In an average organization, a considerable part of the work is outsourced to vendors and suppliers (third parties). Third-party risk management (TPRM) is the process by which an organization manages its suppliers and the risk it takes on through them.
It usually starts with the vendor who provides the hardware and networking equipment, followed by the operating system on each computer and the software installed on workstations and servers. When we look at business processes and functions, there is a visible trend to outsource to cloud providers. So a third-party vendor may be involved at every step of the way.
The organization has to manage all business-critical data and information that flows through its vendors and suppliers. The business goal is to protect the critical and confidential data that allow the business to profit and grow, while managing the resulting risk exposure. This is the main goal of TPRM. On top of this, an organization often faces regulatory and compliance pressure to establish risk management procedures and documentation.
With this context in mind, this post is meant to help organizations get started in managing the risks linked to their vendors and suppliers. As this can become a complex project, we will keep it simple and distinguish between critical and non-critical suppliers.
On a high level we can differentiate between:
● Critical - a key supplier, vendor, provider or host that is core to the operation of your organization and is responsible for critical and confidential data.
● Non-critical - all third parties that support business processes but without which your business can still function, and that pose no threat to business continuity.
Next is understanding the potential impact these two types of third parties can have on your organization. To get this clear, it is key to know how your organization outsources risk to its vendors and suppliers. This is your current TPRM, as it stands today. It is not a one-off effort but an ongoing process that needs to become consistent and mature. TPRM done right lets you express levels of confidence about risk exposure to business decision-makers.
When we focus on the impact of critical vendors and suppliers, examples of disruption to business continuity include cyber-attacks or data breaches, GDPR fines or other types of fines, and the resulting reputational damage that can lead to business loss.
As daunting as the impact may seem, all organizations face the same context, which is another reason why this is a critical process to take control of. Once you have identified the critical and non-critical vendors and suppliers, there are a few things to keep in mind:
● Focus on the critical ones and make sure you have a clear view of the types of risks that are under your control, and what can be transferred or avoided.
● Consistently improve the risk review processes, including your risk assessments and review procedures.
● Non-critical suppliers can become critical with a simple contract change, a new service or a new product. Follow them automatically through security ratings, monitor for changes, and use an onboarding questionnaire followed by a yearly or bi-yearly questionnaire.
● Review more than once a year to follow up on open risks, vulnerability scan results, penetration test results, or automated security rating scans.
If you need help getting a clear view on your critical and non-critical third-parties, Ceeyu can support your organization to get started.
If you would like to know more, get in touch at [email protected]
A cybersecurity professional experienced in cross-functional roles, bridging between top management, risk functions, IT and security operations teams, with a knack for TPRM and digital footprint.