3 min reading Tue Oct 26 2021
Assessing the risks of your third parties, part 1: an introduction.
My previous articles were mainly focused on the risks introduced by your digital footprint. I've briefly touched on the non-controlled assets, or assets managed by third parties, without delving too deep into third party risk management.
Managing the risks of working with third parties goes far beyond some shared assets on your digital footprint. Think about shared processes, shared internal assets, data your share with your suppliers (be it confidential or not), databases, transactional systems, consultant's laptops on your network, or even physical access.
There are several layers of gaining a risk-based view of your third party. Aligning with the list above we can already enumerate;
- Shared external assets
- Shared internal assets
- Shared data
- Shared processes
- Shared access
The shared external assets are the web applications and their underlying servers managed and hosted outside your environment, the DNS and email systems, and other systems composing your digital footprint. For more information on these systems, I'd like to refer to one of my previous posts: the impact of your supply chain on your digital footprint and how to check and maintain a view on the security and risk exposure of your digital footprint. The latter article described setting up an automated system of enumerating external assets and deriving a risk exposure severity.
But let's focus on the other items on the list for this article. Solely enumerating and assessing these external assets will not provide you with that in-depth risk view of your supplier. Ideally, you have a process or a tool to help you determine how you work with them, what assets or other resources are shared with them, and what the risks are. You'd like to set up a system where you can not only get a view of these risks, but also start managing them.
Sending out self-assessment questionnaires to your third parties might be the most effective way to achieve this. The idea behind it is pretty simple; create a list of questions you'd like your supplier to answer (as objectively as possible) so you know where the strengths and weaknesses of working with them lie and where you need to focus your attention.
Unfortunately, this is easier said than done. Creating the most ideal questionnaire is very difficult. You need a good understanding of what your supplier does (and doesn't!), how critical their services are, and what you effectively want to know (cutting through the noise and distractions). Sending out the questionnaire via email and keeping track of their status requires quite some resources. Next, getting suppliers to spend a decent amount of time to reply and to provide relevant and quality answers. You need to take into account you're not the only one sending them questionnaires, there's a certain level of questionnaire-fatigue with mid to large-size suppliers which will make your task even more difficult. Next, when you get the completed questionnaire back you'll need to spend time reviewing and assessing it. And, finally, you re-iterate this process with your supplier and start working with them to rectify gaps and re-evaluate accordingly.
Lots of companies manage the above process with a spreadsheet, containing their questionnaires, and email, used to send out and track the progress with the different suppliers. Needless to say that this approach is prone to mistakes, costly on overhead, and difficult to standardize and automate. In the next couple of articles, I'll deep dive into a more standardized process, creating ideal questionnaires, and facilitating the follow-up of open risks. Stay tuned!
Jimmy is the founder, CEO and CTO of Ceeyu. Prior to founding Ceeyu, Jimmy was responsible for cybersecurity programs at large financial institutions and consulting company EY. Jimmy started his career as a security engineer. His duties included installing and managing firewalls, scanning infrastructure for vulnerabilities, and performing pen testing and ethical hacking.