Part 2: – “Knowing Your Ground” – What Conditions Create Third Party Risk?

This is the second of a four part series. To read part one of this report click here.

This series has been designed to help CISOs and other risk management practitioners examine their programs from a unique perspective – one in which the objective problem your organization is trying to solve takes center stage and risk managers can effectively respond as that problem morphs over time.

Understanding the conditions that create the need for Third Party Risk Management (TPRM): Using the OODA Loop approach (covered in Part 1 of this series) requires a clear understanding of why you need a TPRM program. Your program’s mission should mirror the defined objective of any solid TPRM program: “… to cost effectively manage the risk associated with third parties.”[1]

From a cyber security perspective, the need for TPRM is frequently viewed through the lens of regulatory compliance. For example:

  • New York State’s Department of Financial Services 23NYCRR500 where, if you are subject to this regulation covering financial services and insurance firms in New York State, you are required to have a TPRM program.
  • Globally, Singapore MSA, Luxembourg, and many other global regulations require you to have a TPRM program in place.

However, regulatory compliance is just a check box. It does not mean your company is “safe.” From a broader perspective, events across the triad of Confidentiality, Integrity, Availability (CIA) can significantly affect your business, though these elements are not as easy to quantify in many cases.

  • Availability: This factor is the one that most clearly demonstrates to senior management the need for allocation of company resources for TPRM. Availability is operationally critical to your customers, and therefore easily translates into return on investment when viewing cost of TPRM resources to protect this CIA component. Procurement and other stakeholders can readily establish the cost associated with loss of availability of services when a downstream vendor cannot perform, as well as the market cost associated with such a performance failure.
  • Confidentiality & Integrity: These components overlap in some areas. Primarily, they are concerned with which vendors have access to your company’s key assets (customer information, proprietary data, etc.). All types of access need to be considered, along with the risk that each access type poses to the company as a whole. The financial impact to your company is harder to define in these scenarios. For instance:
    • Confidentiality is involved when a marketing company shares lists with criteria for vendors who will carry out specific tasks using that information. This list might include PII and certainly involves data access for vendors who require data directly from your systems, such as call centers that provide customer support in the form of customer PII information gathering.
    • Direct or pervasive access to systems and/or information covers both Confidentiality and Integrity. A vendor may be identified as having low risk access; however, that access can be insidious when a seemingly low risk vendor can provide unintended and unguarded access into your network for a hacker. This was seen in the now infamous Target breach, where the company’s HVAC vendor’s credentials were breached, and hackers were able to pivot off other servers to locate the POS system and inject code into POS terminals to capture sensitive information).

Getting a handle, the use of program resources: This is the “big” problem. In smaller firms, the number of vendors that an outsourcer uses may be in the low thousands. When global organizations are involved, the number can quickly skyrocket into the tens of thousands. In either case, this scale instantly overwhelms the resources your company can make available for controls assessment and relationship management.

The OODA Loop can be key to gaining a foothold, starting with documenting the potential impact that each type of outsourced service can have on your company. Typically, this entails review of several important factors that can impact business functionality and resiliency. Those factors can be seen where:

  • The inherent risk posed by a given service or product may not match the residual risk and the actual potential impact to your company.
  • Procurement’s view of the total spend on a given vendor exceeds a given threshold.
  • Concentration risk is posed by use of a given vendor or single source vendor.

A better way to understand the impact to your company is to understand your metrics, which you can refine quickly by employing the OODA Loop to determine which metrics provide useful feedback and which do not. Some less mature programs view indicators using such terms as “sensitive information,” which may be internally defined and/or defined by regulatory guidelines or industry standards. But this approach still means that you may be falsely looking at a single metric (i.e., sensitive information) without refining that metric for the actual tie between criticality or impact from a given vendor and that vendor’s access to the information involved in the relationship.

What would be the financial impact to your company if the confidentiality of that sensitive data was breached? How do you calculate that? In Part 1 of this series, I recommended the use of a model that provides both qualitative and quantitative evaluation. In Measuring and Managing Information Risk: A FAIR Approach, Jack Freund and Jack Jones examine the Factor Analysis of Information Risk (FAIR) Model approach to risk analysis. This method adopts a standardized process with guided scoping so that you ask the ‘right’ questions in developing your risk scenarios across a range of risk probabilities and types. The result is a calibration of risk across your organization, from which risk managers can gain meaningful context and develop actionable metrics for TPRM assessments, including those used in continuous monitoring.

For example, if you share 1,000 records of customer data with one marketing company and you have a second company that you share a million records with, both companies are handling high risk “sensitive information.” But using the more limited “sensitive information” metric as criteria for vendor risk rating covers only one factor in determining the potential impact to your company. While both vendors handle customer data, clearly the vendor that has access to a million records poses a significantly greater confidentiality risk for your company. The cost involved per record and the cost of your company’s reputation are both major metrics in the case of the second vendor.

Applying this type of focus gives you the ability to make better use of existing resources so that you can acutely focus on the most vulnerable, high risk vendors in your processes.

Recommendations: Look at your processes and examine them in retrospect on an ongoing basis. TPRM is not “one and done.” You have to revisit the processes, policies, procedures and the criteria (metrics and thresholds) that you use to guide analysis. Revisit audit findings that require remediation and contract negotiations that require exceptions approvals, as these are good guideposts for improving your program.

Most importantly, the sheer volume of risk management means that you must understand and document the needs in your company’s unique ecosystem, and then apply continuous improvement to your process.

Next Steps: The first article in this series covered examining your TPRM program’s objectives. The remaining articles in this series will cover:

  • Examining your strategy:
    • Controlling your TP risk landscape.
    • Optimizing your assessment efforts.
    • Contracts and contract language.
  • Treating third parties as trusted and valued partners.

Bob Maley, CTPRP, CRISC is an award-winning senior leader in information security and a strategic thinker with experience as an information security strategist designing and building information security programs for PayPal Holdings, the Commonwealth of Pennsylvania, and for the healthcare sector.

[1] Freund, Jack. & Jones, Jack. Measuring and Managing Information Risk, A FAIR Approach. Butterworth-Heinemann. 2014.

To read part one of this report click here.