Understand, Manage, and Measure Cyber Risk by Ryan Leirvik

Author: Ryan Leirvik
Language: English
Format: epub
ISBN: 9781484278215
Publisher: Apress


With the program and its internal processes in place to keep the management activities running properly, it is time to look outside the organization for risk.

Step 5. Look Externally (Third-party Risk Management)

Anticipating areas of organizational cybersecurity risk stretches beyond internal processes alone. An individual or organization that is not part of your organization (referred to as a third party) introduces its own set of risks, and those risks can easily go overlooked.

External parties, such as outsourced service providers, require security attention that extends beyond the primary organization's boundaries: the weaknesses of the third party have to be investigated because they can affect the primary organization. This is the essence of third-party risk management (TPRM). The goal is to manage this risk well enough to anticipate and remediate issues originating with the outside party before a weakness in that third party is exploited in a way that impacts the organization.

There are many ways to manage third-party risk. One approach begins with establishing a formal TPRM program within the organization. Programs like this are best started by gaining internal buy-in from the teams that have a stake in the outcome and in the management of the program: governance, risk, and compliance (GRC), enterprise risk management, cybersecurity, procurement or purchasing, and legal. Bringing these team members in early helps prevent internal teams from engaging external vendors without first going through the TPRM risk-identification process.

One simple way to begin a risk management process focused on third parties is to align on which risks matter, and one way to make that alignment stick is to dedicate or hire full-time staff to the effort at the outset. Depending on the depth of any existing third-party risk management program, a dedicated team or at least a dedicated employee is best. TPRM requires a great deal of time and work to manage properly, and risk assessors stay busy with the wide variety of outside entities and people that need assessing. For example, dedicated third-party assessors usually have to go back and assess the vendors already in use before they can assess any new vendors the organization is looking to engage. Depending on the organization's size, its use of outside contractors, and any existing backlog of assessments, this can become a mammoth task.

With a team or person dedicated to the effort, establish a third-party risk management questionnaire. Regardless of the maturity of the TPRM process, the questionnaire is a strong place to start, whether it supports a current program or simply eases future assessments. Its purpose is to make clear which areas of risk to probe when considering an engagement with an outside party. As with any strong risk management program, choosing a single framework as the basis for the questionnaire gives the program structure and keeps answers comparable from one vendor to the next.

Continuing with the CSF, the questionnaire may be built around the organization's own management process, which helps with coverage and keeps vendor findings aligned with organizational risks; mixing too many frameworks causes alignment problems. At the most basic level, aligning to the CSF functions (Identify, Protect, Detect, Respond, and Recover) yields a set of high-level questions for vendor assessment. For example, Figure 5-8 illustrates at least one question per function as a starting point for TPRM questions.

Figure 5-8 Use