<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Bob Maley, Author at Security Current</title>
	<atom:link href="/author/bob-maley/feed/" rel="self" type="application/rss+xml" />
	<link>/author/bob-maley/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Mon, 17 Jun 2019 09:04:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Bob Maley, Author at Security Current</title>
	<link>/author/bob-maley/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Part 4: Third Party Risk Management (TPRM) – A Series in Program Development</title>
		<link>/part-4-third-party-risk-management-tprm-a-series-in-program-development/</link>
		
		<dc:creator><![CDATA[Bob Maley]]></dc:creator>
		<pubDate>Mon, 17 Jun 2019 09:04:16 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">/?p=20804</guid>

					<description><![CDATA[<p>Part 4: – “Full Engagement” – Bringing Value to Partnerships This is the third of a four part series. To read part one of this report click here. This series&#160;has&#8230;</p>
<p>The post <a href="/part-4-third-party-risk-management-tprm-a-series-in-program-development/">Part 4: Third Party Risk Management (TPRM) – A Series in Program Development</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong>Part 4: – “Full Engagement” – Bringing Value to Partnerships</strong></p>



<p><em>This is the third of a four part series. </em><a href="/third-party-risk-management-tprm-a-series-in-program-development/"><em>To read part one of this report click here.</em></a></p>



<p>This series&nbsp;has been designed to help CISOs and other risk management practitioners examine their programs from a unique perspective – one in which the objective problem your organization is trying to solve takes center stage and risk managers can effectively respond as that problem morphs over time.</p>



<p><strong>Executing your plans for assessments:</strong>&nbsp;The most important thing for practitioners to bear in mind is that there are parties outside your TPRM program that must be engaged, in order for your program to run effectively. Focus your effort on those parties, both internal to your organization and external third party partners, that matter to your business.</p>



<p>It’s that simple – and it’s that complicated.</p>



<p>The point here is that when expectations are clearly laid out in the planning stages:</p>



<ul class="wp-block-list"><li>Your TPRM strategies and tactics can yield results that are in keeping with your needs.</li><li>Your approach will be appropriate to the scale of the resources your company wishes to invest in controls assessment and relationship management.</li></ul>



<p><strong>Keeping optimization in focus:</strong> In <a href="/third-party-risk-management-tprm-a-series-in-program-development-2/">Part 2</a> of this series, we discussed the need to focus TPRM resources in accord with the potential impact that is posed by third parties with network access, access to sensitive data, and those that hold critical roles for your business.</p>



<p>To do so, your TPRM processes will need to reveal insight into your vendor’s risk management maturity, centering on your vendor’s own risk management processes. What about that third party is most important for your relationship? Both trust (vendor self-assessments) and verify (independent assessments) should reveal relevant information about the vendor’s ability to execute for your company, their motivations, and how those two factors affect their own risk management priorities. For instance: do they have a risk evaluation process; do they perform a root cause analysis process; what are their patching and maintenance processes; do they have an asset inventory; do they have a management process for controls and reviews, etc.? If they are doing these things in a way that is responsive to your needs, that is a good indicator the vendor has a more advanced level of risk management maturity.</p>



<p>You will also need an outside view of the vendor. This can be accomplished in a number of ways, such as using open source intelligence tools in a do-it-yourself manner, engaging a third party monitoring vendor to perform this task for you, or combining the two approaches. If a monitoring vendor is used to collect information on your third parties, that vendor will apply rules and often its own proprietary behind-the-scenes algorithms to make it easier for its customers to consume that information, usually providing dashboard output in the form of a graded score (by color, rank, etc.) for each vendor.</p>



<p><strong>Understanding HOW the score is created, that’s how you make better business decisions:</strong>&nbsp;<em>Remember that there are no ‘magic bullets’ in TPRM – no one service can cover all the bases.</em>&nbsp;When you go to an outside source for intel (OSINT), there are cues that can help guide you in selecting a monitoring services vendor. Red flags when you review automated monitoring services are any marketing materials that claim: (1) the vendor can completely replace assessments (i.e., their service is “all you need”); (2) that the vendor provides ‘actionable’ intelligence; or (3) that the vendor can radically reduce the amount of time and effort you need to apply in your TPRM processes. All these claims should make your ‘Spidey’ senses tingle.</p>



<p>For example, let’s talk about actionable intelligence. In TPRM, intelligence is the term used to define the information gathered through collection efforts to gain details about a vendor’s risk posture. Actionable intelligence is a subset of that information. In military terms, actionable intelligence is: “intelligence information that is directly useful to customers for immediate exploitation without having to go through the full intelligence production process.”[1]</p>



<p>While scored information and dashboards can make the information collected more valuable, they don’t necessarily make the information “actionable.”</p>



<p>Information becomes actionable when the end user of that information (i.e., you, the outsourcer) goes through the Observe and Orient steps of the <a href="/third-party-risk-management-tprm-a-series-in-program-development/">OODA (Observe-Orient-Decide-Act) Loop</a>. The vendor providing the intelligence may do some Orientation on the larger body of information (either through a transparent, known process, or through an unknown black box manipulation). When the vendor passes that manipulated intel to you, it is up to you as the TPRM practitioner to further Orient that information and Decide to Act in the context of what action would be best aligned with your company’s TPRM program’s goals and objectives. Only if you accept the monitoring vendor’s intel as it comes to you – without any further alignment to your program’s needs – can the monitoring vendor’s reported information be truly termed “actionable.”</p>



<p>If your program is so new that you cannot align the incoming intel to your own company’s risk appetite, and you make the business decision to use the monitoring vendor’s raw intel as is, then (and only then), acting on that data is a valid decision. HOWEVER, if you do use that data and act upon it, you must understand HOW the graded score is created, because if you Act without further analysis, that will have an impact on your company and your relationship with your third party. The lack of analysis on your part will also cause churn for you, since the undigested nature of the intelligence provided means it will be, by definition, less tightly focused on your program’s needs.</p>



<p>The bottom line is that you are responsible for how that intel is used. If you are assessing one of your preferred vendors and you recommend a specific action about that third party based on intelligence that has not been well-aligned to your company’s needs, then your tenure as a TPRM practitioner may be quite short.</p>



<p><strong>Staying focused:</strong>&nbsp;To make sure you are focusing on the right vendors, an up-to-date and extremely precise and accurate vendor inventory is required. That inventory should provide insight into who in your company owns each vendor relationship, the criticality of that vendor to your operations (including concentration risk), if and how the vendor is connected to your network, and the type and sensitivity of the data they have access to (including intellectual property, operations technology, and customer data). In addition to helping to guide procurement and onboarding, as well as regular assessments, this inventory provides essential information both before and after any incident, ensuring that the right people are involved throughout the vendor lifecycle.</p>



<p>As discussed in <a href="/part-3-third-party-risk-management-tprm-a-series-in-program-development/">Part 3 of this series</a>, when conducting assessments and monitoring activities, restrict your questions to those things that really matter to you. You should include inherent, target, and residual risk, to keep your program focused, so that you don’t waste your own or your third party’s resources.</p>



<p><a href="/third-party-risk-management-tprm-a-series-in-program-development/">Part 1</a> demonstrated the importance of getting as much of your third party ecosystem under your control as possible. In other words, don’t focus on EVERY third party. Focus first on those that are critical to your operations and have network and data access (or potential access) – remember that a seemingly benign third party can serve as a gateway for hackers trying to gain network access, as noted in <a href="/third-party-risk-management-tprm-a-series-in-program-development-2/">Part 2</a>. Where vendors connect to your network, strong network segmentation is a key requirement for controlling risks. Try to work with your technology groups to make sure that you have control of as much of those third parties’ access to information and the network as possible.</p>



<p><strong>Using contracts to set expectations:</strong>&nbsp;A key component for optimizing your third party relationships is very clear contractual language. The language will depend on the type of service that the vendor is performing. You can develop your own standard, pre-approved templates to minimize your need for legal to be involved in initial negotiations. There should also be language that sets out the expectation that vendors will follow industry standard information security framework(s). If your vendor is handling payment processing, for instance, that vendor would need to meet the scope of Payment Card Industry Data Security Standard (PCI DSS) requirements. Therefore, you would include requirements in your contract that cover those standards, setting the expectation that the vendor would be and remain compliant and report appropriately around PCI DSS. Fourth party requirements should also be called out in specific clauses (such as, if and when the use of fourth parties is permissible, under what circumstances they may be used, and the requirement for the third and fourth party risk management processes to meet or exceed your own company’s risk management requirements).</p>



<p>The Shared Assessments Program’s<a href="https://sharedassessments.org/white-papers/">&nbsp;Principles of Third Party Contract Development, Adherence &amp; Management</a>&nbsp;and its companion Executive Summary document provide guidance on contract development practices that provide benefits to both the outsourcer and the third party provider.</p>



<p><strong>Treating third parties as trusted and valued partners:&nbsp;</strong>Plan for success in ways that help your third parties to improve their own risk management programs and everyone comes out stronger. Treat your third parties as valued partners, rather than liabilities. Bear in mind that you are not the only company to which they provide services. Don’t waste their time with unfocused questionnaires and other assessments. When an item is identified that requires remediation to meet your control requirements, provide the vendor with not only a statement of what the problem is, but also how it matters to you and how they can easily resolve the problem to meet your needs. This helps your vendors to elevate their security maturity, instead of overwhelming them with meaningless issues.</p>



<p>Some companies handle this aspect of relationship management far better than others. In many cases, the outsourcer’s monitoring includes conducting vulnerability management scans and simply handing off a report to the IT department that is running the scanned server without providing any focused feedback. The vulnerability report may cover thousands of issues, and simply telling your vendor that all issues must be immediately fixed is not a recipe for success. In most cases, a targeted remediation request will resolve the important issues. Go with what’s important.</p>



<p><strong>Recommendations:&nbsp;</strong>Finally, remember that building a TPRM program is a long-term improvement cycle process. The use of the OODA Loop, not just to manage the information around your third parties, but also for the improvement to your TPRM system is mission critical. Research your metrics to make sure they will provide useful information instead of churn.</p>



<p>Set out clear expectations that matter. Don’t waste time. So that all parties involved are making better use of existing resources, concentrate program design and implementation efforts by acutely focusing on the most vulnerable, high risk vendors in your processes.</p>



<p>Understanding where you are today, the improvements you make tomorrow, and knowing what your ultimate goal is for program maturity – all of these are key to success. The Shared Assessments Program has honed a valuable, freely available tool that all companies can and should use to benchmark their program maturity. The Vendor Risk Management Maturity Model (VRMMM) Tool helps TPRM practitioners at all levels of goal setting, program development, and continuous program improvement. The Tool is available at: <a href="https://sharedassessments.org/vrmmm/">https://sharedassessments.org/vrmmm/</a>.</p>



<p><em><a href="https://www.linkedin.com/in/strategicciso/">Bob Maley, CTPRP, CRISC</a></em> <em>is an award-winning senior leader in information security and a strategic thinker with experience as an information security strategist designing and building information security programs for PayPal Holdings, the Commonwealth of Pennsylvania, and for the healthcare sector.</em></p>



<p class="has-small-font-size">[1] Publication JP 2-01.2. Joint and National Intelligence Support to Military Operations. July 5, 2017.</p>



<p><a href="/third-party-risk-management-tprm-a-series-in-program-development/">To read part one of this report click here.</a></p>
<p>The post <a href="/part-4-third-party-risk-management-tprm-a-series-in-program-development/">Part 4: Third Party Risk Management (TPRM) – A Series in Program Development</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Part 3: Third Party Risk Management (TPRM) – A Series in Program Development</title>
		<link>/part-3-third-party-risk-management-tprm-a-series-in-program-development/</link>
		
		<dc:creator><![CDATA[Bob Maley]]></dc:creator>
		<pubDate>Mon, 10 Jun 2019 09:57:14 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">/?p=20787</guid>

					<description><![CDATA[<p>Part 3: – “Strengthening Your Strategy” – How Do You Make the Most of Continuous Monitoring? This is the third of a four part series. To read part one of&#8230;</p>
<p>The post <a href="/part-3-third-party-risk-management-tprm-a-series-in-program-development/">Part 3: Third Party Risk Management (TPRM) – A Series in Program Development</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong>Part 3: – “Strengthening Your Strategy” – How Do You Make the Most of Continuous Monitoring?</strong></p>



<p><em>This is the third of a four part series. </em><a href="/third-party-risk-management-tprm-a-series-in-program-development/"><em>To read part one of this report click here.</em></a></p>



<p>This series&nbsp;has been designed to help CISOs and other risk management practitioners examine their programs from a unique perspective – one in which the objective problem your organization is trying to solve takes center stage and risk managers can effectively respond as that problem morphs over time.</p>



<p><strong>The vagaries of program building:</strong> To effectively reduce the uncertainty and potential impact of third party risk, every program must efficiently integrate the complex landscape of people, processes and technology. You cannot simply expect that your program will be humming along and proficient in six months. </p>



<p>TPRM programs require management of layered complexities, with dependencies and interdependencies that range from the need for specialized workforce engagement and retention, to socioeconomic and geolocation concerns, to legal and regulatory compliance. This complexity extends beyond your program’s control to factors that are under the control of other business units within your organization, as well as those controlled by your third parties and their subcontractors (nth parties). A mature Third Party Risk Management (TPRM) program goes well beyond regulatory compliance. </p>



<figure class="wp-block-image is-resized"><img fetchpriority="high" decoding="async" src="/wp-content/uploads/2019/06/Part3.png" alt="" class="wp-image-20788" width="845" height="474" srcset="/wp-content/uploads/2019/06/Part3.png 845w, /wp-content/uploads/2019/06/Part3-300x168.png 300w, /wp-content/uploads/2019/06/Part3-768x431.png 768w, /wp-content/uploads/2019/06/Part3-600x337.png 600w" sizes="(max-width: 845px) 100vw, 845px" /><figcaption> <strong><em>Figure: What a mature TPRM program looks like <strong>[1]</strong></em></strong> <br> <br></figcaption></figure>



<p>So, how can you get your program from where you are to where it needs to go, so that you can gain greater insight and better manage the risks your organization faces every day?</p>



<p>From the ground up, it is essential that all business units and functions have a seat at the table when it comes to designing, executing, and improving your program. This means it is important to engage with representatives from procurement, risk, legal, internal audit, and all other stakeholders in aligning the program’s design with company goals. As you educate stakeholders on what you are trying to achieve in your TPRM program, you can collectively set expectations that meet everyone’s needs, gaining greater buy-in that can translate to higher levels of program maturity over time.</p>



<p><strong>Building your strategy:</strong> Strategy and tactics work in tandem and should not be confused. “Strategy defines the organization’s risk management goals; the tactics are the means by which those goals are achieved.”<sup>[2]</sup></p>



<p>A trap is set if you believe you can follow your tactical process steps and come out the other end of the funnel with strategic success. There is a need to align your tactics to your organization’s culture, processes, rules, expectations, measurable objectives, and other relevant needs.</p>



<ul class="wp-block-list"><li>Your strategy should document your TPRM program goals and measurable objectives, both of which need to be in line with your organization’s overall risk management goals.</li><li>Your tactics will be the tasks and processes you will use to achieve those strategic goals.</li></ul>



<p>However, in the execution of the tasks and processes, TPRM professionals often lose sight of the need to adapt their tactics to stay aligned with strategy. To gain any measure of agility in risk management, tactics need to be regularly adjusted based on information gathered from your management experience – i.e., what works and what doesn’t work.</p>



<p><strong>Continuous monitoring – separating fact from fiction: </strong>What is continuous monitoring really? It is a nascent tactical solution that is gaining traction globally with outsourcers. In some regulatory environments, it has recently become a required part of TPRM programs.<sup>[3]</sup> Everyone is talking about continuous monitoring – looking at their vendors in real time hoping to better understand the risk these vendor relationships pose.</p>



<p>The problem of using continuous monitoring to ensure that your tactical solutions will accomplish your goals gets ever more complicated due to the variety of demands – legal, geopolitical, socioeconomic, workforce skills and other demands – that compete for attention. In the real world, no one solution provider can possibly cover all these areas of expertise.</p>



<p>There are multiple components that need to be considered in order to demonstrate value in a continuous monitoring score, or the lack thereof. To have data that is reliable, accurate, and predictive, you need to know:</p>



<ul class="wp-block-list"><li>exactly what data is being deemed “on a continual basis” and used to effect a change to the score;</li><li>how accurate that data is; and</li><li>whether the resulting score has a useful level of precision that would indicate that any daily score fluctuations are in fact useful indicators for the consumer of that continuous monitoring report.</li></ul>



<p>And, you need to know how that data relates to your organization’s goals and objectives.</p>



<p>Monitoring efforts may be designed around something that is “required” and “expected” to make people feel safer. However, that can be misleading. If you take a third party’s continuous monitoring score, it can change over time, sometimes quickly and without sufficient accuracy or precision to be useful for risk managers. In that case, the scores provide only the illusion of meaningful insight into that third party’s security posture – what Bruce Schneier calls “security theater” – without doing anything to reduce the uncertainty surrounding a third party’s risk ecosystem.<sup>[4]</sup></p>



<p>Continuous monitoring is perceived as literal, real time data processing. However, the data used for continuous monitoring is more likely cyclical over a time period that is not instantaneous, e.g., updated over a cycle of 4 hours, days, or even weeks. Many definitions focus on security feed and monitoring – and make people simply feel safer, rather than protecting them more effectively. Not all data is available or easy to monitor in real time. For example:</p>



<ul class="wp-block-list"><li>Domain Name Registry data can be viewed in a “continuous” feed, but in reality that data is only updated once every four hours (or less). In this case, every four hours would constitute “continuous” since that is its level of availability.</li><li>Breach notification data is not real time and cannot be continuously monitored. Notification happens (by definition) after the fact. When a provider is breached that had provided a service to a large number of companies, there is a period of time between when the actual breach occurs and when public notification of that breach is made. During that interim time period, the customers of the vendor are notified as part of the incident management and notification process. However, a continuous monitoring service provider does not receive the breach notification until it is made public. So, the continuous monitoring feed provision of breach notification is a delayed piece of “after the fact” information, which lowers the value of that notification.</li></ul>



<p><strong>Accuracy versus precision:</strong>&nbsp;Continuous monitoring vendors provide a scorecard or other ranked value, which the continuous monitoring vendor believes depicts the risk a given third party poses to your organization. Some of those scores are extremely precise, but very inaccurate.</p>



<p>For example, suppose your spouse/partner asks you what time you will be home for dinner, and your response is 6:00 pm. That is a very precise piece of data. But if you arrive home at 6:20, that precision was not very accurate, nor was it useful. We know there are many factors in determining what time you will actually arrive at home, things such as workload, traffic, unexpected interruptions, etc., but you could look back over time and use data to determine that in reality you usually arrive between 5:55 and 6:45, with an average arrival time of 6:15. Instead of being precise, you may want to respond that you will be home between 6:00 and 6:30, thus improving your accuracy and decreasing the uncertainty of your actual arrival time, which would prove a more useful estimate for your spouse/partner. You could also say between 4:00 and 9:00 pm, which is very accurate, but has no useful level of precision for planning purposes.</p>



<p>In the world of continuous monitoring, score ranges, such as 0-10, 1-100, 1-1000 are used. Let’s assume the value range under consideration is 0-10, calculated to two decimal places. You achieve a score of 4.75, which is extremely precise. But four hours later, new information changes that score to 4.76 – again extremely precise. However, the change is virtually meaningless, because it does not help you understand what’s really happening.</p>



<p>Let’s go one step further. Let’s say that the change in score is significant, going from 4.75 to 1.25. This is significant enough to be called a trigger event. In your tactical processes, you need to have a plan in place&nbsp;<em>ahead of time</em>&nbsp;that defines what triggers are based upon and what your plan of action is when a trigger event occurs with one of your vendors.</p>



<p><strong>Getting better accuracy:</strong>&nbsp;Compound these examples with proprietary scoring methodologies that are not transparent in their analysis, and the uncertainty around how precise and accurate that score actually is increases. Add more uncertainty to the equation as the incoming continuous monitoring data fluctuates, and it becomes difficult to understand just how much risk that vendor poses to your organization. The usefulness of the score drops even further if you don’t have an understanding of the quantitative risk in that particular vendor relationship.</p>



<p>A better way to attain a more suitable picture is to provide a grade (score) with a useful degree of precision, based on accurate, relevant data, that is calculated by an open source community-tested methodology that allows you, the end user of the data, to align that information with your own organization’s unique defined risk appetite. That approach provides real relevancy to a score, which gives meaningful intelligence that can be used to reduce the uncertainty of the potential risk posed by that vendor.</p>



<p><strong>Reducing churn:&nbsp;</strong>In the world of continuous monitoring, information churn is created when data is collected and reported that does not relate to your organization’s risk management needs. If your actions are based on information that is poorly aligned with your TPRM goals, sooner or later you’ll find that your actions are not yielding results that are in keeping with your organization’s needs. You will experience churn, ill-advised decisions, and wasted effort.</p>



<p>At some point, your organization will have to understand whether the information it receives can be acted upon in a way that is aligned with its own unique needs. You need to ask, “how was that score derived?” If your continuous monitoring solution has a proprietary, non-transparent algorithm (i.e., a black box), you have to be willing to accept the score without knowing the answer to that question.</p>



<p>In a real world example, a vendor was identified as being on the&nbsp;<a href="https://sanctionssearch.ofac.treas.gov/">Office of Foreign Assets Control (OFAC)</a>&nbsp;list, which restricts by regulatory mandate the use of specific vendors for a specific service or services. The outsourcer used this alert as a trigger and launched a response, which in turn created significant churn. Instead, the outsourcer could have reduced churn in two ways. First, the outsourcer could have determined this was a single source vendor, so the use of this third party remained important. Second, the outsourcer could have determined if the service listed was one for which that third party was contracted. If not, then the OFAC alert could be flagged for future reference as not reflecting the outsourcer’s risk management requirements.</p>



<p>In this case, the vendor’s listing on OFAC constituted a continuous monitoring alert, so the company performed a quantitative analysis and determined there was little to no risk, unless the OFAC-listed service was used. To reduce churn over time in this type of situation, the continuous monitoring score needs to be able to automatically reflect that the OFAC score does not reflect the outsourcer’s business needs, and that factor needs to be updated if that status changes for any reason.</p>



<p><strong>Recommendations:&nbsp;</strong>Know your mission – to reduce the uncertainty around the risk exposure in the most cost effective manner that you can – and stick with it.</p>



<p>You can plan for a higher level of success by underpinning your tactics with a standardized, industry-vetted program model, such as the&nbsp;<a href="https://sharedassessments.org/">Shared Assessments Program</a>. You can also make sure that your workforce speaks the business language of risk and business impact, which most do not.</p>



<p>To build a more successful process:</p>



<ul class="wp-block-list"><li>Define your mission.</li><li>Align your strategy to that mission.</li><li>Base your tactical processes with that strategy in view.</li><li>Use the&nbsp;<a href="/third-party-risk-management-tprm-a-series-in-program-development/">OODA Loop (Observe-Orient-Decide-Act)&nbsp;</a>to guide your tactical processes.</li><li>On a regular basis, based on your OODA experiences, measure and document the improvements that you make to your tactics.</li></ul>



<p>The combination of a strong set of tools and a robust understanding of impact will naturally lead to the understanding that you cannot just flip a switch and have a mature TPRM program. Building a robust program takes quantitative analysis, careful integration of data into your processes, and a vision that includes a step process for improvement over time. Resources are available that can help guide your quantitative analysis, including&nbsp;the&nbsp;<a href="https://www.fairinstitute.org/">Factor Analysis of Information Risk (FAIR) Model</a>&nbsp;approach to risk analysis.</p>



<p>Pay attention to staying on mission – don’t get bogged down in tactical complexities – instead focus on your strategic clarity. Your tactics should morph over time, driven by the results achieved from those tactics. Tactics should be driven by your strategy, rather than falling into the trap of thinking that you are achieving your strategic goals just by executing tactics that may be falling short of those goals.</p>



<p><strong>Next Steps:</strong>&nbsp;The first three articles in this series covered: (1) examining your TPRM program’s objectives; (2) understanding the conditions that create third party risk; and (3) refining your strategy. The final article in this series will discuss optimization of your assessment efforts, contracts, and treating your third parties as trusted, valued partners.</p>



<p><em><a href="https://www.linkedin.com/in/strategicciso/">Bob Maley, CTPRP, CRISC</a>&nbsp;is an award-winning senior leader in information security and a strategic thinker with experience as an information security strategist designing and building information security programs for PayPal Holdings, the Commonwealth of Pennsylvania, and for the healthcare sector.</em></p>



<hr class="wp-block-separator"/>



<p class="has-small-font-size">[1] Vendor Risk Management Maturity Model (VRMMM) Program Maturity Levels. <a href="https://sharedassessments.org/vrmmm/">The Santa Fe Group, Shared Assessments Program.</a> 2019. Reprinted with Permission.</p>



<p class="has-small-font-size">[2] <a href="https://sharedassessments.org/tp-continuous-monitoring/">Innovations in Third Party Continuous Monitoring: With a Name Like OODA, How Hard Can It Be?</a> The Santa Fe Group, Shared Assessments Program. 2018.</p>



<p class="has-small-font-size">[3] Examples of industry-specific guidelines for monitoring governance include European Banking Authority Updated Guidelines on outsourcing arrangements. EBA. February 2019; AT 9 Outsourcing. August 15, 2013. Germany’s Federal Financial Supervisory Authority (BaFin); Commission Delegated Regulation (EU) 2015/35. October 10, 2014. Official Journal of the European Union. January 17, 2015; Cybersecurity Legal Task Force Vendor Contracting Project: Cybersecurity Checklist. American Bar Association (ABA). November 2016; European Union (EU) Regulation 2016/679, better known as the General Data Protection Regulation (GDPR). April 14, 2016. Effective May 2018. EU Parliament; FFIEC Information Technology Examination Handbook. Appendix J: Strengthening the Resilience of Outsourced Technology Services. FFIEC. February 2015; New York State Department of Financial Services cybersecurity regulation 23 NYCRR 500. New York State Department of Financial Services. March 2017; Outsourcing Risk Management. Monetary Authority of Singapore (MAS). March 2013; SYSC 8.1 General Outsourcing Requirements. May 2016. United Kingdom’s Financial Conduct Authority (FCA); Third-Party Relationships: Supplemental Examination Procedures Bulletin. OCC 2017-7. January 2017; OCC Advisory Letter 2000-9; February 2015; Third-Party Relationships: Risk Management Guidance. Office of the Comptroller of the Currency (OCC). OCC Bulletin 2013-29. October 30, 2013; Third-Party Relationships: Risk Management Principles. OCC Bulletin 2001-47. Adapted from The Santa Fe Group, Shared Assessments Program. 2019.</p>



<p class="has-small-font-size">[4] Schneier, B. Beyond Fear: Thinking Sensibly about Security in an Uncertain World. 2003. Copernicus Books. https://www.schneier.com/books/beyond_fear/</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Part 2: Third Party Risk Management (TPRM) – A Series in Program Development</title>
		<link>/third-party-risk-management-tprm-a-series-in-program-development-2/</link>
		
		<dc:creator><![CDATA[Bob Maley]]></dc:creator>
		<pubDate>Mon, 03 Jun 2019 17:17:11 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">/?p=20777</guid>

					<description><![CDATA[<p>Part 2: – “Knowing Your Ground” – What Conditions Create Third Party Risk? This is the second of a four part series. To read part one of this report click&#8230;</p>
]]></description>
<content:encoded><![CDATA[
<p><strong>Part 2: – “Knowing Your Ground” – What Conditions Create Third Party Risk?</strong> </p>



<p><em>This is the second of a four part series. </em><a href="/third-party-risk-management-tprm-a-series-in-program-development/"><em>To read part one of this report click here.</em></a></p>



<p>This series has been designed to help CISOs and other risk management practitioners examine their programs from a unique perspective – one in which the objective problem your organization is trying to solve takes center stage and risk managers can effectively respond as that problem morphs over time.</p>



<p><strong>Understanding the conditions that create the need for Third Party Risk Management (TPRM):</strong> Using the <a href="/third-party-risk-management-tprm-a-series-in-program-development/">OODA Loop</a> approach (covered in Part 1 of this series) requires a clear understanding of why you need a TPRM program. Your program’s mission should mirror the defined objective of any solid TPRM program: “… to cost effectively manage the risk associated with third parties.”[1]</p>



<p>From a cyber security perspective, the need for TPRM is frequently viewed through the lens of regulatory compliance. For example:</p>



<ul class="wp-block-list"><li>New York State’s Department of Financial Services 23 NYCRR 500: if you are subject to this regulation covering financial services and insurance firms in New York State, you are required to have a TPRM program.</li><li>Globally, Singapore’s MAS, Luxembourg, and many other regulators require you to have a TPRM program in place.</li></ul>



<p>However, regulatory compliance is just a check box. It does not mean your company is “safe.” From a broader perspective, events across the triad of Confidentiality, Integrity, Availability (CIA) can significantly affect your business, though these elements are not as easy to quantify in many cases.</p>



<ul class="wp-block-list"><li>Availability: This factor is the one that most clearly demonstrates to senior management the need for allocation of company resources for TPRM. Availability is operationally critical to your customers, and therefore easily translates into return on investment when viewing the cost of TPRM resources to protect this CIA component. Procurement and other stakeholders can readily establish the cost associated with loss of availability of services when a downstream vendor cannot perform, as well as the market cost associated with such a performance failure.</li><li>Confidentiality &amp; Integrity: These components overlap in some areas. Primarily, they are concerned with which vendors have access to your company’s key assets (customer information, proprietary data, etc.). All types of access need to be considered, along with the risk that each access type poses to the company as a whole. The financial impact to your company is harder to define in these scenarios. For instance:<ul><li>Confidentiality is involved when a marketing company shares lists with criteria for vendors who will carry out specific tasks using that information. This list might include PII and certainly involves data access for vendors who require data directly from your systems, such as call centers that provide customer support in the form of customer PII gathering.</li><li>Direct or pervasive access to systems and/or information covers both Confidentiality and Integrity. A vendor may be identified as having low-risk access; however, that access can be insidious when a seemingly low-risk vendor can provide unintended and unguarded access into your network for a hacker. This was seen in the now infamous Target breach, where the company’s HVAC vendor’s credentials were breached, and hackers were able to pivot off other servers to locate the POS system and inject code into POS terminals to capture sensitive information.</li></ul></li></ul>



<p><strong>Getting a handle on the use of program resources:&nbsp;</strong>This is the “big” problem. In smaller firms, the number of vendors that an outsourcer uses may be in the low thousands. When global organizations are involved, the number can quickly skyrocket into the tens of thousands. In either case, this scale instantly overwhelms the resources your company can make available for controls assessment and relationship management.</p>



<p><em>The OODA Loop can be key to gaining a foothold, starting with documenting the potential impact that each type of outsourced service can have on your company.&nbsp;</em>Typically, this entails review of several important factors that can impact business functionality and resiliency. Those factors can be seen where:</p>



<ul class="wp-block-list"><li>The inherent risk posed by a given service or product may not match the residual risk and the actual potential impact to your company.</li><li>Procurement’s view of the total spend on a given vendor exceeds a given threshold.</li><li>Concentration risk is posed by use of a given vendor or single source vendor.</li></ul>



<p><em>A better way to understand the impact to your company is to understand your metrics, which you can refine quickly by employing the OODA Loop to determine which metrics provide useful feedback and which do not.&nbsp;</em>Some less mature programs view indicators using such terms as “sensitive information,” which may be internally defined and/or defined by regulatory guidelines or industry standards. But this approach still means that you may be falsely looking at a single metric (i.e., sensitive information) without refining that metric for the actual tie between criticality or impact from a given vendor and that vendor’s access to the information involved in the relationship.</p>



<p>What would be the financial impact to your company if the confidentiality of that sensitive data was breached? How do you calculate that? In Part 1 of this series, I recommended the use of a model that provides both qualitative and quantitative evaluation. In Measuring and Managing Information Risk: A FAIR Approach, Jack Freund and Jack Jones examine the&nbsp;<a href="https://www.fairinstitute.org/">Factor Analysis of Information Risk (FAIR) Model&nbsp;</a>approach to risk analysis. This method adopts a standardized process with guided scoping so that you ask the ‘right’ questions in developing your risk scenarios across a range of risk probabilities and types. The result is a calibration of risk across your organization, from which risk managers can gain meaningful context and develop actionable metrics for TPRM assessments, including those used in continuous monitoring.</p>



<p>For example, if you share 1,000 records of customer data with one marketing company and you have a second company that you share a million records with, both companies are handling high risk “sensitive information.” But using the more limited “sensitive information” metric as criteria for vendor risk rating covers only one factor in determining the potential impact to your company. While both vendors handle customer data, clearly the vendor that has access to a million records poses a significantly greater confidentiality risk for your company. The cost involved per record and the cost of your company’s reputation are both major metrics in the case of the second vendor.</p>



<p>Applying this type of focus gives you the ability to make better use of existing resources so that you can acutely focus on the most vulnerable, high risk vendors in your processes.</p>



<p><strong>Recommendations:</strong>&nbsp;Look at your processes and examine them in retrospect on an ongoing basis. TPRM is not “one and done.” You have to revisit the processes, policies, procedures and the criteria (metrics and thresholds) that you use to guide analysis. Revisit audit findings that require remediation and contract negotiations that require exceptions approvals, as these are good guideposts for improving your program.</p>



<p>Most importantly, the sheer volume of risk management means that you must understand and document the needs in your company’s unique ecosystem, and then apply continuous improvement to your process.</p>



<p><strong>Next Steps:</strong>&nbsp;The first article in this series covered examining your TPRM program’s objectives. The remaining articles in this series will cover:</p>



<ul class="wp-block-list"><li>Examining your strategy:<ul><li>Controlling your TP risk landscape.</li><li>Optimizing your assessment efforts.</li><li>Contracts and contract language.</li></ul></li><li>Treating third parties as trusted and valued partners.</li></ul>



<p><em><a href="https://www.linkedin.com/in/strategicciso/">Bob Maley, CTPRP, CRISC</a>&nbsp;is an award-winning senior leader in information security and a strategic thinker with experience as an information security strategist designing and building information security programs for PayPal Holdings, the Commonwealth of Pennsylvania, and for the healthcare sector.</em></p>



<p class="has-small-font-size">[1] Freund, Jack. &amp; Jones, Jack. Measuring and Managing Information Risk, A FAIR Approach. Butterworth-Heinemann. 2014.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Third Party Risk Management (TPRM) – A Series in Program Development</title>
		<link>/third-party-risk-management-tprm-a-series-in-program-development/</link>
		
		<dc:creator><![CDATA[Bob Maley]]></dc:creator>
		<pubDate>Tue, 28 May 2019 07:54:21 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">/?p=20685</guid>

					<description><![CDATA[<p>Part 1: – “Doing It Right” – What Problem Are You Trying to Solve? This is the first of a four part series. This series has been designed to help&#8230;</p>
]]></description>
<content:encoded><![CDATA[
<p><strong>Part 1: – “Doing It Right” – What Problem Are You Trying to Solve?</strong></p>






<p>This series has been designed to help CISOs and other risk management practitioners examine their programs from a unique perspective – one in which the objective problem your organization is trying to solve takes center stage and risk managers can effectively respond as that problem morphs over time.</p>



<p>Key to your mission statement, i.e., why your program exists, is to effectively manage the risk surrounding third parties across your organization’s entire ecosystem. In its most basic form, risk management is “the combination of personnel, policies, processes and technologies that lets you achieve and maintain an acceptable level of loss exposure.”[1]</p>



<p><strong>TPRM Objectives:&nbsp;</strong>What are your objectives and what should they be? It seems simple to say that risk managers must keep their eye on the ball – the overarching, twin objectives that all TPRM programs encompass, which are:</p>



<ul class="wp-block-list"><li>Measuring and controlling actual risk versus just managing compliance; and</li><li>Balancing that need against cost efficacy.</li></ul>



<p>The members of your third party ecosystem have access to confidential information, intellectual property, and/or critical systems. Consequently, your organization is only as secure as your third party partners’ cyber security capabilities.</p>



<p><strong>Gaining Context:</strong>&nbsp;Benchmarking studies demonstrate that programs fall far short of the targets set for robust risk management.[2] “Cluelessness” in risk management emerges when we fail to recognize and respond to the original fundamental program goals as they change over time. For example, over the course of a three-year strategic plan for the program, the entire value proposition for a goal may no longer be relevant due to the rapid evolution of threat factors that pose new risks in the real-time environment at any given point during those three years. By adopting a static long-term strategy without allowing it to shift in response to the real world, we will have failed to correct our trajectory.</p>



<p>To gain context, a model that provides both qualitative and quantitative evaluation is required. In Measuring and Managing Information Risk: A FAIR Approach, Jack Freund and Jack Jones examine the&nbsp;<a href="https://www.fairinstitute.org/">Factor Analysis of Information Risk (FAIR) Model</a>&nbsp;approach to risk analysis. This method adopts a standardized process with guided scoping so that you ask the ‘right’ questions in developing your risk scenarios across a range of risk probabilities and types. The result is a calibration of risk across your organization, from which risk managers can gain meaningful context and develop actionable metrics for TPRM assessments, including continuous monitoring.</p>



<p><strong>Evaluating Risk &amp; Developing Strategy:&nbsp;</strong>An analogy is widely used to demonstrate the value people devise around risk. This analogy is the “Bald Tire” scenario.</p>



<p>Think about a tire for a moment. As you visualize the tire you can see that it is very bald, so much so that the cords are easy to see. Now, before you move on to the next point jot down what risk that tire presents.</p>



<p>Now imagine that the tire is hanging on a rope from a tree. Does this change your view of the risk the tire presents? Make a note of your thoughts.</p>



<p>As you continue to imagine the tire, you notice that the rope is significantly frayed. Does this change your risk view? Make a note!</p>



<p>Go one step further and imagine now that the tire is hanging over a cliff, with a 100 foot drop and sharp rocks at the bottom of the cliff. Now, analyze your risk again in this new scenario.</p>



<p>What is your actual risk in all the scenarios? In the first scenario did you think about dangerous driving, perhaps on wet roads with catastrophic results? Were you relieved in scenario two, imagining a serene swing, only to have the serenity dashed in scenario four?</p>



<p>You were asked to determine the risk surrounding the tire and nothing else. Most people who walk through this set of scenarios insert presumptions at each step, as I noted. Did you?&nbsp; In reality, in the scenario provided, the only risk is to the asset (the tire). So, if the rope breaks and the tire plunges to its demise at the bottom of the cliff, the only loss is the minimal value of the tire.&nbsp; It’s human nature to imagine threats outside of a particular risk scenario. This is the challenge in understanding TPRM.</p>



<p>Now, take this exercise one step further and define a different scenario. The tire is your third party. Apply the same scenarios as above. Does YOUR risk change as the outsourcer? No, your risk does not change at all, because the third party intrinsically means nothing to you yet. Obviously, there is risk to the third party; however, until that third party gains access to something of value from your company (sensitive information, critical service provision, and/or network connectivity), the outsourcer’s risk posture does not change relative to a given third party.</p>



<p><strong>Controlling Your TPRM Landscape:</strong>&nbsp;What is the value of what your third parties are doing for you? In the answer to this question lies how you can improve TPRM maturity and get up to speed quickly. TPRM is a multi-faceted, multi-year effort. Third party risk is far too complicated to have a single magic tool. Indeed, if TPRM is worth doing, it is worth doing right. In other words, it is essential to concentrate your resources on establishing a program with strong fundamentals. Studies show that mature programs are well out of the reach of most organizations. In programs that fall short, there is often evidence of ‘cluelessness,’ where a number of factors point to the fact that an organization is wasting its time and resources (both its own and its third parties’) and is not achieving the objectives for its TPRM program. Examples include dogmatic inflexibility about trivial metrics, a lack of recognition of the diminishing value of exhaustive (unscoped) questionnaires, and development of risk formulae that are not relevant or actionable.</p>



<p>With disruption so common in the business model, key to creating a successful TPRM program in a short period of time and getting it up and running effectively is the application of the Observe-Orient-Decide-Act (OODA) Loop model. The Shared Assessments Program’s Innovations in Third Party Continuous Monitoring: With a Name Like OODA, How Hard Can It Be? white paper provides a deeper understanding of what the OODA Loop model is and how it applies to TPRM.</p>



<figure class="wp-block-image"><img decoding="async" src="https://d1c2gz5q23tkk0.cloudfront.net/assets/uploads/2231379/asset/Picture1.png?1559034995" alt=""/></figure>



<p><strong>Figure: The Parts of the OODA Loop[3]</strong></p>



<p><strong>Are you Clueful about TPRM?</strong>&nbsp;It is easy to tell if you are “clueful” or not. If your program lacks evidence of value determinations (e.g., in the tire model), then you may be non-clueful. If your program consists of long questionnaires (non-targeted, non-directed, metrics are horrible and non-actionable), that might indicate you are non-clueful. Being non-clueful might also be demonstrated if a concern identified during an initial audit and/or regulatory examination is not addressed in a timely fashion and the same issue is still present the following year when that concern would now be considered problematic.</p>



<p><strong>Recommendation:</strong>&nbsp;The Shared Assessments Program provides a free&nbsp;<a href="https://sharedassessments.org/vrmmm/">Vendor Risk Management Maturity Model (VRMMM)</a>&nbsp;tool, which risk managers can use to conduct a best practice benchmark evaluation of their TPRM program.</p>



<p>When utilizing the VRMMM, be frank and honest so that you can get an accurate benchmark. The first findings will help identify deltas to demonstrate to senior management that you have set well-defined goals and are continuously improving your program.</p>



<p>The remaining articles in this series will examine:</p>



<ul class="wp-block-list"><li>Understanding and quantifying the conditions that create third party risk.</li><li>Examining your strategy:<ul><li>Controlling your TP risk landscape.</li><li>Optimizing your assessment efforts.</li><li>Contracts and contract language.</li></ul></li><li>Treating third parties as trusted and valued partners.</li></ul>






<p><em><a href="https://www.linkedin.com/in/strategicciso/">Bob Maley, CTPRP, CRISC</a>&nbsp;is an award-winning senior leader in information security and a strategic thinker with experience as an information security strategist designing and building information security programs for PayPal Holdings, the Commonwealth of Pennsylvania, and for the healthcare sector.</em></p>






<p class="has-small-font-size">[1] Freund, Jack. &amp; Jones, Jack. Measuring and Managing Information Risk, A FAIR Approach. Butterworth-Heinemann. 2014.</p>



<p class="has-small-font-size">[2] Annual Vendor Risk Management Benchmark Study. 2014-2018. The Santa Fe Group, Shared Assessments Program and Protiviti, Inc.</p>



<p class="has-small-font-size">[3] Innovations in Third Party Continuous Monitoring: With a Name Like OODA, How Hard Can It Be? The Santa Fe Group, Shared Assessments Program. 2018. Reprinted with Permission.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
