre-employment screening for IT hiring practices User access program for both physical and logical access Segregation of duties Confidentiality, non-disclosure, and authorized use agreements Training and awareness Processes to verify appropriateness of access Consequences management for non-compliance Periodic independent reviews of the program
Patch Management
Security vulnerabilities may be discovered in operating systems and software applications after deployment. Hackers will exploit these vulnerabilities in targeted attacks. Third party vendors issue patches to fix such vulnerabilities on an ongoing basis. Organizations need to implement patch management systems and software to deploy these updates.
Business Continuity Management Program Components - 10 things that constitute a successful BCM Program
See 10 cards below
It is important to understand if a particular Third Party has instances of "_________" or if certain security functions are outsourced in a "_________" capacity. Identifying how governance is managed within the organization demonstrates their maturity in managing organizational security.
Shadow It; Managed Services
Code Review
Source code review is a manual process for checking the actual source code of a web application for security issues. In some cases, this method is the only way to detect certain security vulnerabilities. This technique is especially leveraged for review on proprietary systems, or development that has been conducted in-house. Source code analysis is an efficient way to identify issues where fail-open control procedures are present or input validation is not being performed.
Collaboration
TPRM is based on a business relationship. Assessments are designed to focus on identifying and mitigating risk
1. Due Diligence Standards
TPRM policies and due diligence standards determine the scope and method of due diligence used to perform the risk assessment. The level of due diligence associated with each activity should be based on factors that include the type of outsourcing, service criticality, and operational resilience considerations.
Review
The Assessee and Outsourcer review any issues or findings to define any remediation, resolution, or monitoring that may be required to meet the Outsourcer's requirements.
Risk Rating Process
The Risk Rating may also be known as the Risk Prioritization Scoring Method or the Risk Ranking. To conduct "Risk Rating" as a process, risk rating is used as a verb. The Risk Rating process means a rank order quantification using a systematic approach that quantifies risk in terms of loss potential, then sequences individual risks to determine the order in which compensating controls should be implemented. When activities are outsourced, this Risk Prioritization Scoring Method also determines how often and how thoroughly Third Party controls and related processes (such as disaster recovery testing) are examined and tested. After the Risk Rating Process is complete, a Third Party is given or assigned a Risk Rating Status that reflects the status of the risk in the Third Party relationship. In this case, Risk Rating is a hierarchical measurement that is obtained through the process of the rank order analysis.
Evaluation Process
The TPRM program evaluation process itself should be examined regularly with a focus on improving both process efficiency and effectiveness. On a periodic basis, it is essential that either the third line of defense (internal audit) or an independent external firm with appropriate knowledge and expertise perform an objective and independent review of the program.
The entire due diligence process should be reviewed and routinely challenged to assure:
The appropriateness of due diligence techniques, including documentation Evaluation of roles and responsibilities of participants, including resource needs The adequacy of reporting metrics and assurance that the process reflects any changes to the mission or operations, resilience factors, and evolving regulatory expectations Shifts in the Outsourcer's overall needs Effectiveness of management reporting on assessments and findings
Regular TPRM evaluations should examine the following aspects of due diligence:
The appropriateness of due diligence techniques, including documentation to ensure they are commensurate with both current and emerging risks The adequacy of reporting metrics The adequacy of management and C-Suite reporting Effectiveness of ongoing monitoring
Normal
The business relationship is no longer necessary, appropriate, or the contract need has ended.
Shadow It or Shared It
The concept of shadow IT or shared IT occurs in an organization when IT devices, services, and software are used inside an organization that are procured outside the user organization's ownership or control and without formalized organizational approval. The flexibility offered by use of cloud providers may enable speed of development. However, a lack of governance in organizational security can foster the acquisition and deployment of technology without approvals and increase the potential for risk exposure. When IT is decentralized and shared, the business is responsible for the risk of adopting shared IT.
Contract Termination
The following are key elements to consider when you are in between the process of contract termination and new relationship planning: § Notification of termination § Exit strategy § Transition agreements § Off-boarding process § Return of assets
It is important for Third Party risk professionals to understand how emerging technologies and risks impact the vendor risk assessment process.
The following key scoping concepts are important when defining your requirements to scope an assessment.
Hybrid Cloud
The hybrid cloud is cloud services that are managed across a blend of external and internal providers. "Cloud bursting" is the term applied when daily needs are met in a private cloud and expanded dynamically as needed into a pre-determined public cloud hybrid use arrangement. Ex: Google Application Suite (Gmail, Google Apps, and Google Drive)
Inbound Supply Chain
The inbound supply chain is the pre-product supply chain where the outsourcer will identify and document all vendors, products, processes, and operations that are part of the Outsourcer's products and services.
Incorporate Metrics into Dashboards and Scorecards
The organization can develop metrics and reporting templates for TPRM program results at an individual assessment. They can also be created at a portfolio view of the risk assessment process' performance. Metrics can be based on volume or work performed, or include data points that demonstrate risk identification and mitigation.
Defined Business Impact Analysis (BIA)
The purpose of a BIA is to identify the potential impact of disruptive events to an organization's operations and processes. The BIA is a tool to identify and assess gaps that would prevent the organization from fulfilling its obligations. The BIA defines recovery priorities and resource dependencies for critical processes.
IT Risk Assessment
The purpose of a risk assessment is to identify gaps or problems that can happen to your information and operations. A risk assessment identifies the risks related to your internal environment. "Findings" are treated as areas of improvement. Risk assessments are a proactive process in risk management. Used to identify any gaps with the controls in place. Identifies areas of opportunity and risk. Identifies risk owners within the business. Assesses the potential impact of the risk. Assesses the likelihood of the risk. Rates the level of the risk. Decides whether the risk needs to be treated, mitigated, or accepted.
Remote Assessments
The remote assessment model has three primary components to assessing Third Party risk. There are questionnaires, documentation, and external assurance reports.
Components
The rules for what types of screening can be performed may vary by regulatory jurisdiction. Optional features may be based on industry (e.g., financial, healthcare, insurance, manufacturing) and must be assessed against applicable laws. Background checks or pre-employment screening components may include: Confirmation of work experience Drug testing (optional and where permitted by law) Verification of academic credentials Review of professional qualifications Certification and license verification Social media Character references Criminal records (if allowed by law) Sanction checks Credit worthiness
- Architecture and Interconnectivity, What you need to know:
The scope is based on network design, complexity, traffic, and number of connections. Risk can occur from misuse, mismanagement, or compromise.
Use of Standard Builds
The use of disparate systems and technology make security controls more difficult to implement and maintain. By creating a set of documented and approved configurations for technology, the organization can apply that same configuration across multiple computers in a controlled manner. Benefits of standard builds include efficiencies in patching and restoring systems.
Separation Procedures
These are assigned responsibilities for performing employment termination or change of employment.
Hostile and Non-Hostile Exits
These are specific requirements and escalation procedures for emergency or immediate terminations.
Audit functions must be independent from the lines of business.
They also may perform both "audits" and "advisory" work. Audit functions will need independent access to report findings and results to executive management and boards of directors.
Questionnaires
Third Parties complete questionnaires designed to provide information about how they develop and maintain the protection of information assets. Information gathering includes data, applications, systems, networks, facilities, and privacy programs.
Risk remediation should be resolved by the _____, while risk mitigation is managed by the _______.
Third Party business It is also important to identify the exceptions and "who" can authorize those exceptions.
Third Party Inventory
Third Party Inventory (in certain jurisdictions referred to as a Third Party Register) is a complete and accurate record of all Third Party providers and services. The inventory is a key requirement of the risk rating process and an important foundational requirement for the execution of a sound assessment process. Inventories provide an up-to-date record of all outsourcing relationships across an organization. The Third Party inventory contains a greater body of detail about each vendor than the Third Party risk register, which is a subset of the larger inventory.
The inventory should detail..
Third Party relationships that involve and support critical activities, as well as identify and track Fourth Parties (subcontractors) and affiliates being used to support the services provided. A complete and accurate inventory is a key requirement of the risk rating process and an important foundational requirement for the execution of a sound vendor risk assessment process.
It is important to understand the starting point and primary drivers for conducting a ...
Third Party risk assessment. These include critical level risks with outsourced products and services; "encouragement" from regulators; incomplete answers from Third Parties; potential loss of proprietary information and the financial impact; the bridging of networks and risks; and visibility of documentation that cannot be shared off-site.
Integrating Assessment Results into your TPRM Program
Third Party risk governance management reporting is the process of sharing assessment results, findings, and actions internally. After an assessment, the Outsourcer can utilize the templates to communicate results. Third Party risk assessment results can be leveraged to update vendor profiles, vendor classification, risk rating, monitoring actions, frequency of re-assessment, and remediation plans.
Enterprise Risk Governance
Third Party risk is just one risk focus area that may be included in an organization's overall approach to Enterprise Risk Management, or ERM for short. Risk assessment and treatment considerations for Third Party risk will incorporate a review of multiple components of the ERM program. When thinking about enterprise risk governance, think about both risk management and risk governance. Think about your IT risk assessment lifecycle and all compliance regulations. Think about the risk acceptance frequency and the TPRM program. And let's not forget service provider agreements and subcontractor oversights and processes.
Information needs to be compiled, analyzed, and monitored to understand all the interdependencies posed by...
Third, Fourth, and Nth Parties.
Incident Communication Management
This concept refers to the activities of an organization to identify, analyze, and correct issues; and to prevent a future re-occurrence. Within structured organizations, these issues are managed, communicated, and corrective action is taken by either an Incident Response Team (IRT) or an Incident Management Team (IMT).
Business Resilience Considerations
This should include an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business resilience planning for the entire business and should be formally documented and approved by senior management.
Technology-based systems and tools may include:
Threat intelligence feeds from external data sources Intrusion detection and prevention systems for networks and hosts End-point visibility tools Data loss prevention tools Log correlation and analysis tools File integrity tools Malware detection tools Network behavior analysis systems
3. Controls Evaluation and Testing
Tiered due diligence processes will identify techniques for controls evaluation and testing. Validation of key controls may be performed by reviewing specific evidence or performing sampling to confirm the implementation of controls.
Network Security Controls Evaluation
Today's virtual and remote work environments rely on wireless technology that require greater scrutiny, controls, and oversight functions. Organizations should implement more complex access controls for such higher risk connections. Network security policies should prohibit the installation of wireless access points without approval, and approvals should be included in the hardware or asset inventory. Encryption should be deployed with an industry-accepted strength based on the risk and type of data being exchanged. To minimize risk, organizations can deploy network access control (NAC) systems to prevent recognition of unauthorized devices. When evaluating the risk of using various data transmission protocols for the transfer of personally identifiable information (PII), care must be taken to include the strength of the encryption cipher and authentication method.
Monitor and Review Functions - define the tools and technologies you need to monitor and measure your programs success, as well as monitor changes in the risk posture of the different types of Third Parties. This include:
Tracking contract compliance Monitoring SLAs Measuring performance Conducting self-assessments or program evaluations Benchmarking Alerts and feeds from outside data points Program updates based on internal or external changes
Building a Business Case for TPRM Staffing Models... a robust business case statement requires:
Understanding the changes in the regulatory landscape Evaluating current staffing skills, certifications, and experience Doing the work of benchmarking TPRM programs Leveraging metrics to quantify the resource needs Effectively communicating the case
Risk Based Impact Ratings
We can use hurricanes and tornados to understand vendor classification and risk ratings. Using monitoring tools, weather experts measure the speed of winds and power of both hurricanes and tornados. Hurricanes may get "names" to communicate their arrival, but also are assigned a category level to convey the risk or potential damage. A Category 1 is considered a lower risk hurricane as compared to a Category 5. Weather experts use standardized criteria to assign the category based upon the hurricane's maximum sustained wind speed. The risk of harm is higher as the category number increases. Tornadoes are categorized on a F1-F5 scale based on the amount of damage that they can cause. Tornado experts use a standardized scale or measure to assign the risk rating of the tornado. Tornado classification assigns a potential harm rating as weak, strong, or violent to convey the type of tornado. The range of wind speed in the tornado can be measured to assign the tornado classification on the 1-5 scale.
Business Lines
We own the risk of the services being outsourced and are the business owners to approve the method of risk treatment
Legal
We provide standard contract templates and authorized clauses. We also review non-standard language to protect the company from risk or liability.
Third Party Risk Committee
We review the status of the portfolio of vendor relationships, and the status of risks, issues, and performance. We receive summary reports from the TPRM team on the status of due diligence and monitoring activities.
PII Minimization:
We should collect and process only the minimum amount of data required to fulfill the obligations stated at the time of collection. We should not use data outside of the parameters provided in our privacy notice
Accuracy and Quality:
We should maintain our data records so that they are up-to-date, complete, and relevant. The goal is to prevent inaccuracies in how our personal information is used. The type of data and specific purpose communicated for the use of the data can demonstrate how our organization addresses the privacy rights of individuals
Limit Collection:
We should only collect personal information in direct relation to the purpose outlined in our privacy notice
PII Retention and Disposal:
We should only retain personal data for as long as necessary to fulfill the stated purpose, or for the period required by law or regulation. Data security requirements for encryption of data at rest of in transit may be specifically required under data protection regulations. Data destruction methods should be performed securely to prevent unauthorized access or disclosure of personal information.
Forecasting and Planning Assessments
When managing assessments, build a forecast and resource allocation model to schedule, plan, and prioritize assessments. You must build a multi-year view that includes new & re-assessments. Adapt business needs based on changes in the landscape and policies. Managers of Third Party assessment programs will likely notice "peaks and valleys" in their re-assessment schedules as they start to plan timeframes for re-assessment. Since most organizations don't assess every Third Party at the same interval, assessments will be spread unevenly over a period of years, based on the risk rating of the outsourced activity, regulatory changes, and changes in the environment.
Vulnerability
When security defects are left un-remediated, they can manifest into vulnerabilities as the application is compiled and migrated to production. This can turn into a major problem for organizations.
Managing Information Assets Throughout their Lifecycle
When thinking about data security and protection, you must also think about when older systems, both hardware and software, need to be replaced.
Assessment Results Reporting: Results Tracking
When tracking results, assessment metrics should be included in dashboards and scorecards. Closure of findings should be monitored and tracked, while remediation planning will define the frequency, audience, and target dates for progress reports. Escalation protocols for non-remediation of findings is based on the risk acceptance criteria and treatment policies at the Outsourcer.
Complete the analysis based on _____ company's risk tolerance
YOUR
Due Diligence
You can define due diligence standards using a risk-based approach based on the risk categorization of the relationship. This includes utilizing existing corporate requirements for IT security and data privacy (as if it was an internal project); regulatory requirements; and industry standards. Decreased due diligence requirements for lower risk categories data; increased due diligence requirements for higher risk data
Assessing Needed Skills and Expertise for the TPRM Program
You must define the resource requirements needed to build and maintain the program. For this, you need the right skills, competencies, experience, and the required and desired certifications.
Asset Inventory Management
You must develop and maintain a formal asset management and classification structure to ensure that information security, data protection, and privacy controls are designed and operated properly. The asset management program should be approved by senior management and communicated to all appropriate personnel.
Preventative Program Components
You must have preventive program components to reduce the likelihood of impact to operations. Processes include monitoring of outbreaks, employee education, communication with critical service providers and suppliers, and providing hygiene training and tools to protect the safety of employees and customers.
3. Documents and Dates
You must request specific documents for review in advance, or gain access to the service provider portal to review artifacts prior to the assessment (e.g., BCP plan, DR test results, security policies, pen test results, code review results, etc.) Set specific dates and times for the assessment.
Incident Response Plan Assurance
You should define and maintain notification procedures for both client and customer notification. Develop plans to test and evaluate the program via self assessments, tests, and an audit. Be sure to monitor external incidents and events to incorporate learnings for process improvement. Think about this, about 3.5 billion people saw their personal data stolen in two of the top 15 biggest breaches of this century. A good incident response plan is needed to handle these situations.
A Risk Assessment Program describes the..
actions, processes, and structures by which management accountability is exercised and decisions are taken and implemented. Let's look at best practices for mature risk management in TPRM.
A third Parties risk environment can be influenced by ...
adding additional Fourth Parties; changes within the Fourth Parties; shifts to the threat landscape; Third Party mergers and acquisitions; changes in location and material processing; and announcements or information that might indicate changes or potential changes to the financial health, risk posture, and resiliency of the organization.
Changing risks, evolving regulatory expectations, increased costs, and lack of experienced resources...
are all challenges that impact TPRM resource needs
Evergreen contracts
are contracts in which both parties have agreed to automatically renew the contract after each maturity period, unless formally terminated under the existing provisions of the contract.
In order to determine the risk posed by a vendor, the outsourcer needs to..
assess the types of risk and risk factors that couple be important to the relationship. Outsourcers should fully understand the inherent risks presented by outsourced operations, both at a service specific level and in the aggregate
When thinking about BCM, remember that the definition of the program will include...
clearly defined expectations and board and senior management responsibilities; alignment to the overall risk appetite; defined levels of continuity that are consistent with criticality; competent management; and adequate resources to implement the program.
Outsourcers should have a ....
coherent, coordinated, consistent process for both incident and issue management. This approach requires well-defined and regularly tested procedures for escalation, reporting, notification, and resolution. Incident and issue management planning and training should follow predefined policies, processes, and procedures throughout the incident and issue management lifecycles.
During the Assessment, the Risk Assessor will ...
conduct interviews with subject matter experts (SMEs) at the Third Party location or via teleconference for remote attendees. The Risk Assessor should recognize the difference between a SME and a control owner. During the assessment, the Risk Assessor should clarify roles for participation and confirm any subcontractors' SME participation protocols.
Privacy
controls focus on the context of the data, including collection and use. Remember that what is critical is the appropriate or authorized use of the data.
A Third Party should have an internal audit, risk management, or compliance function responsible for identifying and tracking resolution of compliance issues. Keep the following in mind when thinking about audits: ...
corporate policies, legal obligations, regulatory requirements, industry requirements, and contractual obligations.
Organizations should implement a formalized asset management program that includes a ...
data classification process, which is a process for documenting and maintaining an inventory of hardware, software, information assets, and connections. The documentation relevant to each asset should include an organizational owner who is responsible for the asset throughout its life cycle.
When we say Operations Management, we are talking about the..
day to day running of the IT and security infrastructure
Cybersecurity incident management involves not only...., but ..... and ....
detection; response and communication
The organizational function that identifies the need to outsource an activity should......
determine the inherent risk associated with performing that activity. The inherent risks identified will then determine the type and level of due diligence and control validation to be performed to mitigate the risks associated with the activity.
Risk assessments provide insight into management's commitment to..
governance and the ability to make risk-based decisions Effective risk governance should provide the operating model and decision-making framework needed to identify and respond to risks. Risk governance starts with ongoing processes to identify, assess, manage, and communicate risk, including the approaches for risk treatment.
Mobile Application Management (MAM)
is an industry term that describes software and services responsible for provisioning and controlling access to internally developed and commercially available mobile apps used in business settings. MAM applies to both company-provided or "Bring Your Own Device" for smartphones and tablets. MAM provides granular controls at the application level to enable system administrators to manage and secure applications or application data.
Governance and risk management are structured by..
key risk control focus areas that incorporate the polices, standards, and procedures that organizations establish based upon their operating model and overall approach to risk. Each of these risk topics may be structured into formalized compliance programs based on the maturity of the organization.
When conducting a Third Party assessment, a critical component in the scoping of the vendor relationship is the....
knowledge of types of personal data or personal information (PI) that is relevant for the types of services provided.
Some organizations adopt the Control Objectives for Information and Related Technologies (COBIT) framework to ..
leverage its control objectives, metrics, and maturity models. COBIT has recently aligned its naming conventions for certain control objectives to established ITSM process names. From an international perspective ISO/IEC 2000 is an international standard for managing and delivering IT services.
Understanding Supply Chain Risk Management: The supply chain is a ...
linked set of resources and processes among multiple tiers of organizations that acquire goods, services, or resources. This is done in order to source products and services and extend their life cycle. There are different perspectives for looking at a supply chain.
Security Operations Team Function
may be centralized, distributed, or outsourced these functions need to be appropriately staffed and supplied with sufficient technology for incident detection and response activities
Specialized Assessments
may be focused on very granular sets of needs or requirements. Certain regulations may require a "deep dive" on unique compliance obligations. A specialized assessment in a focused area of regulatory compliance is more like an audit. This category of assessment is used only for a subset of Third Party relationships.
The contractual relationship between parties..
may provide specific obligations, recourse, or timeframes for the resolution of findings and issues. Failure to cure or resolve significant findings may trigger penalties and can lead to contract termination.
Resiliency requires focus in ....
multiple areas when integrating business continuity and disaster recovery approaches into an overall BCM Program.
Questions for Securing Devices: When considering how an organization manages device security, consider the following:
o 1. Are all assets inventoried with ID or tracking capabilities? o 2. Are stolen assets reported to law enforcement by serial number? o 3. Does the company require security software to be current on all devices? o 4. Can users bypass or override security settings by the company? o 5. Is there an expectation to remove or delete unused applications? o 6. Does the organization require pin code or touch identification to unlock devices? o 7. Are users expected the disable Wi-Fi or bluetooth when not in use? o 8. Does the device require password protected screensaver? o 9. Is data encrypted and backed up?
Defined Program Goals - Clearly defined strategies, goals, and objectives should be established for the TPRM program. Be sure to clearly communicate what the program should do or accomplish in business terms.
o Develop: Develop a communication plan to tell the vendor risk "story" internally. o Demonstrate: Demonstrate alignment of effective vendor risk controls to enable the organization to achieve its strategic objectives. o Set: Set realistic expectations for risk management. o Identify: Identify internal links to other stakeholder groups, policies, or processes. o Assess and Validate: Assess and validate that you have sufficient resources to achieve the goals set in the policy. o Measure: Measure program elements for each phase of the Third Party lifecycle.
Policies, standards, and procedures for TPRM programs incorporate requirements across multiple Third Party risk disciplines in order to achieve the objectives outlined in the Program Governance model. The requirements of policies, standards, and procedures include the following:
o Inventory requirements o Due diligence standards o Vendor classification o Assessment frequency o Findings and corrective action criteria o Corporate requirements o Contract management o Vendor management o Termination or exit
Emerging risks include
o Legal threats and regulatory actions o Evolving regulatory and compliance landscape o Data events at vendor locations o Reputational Risks o Financial Stability o Emerging technology and innovation (5G, IoT, AI, etc) o Sophistication in cyber-attacks, including nation-state attacks o Uptick in geopolitical risk; threat of industrial espionage and sabotage o Increasing environmental (climate, pollution) risks o Threat of pandemics
Control areas for cloud environments include:
o Multi-Tenancy o Concentration risk o Agile delivery o Virtualization and containerization o Cloud providers and locations o Legal and privacy o Roles and responsibilities o Identity and log management o Application security o Vendor governance and interdependence o Data retention, management, recovery, and destruction o E-Discovery and forensics
Example metrics include
o Planned vs actual assessments performed o Number of vendors by risk tier o Red/Yellow/Green status for each vendor and risk tier o Total number of high-risk subcontractors o Contract review metrics o Year-over-year comparisons o Average timelines for remediation or risk closures o Risk identification and mitigation trends o Number of Business Impact Analysis (BIA) in place with regular updates o Contingencies due to the past 30/60/90/>120 days o Number of regulatory reports with findings o Certifications required (e.g., ISO, PCI, etc.) o Number of documented data breaches o Number of cyber incidents with business impact
The Institute of Internal Auditors based the updated Three Lines Model upon six foundational principles:
o Principle 1: Governance of an organization requires appropriate structures and processes that enable accountability, action, and assurance o Principle 2: Governing body roles ensure appropriate structure and processes are in place for effective governance o Principle 3: Management's responsibility to achieve organizational objectives comprises both first- and second-line roles. First-line roles are most directly aligned with the delivery of products and services to clients of the organization and include the roles of support functions. Second-line roles provide assistance with managing risk. o Principle 4: In its third-line role, internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It may consider assurance from other internal and external providers. o Principle 5: Internal audit's independence from the responsibilities of management is critical to its objectivity, authority, and credibility. o Principle 6: All roles working collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders.
Process components may incorporate:
o Re-certification and questionnaire response updates o Tracking Key Service Level Agreements (SLAs) and contract provisions o Validating the financial condition of the service provider using data feeds o Using software solutions to scan the cyber-hygiene of the vendor o Leveraging software and technology to provide alerts and analysis o Evaluating the general control environment of the Third Party through the receipt and review of audit reports and other internal control reviews
Within contract management, changes to the threat landscape and regulatory expectations are causing greater focus on the following areas:
o Right to audit, assess, and monitor o Material changes to Fourth (Nth) Parties /sub-outsourcer relationships o Risks surrounding emerging technologies (IoT, AI, 5G, Robotics, etc. o Geopolitical, environmental, pandemic, and other infrastructure risks o Recovery and backup requirements for business functions o Insurance coverage related to Third Party business resilience o Establishment and renewal of evergreen contracts o Mergers and acquisitions (M&A) activities
Both functions work together while procurement is more focused on the __________ . Strategic sourcing team members take a more ________ to manage risk, analyze spend, define the vendor strategy, and qualify suppliers. Strategic sourcing teams will often negotiate and manage contract terms based on predefined contract templates that incorporate company requirements.
operational tasks and activities of fulfillment; strategic approach
In this model, the structure of assessing the physical security of a location starts from the ...
perimeter or external environment of the building, and moves inwards until you reach the center or restricted areas in the building.
TPRM program reviews must include the evaluation of both
periodic assessments and continuous monitoring
Monitoring techniques use a combination of..
periodic, continuous, or real-time monitoring processes
TPRM and Managing Risk. The TPRM process evaluates and compensates for...
potential threats stemming from the use of Third Parties (agents, affiliates, vendors, Fourth Parties, and beyond in some instances) that support an Outsourcer's organization in order to better meet the organization's strategy and business objectives.
it is important that Outsourcers and service providers monitor changes in the regulatory landscape for BOTH ..
privacy and security as changes can impact each function. you can have security without privacy, but you can't have privacy without security. Security controls focus on three concepts called the triad.
Factors that Trigger Changes to Risk Tier or Monitoring: A vendor's assigned risk tier can change based on the...
results of assessments or by changes in the environment. An organization may adjust or make changes to their defined risk tiers based on changes in scope, risk, or updated due diligence standards. These changes can impact where a particular vendor is slotted into the vendor classification hierarchy. The TPRM program should define the types of events that can create a change to risk tiers or monitoring requirements.
An acceptable use policy is a ...
set of rules applied by the owner or manager of a network, website, service, or large computer system that restricts the ways in which the network, website, or system may be used. It may include password management, software licenses, and online intellectual property. It may also include basic interpersonal etiquette, particularly in email and bulletin board conversations. It should also clearly define the sanctions applied if a user violates the policy.
Management reporting may be as basic as capturing and reporting operational metrics, or status of open assessments or findings. Management reporting can be logged in ...
spreadsheets, status reports, or in compliance software programs. TPRM programs for larger, more complex organizations may include the use of formalized risk metrics known as KRIs and KPIs.
When defining and documenting standards for mandatory contract language and provisions, there are a few elements that must be included. This includes...
standard contractual language for required privacy; security; incident response; business continuity; and IT audit, inspection, and continuous monitoring provisions. This would also include organizational requirements for mandatory contract language and provisions, including appropriate performance-based contract provisions (service level agreements, key performance indicators, key risk indicators, etc.) Lastly, include a process to update mandatory provisions based on changes in the threat landscape.
Standards
standards are what you execute. They are how you take action in order to enforce policies. Corporate standards for risk tiers, ratings, and classifications should be established. It is important to consider all relevant regulatory guidelines and industry standards and best practices when setting your own standards. Standards are tangible and specific; you can measure if the particular standard is met. Standards should be separate from policies to facilitate updates and revisions over time. standards should be implemented by comprehensive guidelines and procedures.
Program Governance
starts with aligning TPRM to the organization's risk culture to ensure that the requirements for risk-based vendor management are defined and communicated to the organization. Consider the following when thinking of program governance: Tone at the top Risk posture Risk tolerance Risk management methodology Risk acceptance process Exception approval process
The number of metrics provided for each Level of reporting indicates how granular each level of management would be in defining its criteria for the organization's risk appetite framework. Board level metrics (practitioner and business unit metrics) would be more s________, and executive management would be more _______. Actionable risk tolerance metrics must be included.
strategic; refined and specific
DFDs are used by..
systems analysts to design information systems, and by management to model the flow of data within organizations
- Scalability Risk:
the TP may not be able to support growth or spikes in demand without service failures or decline in performance
Compliance Risk:
the TP may not be in compliance with applicable laws, regulations, or contractual obligations
It is essential that you assess your TPRM process;
the changes impacting your requirements and operational results; and gather information about program performance. In this sense, think of the performance measures; operational metrics; vendor management KPIs and SLAs; risk management metrics; issues and corrective actions; and resource planning.
An overview of the assessment process is needed to clarify the importance of pre-assessment planning and preparation; the proper sequencing of assessment workflow steps; the expectations of each party; and how to best foster ...
the working relationships between the Outsourcer, the Third Party being assessed, and the Assessor.
Effective management reporting provides a..
top-down, bottom-up work product at each of the three levels within an organization.
The risk rating is a model to categorize and structure the associated risks or possible impacts based upon the scope of work or services a third party provides - Risk Rating Factors: Risk ratings drive the level of due diligence and control testing. Let's look at this in 3 parts:
§ Data: Classification; Condidentiality; Availability; Integrity § External: Location; System Access; IT Environment; Availability § Regulations: Product/Service; Business Model; Industry; Fourth/Nth Parties
- Risk Ratings should be based upon the magnitude and probability of the residual risk under consideration - What is the severity level? - 4 Key Points:
§ Third Party risk classifications should be based upon predefined criteria and applied consistently § Update risk rating based on periodic assessments and continuous monitoring § Conduct assessments when provided services change and result in increased risk § Re-evaluate resource allocation when provided services change and result in decreased risk
Robust Program
- A robust TPRM program receives strong partnership from the governing board and the C-suite to ensure that critical resources are available. It should be housed in an integrated, enterprise-wide TPRM environment that provides a single source of truth around risk-related processes and reporting.
Third Party Risk Analyst Perspective
- As a Third Party risk professional, it is important to understand these distinctions and "why" they are important in TPRM. Your role is to define control requirements and assess Third Party relationships to those requirements. You need to be aware of any absent, or failing controls that do not meet your organization's standards. You rely on the Third Party risk assessment process and risk assessors to identify and assess the controls in place to mitigate inherent risk or accept the remaining risks after understanding the vendor's control environment.
Target Residual Risk
- The amount of risk that an entity prefers to assume in the pursuit of its strategy and business objectives, knowing that management will implement, or has implemented direct or focused actions to address risk severity.
Differing assessment procedures improve efficiency and effectiveness:
- Virtual, Collaborative, Open House
Data Flow
Access of Personal Data --> Processing of Personal Data --> Storage & Retention of Personal Data
1. Which pandemic influenced trend is LEAST likely to have been a factor in changing due diligence requirements for vendors? a. Ransomware b. Virtual workforce and vendors c. Extended network endpoints d. Rise in monitoring solutions
Answer A: Ransomware as a trend has increased due to shifts in the threat landscape. In an assessment, you may assess a vendor's readiness to respond to an attack, but you would focus on secure data recovery techniques. If answered B: Virtual workers and virtual vendors impacted the type of assessment, method of due diligence, and risk factors like remote access. The shift to virtual assessments was triggered by pandemic limitations. If answered C: Remote workers and remote vendors directly changed the footprint of the environment to be assessed. The shift to virtual work and remote access triggered a focus on a zero-trust methodology. If answered D: The extended endpoints of the enterprise triggered a rise in the use of monitoring solutions for access, activity, and data loss prevention. Monitoring functions can be used internally or for specific third party risk focus areas.
1. Which risk is LEAST likely to result from inadequate due diligence of third parties within the Merger and Acquisition process? a. Financial impact due to lack of contract negotiation for prior seller data loss events b. The potential for malicious code to be introduced through the supply chain by unidentified vendors c. Inherited liability for post-close breach disclosures from third parties d. Attempts to infiltrate the supply chain by tampering with hardware
Answer A: The lack of negotiation on financial impact, liability, or indemnification are risk factors in M&A, but do not directly result from inadequate due diligence of third parties. In M&A, the buyer assesses the controls of the target, but negotiates the financial transaction based on the type of structure that defines liability for prior events. If answered B: Assessment of controls regarding malicious code may be important based on the nature of the company being acquired and the dependency on the use of code and downstream suppliers. M&A due diligence is risk-based and focuses on the nature of the services being acquired and the extent of third party relationships in the supply chain of the target company. This should be disclosed in the vendor inventory. If answered C: Inherited liability is based on the type of acquisition and also the level of due diligence performed regarding the extent of the acquired company's oversight of third parties. A company with immature third party risk practices will trigger more risk potential for the acquiring company for unknown or undetected vulnerabilities. Inadequate due diligence of TPRM may create risk or lack of appropriate contract provisions to address potential liability. If answered D: Supply chain risk may be triggered by lack of oversight of hardware components for certain types of vendors or suppliers. M&A due diligence for third parties should be based on the nature and type of services being outsourced and the functions of the acquired company that are to be integrated into company operations.
1. Which statement best defines the distinction between a standard and a framework? a. Standards and frameworks are synonymous since they are both voluntary. b. A standard is clearly defined, rigid, and universally accepted as the best method for addressing a specific topic, while frameworks are flexible and allow for adaptation. c. Frameworks are self-regulatory, while standards are created solely by technology associations. d. Standards can be adapted to each organization's needs, while frameworks are not customizable.
Answer B: Standards are measurable and distinct. Within a standard, there is typically one accepted way of accomplishing the task. Frameworks outline a broad perspective of interlinked items in a field of practice. Frameworks are used to organize control concepts which simplifies communication to management. If answered A: Standards and frameworks are not the same concept even if voluntary. Organizations can align TPRM to external standards and create their own internal standards that align to a policy. A framework is more conceptual in how the TPRM program may organize policies and procedures but do not get at detailed configuration requirements. If answered C: Frameworks can be created for both technology but also non-IT risks. Frameworks organize concepts around common topics, and can be used for privacy, ESG, or many other control topics. If answered D: The opposite is actually true. Standards are distinct and measurable to enable the quantification of the gap to the desired control. A framework is adaptable to align to the organization's approach to risk. It organizes the business context of a particular risk focus area.
1. Which event timeframe is the LEAST effective timeframe to perform due diligence? a. During the vendor selection process b. During the onboarding process c. After contract negotiation and execution d. Cyclically during the relationship
Answer C. Conducting due diligence AFTER the contract is executed creates a gap in the ability to include specific criteria or requirements in the contract. Gaps identified may then require changes to contract terms, and the outsourcer has lost leverage with the vendor at this phase of the contract lifecycle. If answered A: Preliminary due diligence may be performed during vendor selection as part of the RFP. After vendor selection, more thorough due diligence should be performed to identify control gaps or areas for contract negotiation. If answered B: Onboarding due diligence may include controls evaluation based on decisions made for implementation of the new relationship. Assessing controls for application security or application integration may be a part of onboarding as decisions are made for system access, remote access, or network connectivity. If answered D: Due diligence may be conducted at any phase in the relationship based on standards or changes in risk. Due diligence standards and prior assessment results define the timeframes for periodic due diligence.
1. Which of the following does NOT reflect an attribute that defines an organization's risk tolerance? a. The organization's willingness or readiness to bear a risk after treatment b. How an organization measures what risk it is willing to assume in order to achieve its business objectives c. Risk tolerance is defined by legal or regulatory requirements d. The amount and type of risk an organization will accept
Answer C: Risk tolerance is defined as the level of risk the company can accept after certain actions are taken. Tolerance can be influenced by legal or regulatory obligations, but laws and statutes do not define risk acceptance criteria or thresholds. If answered A: Risk tolerance is based on the willingness of the organization to accept a risk. The remaining level of risk to be accepted is a reflection of the culture of the company. If answered B: Risk tolerance and risk appetite can be measured by identifying the impact of tangible or potential outcomes. Metrics are a component to determine how much risk an organization is willing to accept. If answered D: Risk tolerance can be based on different types of risk. An organization may have a higher risk tolerance in less regulated lines of business, but take a more conservative approach in products or services subject to external examination or inspection.
1. Which statement best describes how data protection regulations impact Third Party risk in today's environment? a. While some best practice frameworks recommend assessing Third Party security compliance, there are no regulations requiring that Third Parties be assessed for compliance. b. Most data protection regulations focus on consumer rights and principles and have little impact on the IT control environment or infrastructure. c. Data protection regulations are not as significant as emerging technologies in changing Third Party risk expectations. d. Data classification may be based on the privacy context of the data subject and the business model. Specific regulations will define distinct data protection requirements that apply to Outsourcers and service providers defining expected controls for privacy and security. Regulations are evolving to address changes in emerging technology.
Answer D: Data protection encompasses both privacy and security. The type of personal information involved in a service will trigger different regulatory obligations that impact how Third Party risk is assessed. If answered A: Certain regulations define requirements for assessing Third Party risk and certain industries require formal audits or examinations for compliance. For example, in healthcare and financial services, formal examinations are performed by the regulators and include inspection of Third Parties. If answered B: While data protection regulations may include notices or rights for individuals, delivering on those obligations require maturity in data governance, data mapping, and data flows which have significant IT implications to enable compliance. If answered C: Data protection regulations may be jurisdictional, industry, or service and technology based. Technology does evolve faster than regulations given the pace of change. Regulations provide the guidance on the expected use of new technology that defines the obligations of the Outsourcer, Third Parties, and Fourth Parties.
1. Which list identifies factors that may be considered environmental hazards in ESG? a. Sustainability, energy use, climate change mitigation, and adaptation b. Management structures, employee relations, executive remuneration, and compliance c. Inequality, inclusiveness, labor relations, and human capital d. Heatwaves, water availability, floods, and wildfires
Answer D: Environmental hazards are external factors that create risk due to changes in the external environment. All of the items listed are external factors the company cannot directly control. If answered A: This list focuses on environmental factors that can be influenced by internal company actions. A company can take a position on how to address sustainability in their operations but cannot influence environmental hazards like floods or wildfires. If answered B: This list focused on the governance factors in ESG that are internally driven. Governance is influenced by company culture, values, and risk posture and are based on internal factors. If answered C: This list focuses on the social aspects of ESG risk. The social element of ESG is focused on people, personnel, and relationships.
1. Risk based classifications and criteria for outsourced services should be developed based on the risk they present to the organization. Each statement about a mature classification would be accurate, EXCEPT: a. Third Parties should be risk-tiered based on the inherent risk of the services provided. b. Classification is at the service level based on Inherent risk (critical, high, medium, low). c. Mature classification is assigned an Assurance Level or Tier (1-Critical/High, 2-Essential/ Medium, 3-Basic/Low, etc.). d. Classification is based on the number of resources available to conduct the assessments.
Answer D: Vendor classification should be based on risk and risk acceptance, not resource allocation. A common challenge is that organizations may set a policy that defines more stringent expectations than resources can meet. But that is a compliance issue. If resources are not available, that is a new risk to bring back for risk treatment, or to justify a business case for additional resources to close the gap. If answered A: The starting point of a vendor risk classification is based on the nature of the services outsourced and the potential impact to the company in the absence of controls. If answered B: Once the potential risk is identified, the classification structure should define the criticality or severity of that risk using terminology that clearly conveys the tiering of the risk. If answered C: Based on the presented risk tier, due diligence requirements for that tier define the assurance levels of the scope of due diligence to be performed in order to assess the risk in the Third Party relationship.
1. Which statement best reflects an accurate description of the roles and responsibilities contained within the "Three Lines of Defense" model? a. Only the second line of defense is involved in managing regulatory compliance risks. b. Management's responsibilities comprise both first and second-line roles, while the third line of defense functions are independent from the business unit and should provide objective assurance to the organization's governing body. c. The first line of defense is compromised of the company's clients or customers. d. The model provides a rigid structure of the lines of accountability and the roles as defined in the organizational structure.
Answer: B. Management plays a role in both the first and second line as they own the accountability for how the risk is addressed. Management uses functions like audit or assurance to provide independent reviews of their risk mitigation approach, including accurate reporting of risk to the C-Suite or Board of Directors. If Answered A: All three lines play a role. The first line owns the risk, as well as the products and services with specific regulatory compliance obligations. If Answered C: The first line is the personnel within the business that is providing the products and services to the customers. The first line owns the revenue or profit/loss for the product or service. If Answered D: The model is flexible and is based on risk management and governance. The model provides a framework for organizational functions based on the size and complexity of the company.
1. Risk is the likelihood that unplanned events will occur and impact the achievement of strategy and business objectives. Residual risk is defined as: a. The risk level or exposure that exists before any actions (e.g., implementing controls) are taken, or might be taken, to mitigate the risk. b. Risks that can be described qualitatively in terms of magnitudes in relation to other similar events or states. c. The remaining, potential risk after all mitigation and control measures are applied. d. Risks that can be demonstrated quantitatively using mathematics and actual historical data or predictive data modeling.
Answer: C. Residual risk is the risk that remains after compensating controls or mitigation efforts. The remaining risk then needs to be evaluated for risk acceptance or treatment options. If answered A: This statement describes inherent risk. Inherent risk is the risk level or exposure that exists before any actions ( e.g., implementing controls) are taken, or might be taken, to mitigate the risk. If answered B: This is an example of qualitative risk. Evaluating risk in this method typically provides a high, medium, or low rating to the risk using judgement. If answered D: This statement defines quantitative risk where the impact of the risk can be specifically measured using formulas and methodologies.
1. Which statement provides the best definition of the difference between vendor management and vendor risk management? a. Vendor management is primarily a procurement function of supply chain management. b. Vendor risk management is a function performed by the company's internal audit department, while vendor management is handled by the contract team. c. Vendor management takes an operational focus on controlling costs and performance based on contract terms. Vendor risk management adds additional risk assessment and controls assessment to that foundation, addressing multiples types of risk that are typically tracked in an Enterprise Risk Management Program. d. Vendor management and vendor risk management are interchangeable terms.
Answer: C. Vendor management is a narrow focus on managing the relationship, while vendor risk management adds to that focus additional layers of oversight to what Third Party risks could impact the organization. If I answered A, explanation was: The organizational alignment is not the attribute that creates the difference in the terms. The difference is in the scope and nature of the functions performed. If I answered B, explanation was: The reporting structure is not the attribute that creates the difference in the terms. Internal audit may perform a review of the functions as part of their independent assurance role. If I answered D, explanation was: Vendor management is a subset of vendor risk management. Vendor management is a narrow focus on managing the relationship, while vendor risk management adds to that focus additional layers of oversight to what Third Party risks could impact the organization.
1. Availability of a vendor's service is an important component in determining both inherent and residual risk. Which factor would be LEAST LIKELY to be an input to establishing availability requirements? a. Identify the impact of vendor downtime on the delivery of services to your customers. b. Estimate the impact on company revenue for each period of downtime. c. Determine the impact on your company's reputation from each period of downtime. d. Estimate the financial penalty or fine to be assessed for each outage of service delivery.
Answer: D. An Outsourcer may include fines or penalties for performance failures. Availability reflects the timely and reliable access to, and use of information or functions. The penalty is applied for failures after the fact, but does not itself define the requirements for recovery. If Answered A, explanation was: The inability to deliver services to a company's customers is a direct factor in defining the recovery time objective for a Third Party vendor. If Answered B, explanation was: Quantifying the potential lost revenue is a direct input in defining the recovery time objective for a Third Party vendor. If Answered C, explanation was: The potential risk of negative publicity for service disruptions can impact client and customer relationships and should be assessed to establish both recovery point objectives and timeframes for service restoration.
Ongoing Monitoring
Applies oversight against contractual requirements, with reporting to appropriate levels of the Outsourcer's management. Monitoring should be adapted as needed over the life of the relationship. In addition to point-in-time and continuous monitoring, a periodic TPRM program is an essential exercise. Insights from this phase are developed in the planning phase of subsequent cycles.
Third Party Risk Analyst Perspective
As a TP Risk professional, I must know and understand "Who is doing what?". Roles and responsibilities must be clearly defined for TPRM. I need to ask and assess "How does this fit into our enterprise policies?" I need to create a risk management framework to focus the approach. The structure should be the right size based on risk. I must consider the following: o Identify emerging risks that affect my program o Determine frequency of review o Identify the level of formality/documentation that I need o Identify the key processes in scope for my governance model
ESG
Environmental, Social, and Governance
Termination
Exit or Termination Strategy utilizes a pre-defined exit strategy and comes at the end of a contract, through cause or identifying a contingency approach. Exits or terminations may be defined as hostile or non-hostile, depending on the drivers for discontinuation of the relationship. Hostile exits require additional risk mitigation focus. Contingency planning for unexpected terminations, if the activity needs to be continued, requires activities that are evaluated for transition to another TP or to bring the activity in house. Handling of the destruction or retention of intellectual property (IP) introduced during the relationships must be accounted for during the termination process. Agreements on handling of any residual data should be defined in the contract or transition plan.
Identifying and Assigning Levels of Confidentiality: Healthcare
Healthcare data classifications tend to be structured based on the level of patient information contained in the record, and the level of sensitivity of the information to the individual. Records that include specific diagnosis, genetics, or psychiatric/substance abuse information require stronger controls to prevent unauthorized disclosure.
Vendor Management
In vendor management, the viewpoint is operations-based. The organization will focus on issues or service delivery complaints. This involves cross-functional resources to collaborate on defining requirements, contract terms and provisions, and key metrics that define the relationship.
Vendor Risk Management
In vendor risk management, the viewpoint is risk-based. The organization will focus on risks and threats. Just like in vendor management, these processes involve cross-functional resources to collaborate on defining requirements, contract terms and provisions, and key metrics that define the relationship.
Contract Negotiation
Includes clearly defined expectations, formalizing control requirements, and how any control weaknesses identified during due diligence will need to be addressed. Procedures; processes; monitoring rights and expectations; notifications; and other internal and external communication requirements are addressed during this stage before onboarding. Contracts and addendums can be developed to allow for modification as needed over the life of the relationship.
Industry Sector Guidance
Industry sectors that are more highly regulated have designated governmental agencies or functions responsible for oversight of participants in that industry. These entities publish guidance that creates requirements and obligations for both Outsourcers and SPs within each respective industry. IN some sectors, like financial services and healthcare, there may be formalized audits or examinations to assess compliance for TP SPs.
The risk associated with an outsourced activity takes many forms
These include the specific risks associated with outsourcing, including but not limited to, financial stability, financial criminal activity monitoring, reputational, concentration, legal, country, operational, technology, and security.
By using this model as a guide for planning, development, implementation, and evaluation of its programs, ....
Outsourcers can gain a better understanding of the overall effectiveness of their own TPRM program.
When an organization decides to seek external assistance from a Third Party or establishes an internal dedicated entity (an Affiliate), to provide specific services and expertise, then that organization will leverage...
Outsourcing to enter into a contractual relationship to obtain those services. The development of optimal contract terms is a critical best practice in TPRM. However, contract terms should never replace oversight by the Outsourcer.
PHI is a subset of PII because ....
PHI is also linked to an individual. PII is considered PHI when linked with health information and is obtained by or on behalf of a health plan or health care provider (i.e., when a patient's name appears on a prescription.) PHI is not a defined as data classification under the EU's GDPR. Under GDPR, healthcare information about an individual is classified as Sensitive Personal Data.
Protected Health Information (PHI)
PHI is any individually identifiable health information transmitted or maintained in any medium. This includes demographic information that is created or received by a health care provider, health plan, or health care clearinghouse. The US Office of Civil Rights (OCR) is the examination body for compliance to PHI data; and guidance is issued under the US Health and Human Services (HHS) Agency.
Cardholder Data
Payment Card Industry Data Security Standard (PCI-DSS) sets obligations to protect this information.
Cardholder data is credit or debit card information that includes the ...
Primary Account Number (PAN). This is the payment card number that identifies the issuer and the specific cardholder account. Cardholder data may also appear in the form of the full PAN, combined with either the cardholder's name, expiration date, or service code (Three- or four-digit number on the magnetic-stripe that specifies acceptance requirements and limitations for a magnetic-stripe read transaction.)
Sensitive Data
Processing of special categories of "personal data" refers to the definition categories of Sensitive Personal Data that require additional levels of controls, approvals, and authorizations. This includes genetic data and biometric data where processing can uniquely identify a natural person. Sensitive personal data includes information regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, a natural person's sex life, or sexual orientation."
Quantitative Risk
Risk can be demonstrated quantitatively using mathematics and actual historical data or predictive data modeling. Quantitative risk relies on metrics that can be measured to identify potential financial impact, loss of customers, impact to operations, or impact to business processes.
Qualitative Risk
Risk can be described qualitatively in terms of magnitudes in relation to other similar events or states. For example, a rating of Low, Moderate, or High is a qualitative measure defined according to how an organization defines those magnitudes. The risk may also be described in terms of effect on operational or financial health. Risk can also be qualitatively demonstrated in terms of duration of impact and the magnitude of efforts required to recover normal operations or financial health.
Risk Treatment
Risk governance starts with ongoing processes to identify, assess, manage, and communicate risk. How an organization decides to handle a risk is called risk treatment. The company can take several courses of actions. This includes avoiding the risk; accepting the risk; monitoring the risk; transferring the risk; or mitigating the risk. Risk treatment describes how the organization will address the risk, which may be documented in a Risk Treatment Plan.
Types of Risks in Third Party Relationships
Risk in Third Party relationships can be looked at based upon process, technology, or external factors. Each type of risk requires processes for risk identification, quantification, prioritization, and mitigation. Risk in Third Party relationships may be viewed at the organizational level or at a product/service level. For TPRM programs, the fundamental point-of-view is to evaluate the risk based upon the function that has been outsourced.
Risk Tolerance
Risk tolerance is the measurement of the range of acceptable outcomes that convey the willingness of the company to bear the consequences of a specific risk.
Identifying and Assigning Levels of Confidentiality: Socio-Economic
Special categories of personal information have higher expectations for the level of confidentiality. For example, personal information that identifies racial origin, political opinion, religious belief, sexual orientation, criminal convictions, or certain healthcare concerns require stronger limitations on collection, use, and disclosure.
Personally Identifiable Information (PII)
The U.S. defines PII as a legal concept. It is any information about an individual, including any information that can be used to distinguish or trace an individual's identity. This includes name, social security number, date and place of birth, mother's maiden name, or biometric records. It also includes any other information that is linkable to an individual, such as medical, educational, financial, and employment information. The ISO/IEC defines PII as any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains, from which identification or contact information of an individual person can be derived, or that is, or might be directly or indirectly linked to a natural person.
Data Category
The data category is based on the identity of the owner of the data or type of data subject. It includes: Business information Personal information Employee information Company information Information of minors
First Line of Defense
The first Line of Defense consists of the lines of business who utilize the outsourced services. The business unit managers usually control the vendor relationship and may serve as the primary point of contact for gathering assessment due diligence and ensuring that remediation efforts are completed. They have ownership of the risks the business unit will accept.
Residual Risk
The remaining and potential risk after all mitigation and control measures are applied. There is a residual risk associated with each threat. It is the level of risk that exists with all of the necessary controls in place. Residual risk is the risk that remains after compensating controls or mitigation efforts. The remaining risk then needs to be evaluated for risk acceptance or treatment options.
- Inherent Risk:
The risk level or exposure that exists before any actions (e.g., implementing controls) are taken, or might be taken, to mitigate the risk. It is the amount of risk an organization can incur when there is an absence or failing of controls.
Established Risk Culture. The First step is to ensure that requirements for risk-based vendor management are communicated to the organization. Consider the following:
Tone at the top Risk posture Risk tolerance Risk management methodology Acceptance process and exception process
Ongoing Monitoring
allows outsourcers to gain ongoing insight into third party risk posture. Periodic Monitoring or Continuous Monitoring (CM)
Reputation or Brand Risk:
damage to reputation or loss of clients due to poor customer service, errors, processing delays, fraud, fines, etc.
Three Lines of Defense Model
determines how the TPRM Program aligns with the Three Lines of Defense for risk management within the organization. While TPRM usually resides in the second line, establishing how it interacts with the other two lines of defense is critical.
By categorizing risks based upon IMPACT and LIKELIHOOD, organizations can focus ...
their controls evaluation and resource allocation on the more important risks
