Effective Third-Party Risk Assessment – A Balancing Process

The vendor risk assessment is the lynchpin of every effective third-party risk management program. In theory, the essential components of an assessment are easily determined. However, in practice, the ability to effectively understand and assess third-party controls usually conflicts with the resources available to perform the assessments, and is further handicapped by the need to rapidly conclude assessments so contracts can be finalized and projects begun.

All too often this results in assessments that are performed based on resource availability and time rather than an appropriate review of required security controls.

Adding additional complexity is the growing pressure to expand third-party assessments. Regulatory agencies have significantly increased third-party assessment requirements. The U.S. Office of the Comptroller of the Currency (OCC) now requires companies to look at the entire vendor lifecycle when managing third-party risk (OCC 2013-29). The U.S. Federal Financial Institutions Examination Council (FFIEC) recently added the requirement that companies include an assessment of their vendors’ business continuity programs as part of the assessment process (FFIEC Examination Handbook, Exhibit J). Healthcare regulators have also joined in requiring a thorough security risk analysis as part of the HITECH Act/Omnibus rules.

Industry standards are also increasing the focus on third-party security. PCI DSS 3.0 (12.8.2) and the latest versions of ISO 27001/2 require a comprehensive assessment of third-party security controls. NIST also requires that third-party information security risk be evaluated for NIST compliance (SP 800-39).
The very practical need for thorough third-party assessments is the fact that third-parties are increasingly targeted by criminals, and continue to be the primary source of breach incidents. Rather than attempt to breach the systems of large and usually well protected company networks, criminals look for the weakest link in the chain, which is all too often a third-party.

The growing demand for more comprehensive third-party assessments necessarily requires expanded resources, budgets and timelines for completion. These needs run contrary to very real budget and staff constraints, and the pace at which business units need to bring new (often web/cloud based) products and services to market. So, how do you satisfy the growing demand for more comprehensive assessments of third-party risk controls without substantially increasing the cost and time for conducting assessments?

The first step is to fully understand your assessment workflow, and identify all of your information requirements, both internal and external. Then identify those activities that are extremely manual in nature. The simple truth is that it is difficult, if not impossible, to effectively manage assessments in a manual environment. From initiating and collecting assessment information, to managing your workflow and providing a centralized repository for all assessment-related activities, there are a number of industry applications that can automate the assessment process and provide significant relief for overburdened processes and resources.

Also, make sure that you don’t reinvent the wheel. There are a number of existing assessment frameworks you can use to refine or jumpstart your program. NIST, Health Information Trust Alliance (HITRUST), and PCI all have framework controls and questionnaires.

To learn more, join us on 26 July for an ISACA webinar, titled Effective Third-Party Risk Assessment – A Balancing Process, on how to manage all of these competing requirements and develop an effective program for third-party assessments. We will discuss how to find the best methods to balance these competing demands, and key ways to enhance your assessment process so you can do more comprehensive assessments without increasing the time and cost of assessment due diligence.

Brad Keller, Senior Director of Third-Party Practice Lead, Prevalent

[ISACA Now Blog]