In a world were industries are more and more integrated, and in a landscape were Saas, IaaS and Paas are becoming the norm, how deep should a company go to protect its assets and the PII of its customers?
When it comes to Risk based Third Party Management should we limit ourselves to the first level Vendor for our Due diligence or should we try to dig deeper and get info on the Subcontractors of the third party vendor we have a contract with?
Thoughts on the subject ?

Topic

[RvnthParticipant]

Basically, I think compliance is very important, and every collaboration and contract must always depend on the different aspects related to the compliance of the business in general. For example, we can see legal and legal compliance at the basic level, or even ethics. Regarding security, in a landscape where SaaS, IaaS and PaaS become the norm, it is very important to first know the different security standards and procedures that providers rely on to ensure data and Information security (like Personally identifiable information). It is important to remember that beyond Cybercriminals and Insiders, the various threats could come from even external providers, and that cybercriminal organizations and nation-states could prepare their attack from afar and for a long time; A supplier can be reliable, but collaborate with less reliable subcontractors. It is therefore very important for the IT Security Department (or Service) to have a compliance manual that suppliers must follow to be chosen as a supplier.

[BP123HarParticipant]

In my opinion, third party risk programs should be designed to assess the risk of any third party that meets your company’s thresholds. In other words, dig into third, fourth and further as long as there is a risk you are attempting to log, track and ensure coverage. I would profile a particular third party by putting them through a risk assessment. To the extent they are providing services that you consider high risk (example: servicing your customers), you should assess and apply the appropriate controls. Part of the assessment will be looking into their IT, Cyber controls. If they use a vendor to provide cyber related protection, you will want to either have your vendor assess (you will monitor and review results) or get approval to do it yourself. I would follow the risk until you’re satisfied.

[Thomas7219Participant]

Very interesting question, as I am not aware so far of any organization that is not depending on any third-parties to do their business or provide their services.
I think that a good way to execute due diligence over a third party supplier is to run evaluations, and identify in what extent it complies with sector’s best practices such as The National Institute of Standards and Technology or the Supplier’s Evaluation from ISO 9001:2015 Standard requirements.
Then the level of drill down will be driven by sensitive data exposure, business-continuity risk exposure and probably level of trust and confidence in the audited supplier.
This assessment should be run through a continuous improvement process provided on timely manner.

[MimyParticipant]

Third party assessment is one of the main issue in the industry today. This assessment should be done every day has more than 60% of hacks are initiated by hackers via Third parties.
Every one that wants to do this properly should not rely just on questionnaires by use platform like SecurityScorecard : https://securityscorecard.com/
The Platform instantly identifies vulnerabilities, active exploits, and advanced cyber threats to help you rigorously protect your business and strengthen your security posture – from an outside-in perspective, enabling you to see what a hacker sees.

[Author]

Replies