Third Party Risk

Third-party Risk Assessment

Every organization works with vendors

Payroll, customer relationship management, email marketing, travel, raw materials

Important company data is often shared

May be required for cloud-based services

Perform a risk assessment

Categorize risk by vendor and manage the risk

Use contracts for clear understanding

Make sure everyone understands the expectations
Use the contract to enforce a secure environment

Penetration Testing

Pentest

Simulate an attack

Similar to vulnerability scanning

Except we actually try to exploit the vulnerabilities

Often a compliance mandate

May include a legal requirement

Regular penetration testing by a 3rd-party

Very specialized
Third-party experts are well-versed

Rules of Engagement

An important document

Defines purpose and scope
Makes everyone aware of the test parameters

Type of testing and schedule

On-site physical breach, internal test, external test
Normal working hours, after 6 PM only, etc.

The rules

IP address ranges
Emergency contacts
How to handle sensitive information
In-scope and out-of-scope devices or applications

Right-to-audit Clauses

Common to work business partners

Data sharing
Outsourcing

Third-party providers

Can hold all the data
Manage internet access
Are they secure?

Right-to-audit should be in the contract

A legal agreement to have the option to perform a security audit at any time
Everyone agrees to the terms and conditions
Ability to verify security before a breach occurs

Evidence of Internal Audit

Evaluate the effectiveness of security controls

Have a third party perform an audit

May be required for compliance

It’s a good idea, even without industry standards

Check for security controls and processes

Access management, off boarding, password security, VPN controls, etc.
There’s always an opportunity for improvement

Perform at a reasonable frequency

A single audit isn’t very helpful in the long-term

Supply Chain Analysis

The system involved when creating a product

Involves organizations, people, activities, and resources

Supply chain analysis

Get a product or service from supplier to customer
Evaluate coordination between groups
identify areas of improvement
Assess the IT systems supporting the operation
Document the business process changes

Software update installs malware: March-June 2020

Announced December 2020 by SolarWinds
Malware deployed with a valid SolarWinds digital signature
At least 18,000 of 300,000 customers potentially impacted

Independent Assessments

Bring in a smart person or team to evaluate security and provide recommendations

An outside firm

Specialists in their field

They do this all day, every day

They’ve seen it all

And can provide options you may not have considered

Vendor Selection Process

Due diligence

Check a company out before doing business
Investigate and verify information
Financial status, pending or past legal issues, etc.
Background checks, personnel interviews

Conflict of interest

A personal interest could compromise judgment
A potential partner also does business with your largest competitor
A third-party employs the brother of the CFO
A third-party offers gifts if a contract is signed

Vendor Monitoring

Ongoing management of the vendor relationship

This doesn’t end when the contract is signed

Reviews should occur on a regular basis

Financial health check, IT security reviews, news articles, social media posts

Different vendors may be checked for different indicators

Quantitative and qualitative analysis

Assign a person to be in charge of the vendor relationship

They will manage the monitoring process

Questionnaires

An important part of due diligence and ongoing vendor monitoring

Get answers directly from the vendor

Security-related questions

What is the vendor’s due diligence process?
What plans are in place for disaster recovery?
What secure storage method is used for company data?
And more

Results are used to update a vendor risk analysis

Updated during the life of the vendor relationship

Agreement Types

Common Agreements

Service Level Agreement (SLA)

Minimum terms for services provided
Uptime, response time agreement, etc.
Commonly used between customers and service providers

Contract with an Internet provider

SLA is no more than four hours of unscheduled downtime
Technician will be dispatched
May require customer to keep spare equipment on-site

Memorandum of Understanding (MOU)

Both sides agree in general to the contents of the memorandum
Usually states common goals, but not much more
May include statements of confidentiality
Informal letter of intent; not a signed contract

Memorandum of Agreement (MOA)

The next step above a MOU
Both sides conditionally agree to the objectives
Can also be a legal document, even without legal language
Unlike a contract, may not contain legally enforceable promises

Master Service Agreement (MSA)

Legal contract and agreement of terms
A broad framework to cover later transactions
Many detailed negotiations happen here
Future projects will be based on this agreement

Work order (WO)/Statement of Work (SOW)

Specific list of items to be completed
Used in conjunction with an MSA
Details the scope of the job, location, deliverables schedule, acceptance criteria, and more
Was the job done properly? Let’s refer to the SOW.

Business Partners Agreement (BPA)

Going into business together
Owner stake
Financial contract

Decision-making

Who makes the business decisions?
The BPA lists specific individuals and scope

Prepare for contingencies

Financial issues
Disaster recovery

Non-disclosure Agreement (NDA)

Confidentiality agreement between parties

Information in the agreement should not be disclosed

Protects confidential information

Trade secrets
Business activities
Anything else listed in the NDA

Unilateral or bilateral (or multilateral)

One-way NDA or mutual NDA

Formal contract

Signatures are usually required