How Onsite Assessments fit into your TPRM Strategy
TPRM and Third-Party Vendor Assessments
Third-Party Risk (TPR) is a major concern for many organizations, especially those that are required to demonstrate compliance with strict industry regulations, such as financial institutions. Vendor assessments are a great first start for organizations trying to kick start their Third-Party Risk Management (TPRM) program. Assessments are critical for understanding the risk you’ve inherited from your vendors, and for creating a plan to mitigate that risk. Every organization’s risk profile is different depending upon regulatory requirements, risk tolerance, and the type of data that requires protection.
Why choose an Onsite TPVA?
Onsite assessments are one type of Third-Party Vendor Assessment (TPVA), and can be a great fit to evaluate an organization’s high-risk risk vendors. This type of assessment is designed to assess vendors that process, store, or transmit critical data and information, such as personally identifiable information (PII). As part of the onsite assessment process, the assessor meets with the vendor to evaluate the vendor’s policies, procedures, and in-place controls. It is critical that the assessor has a foundational understanding of the data flows (how is data transmitted between the vendor and your organization – SFTP, API calls, secure email, etc.). An understanding of the data flows helps determine the scoping of the relevant controls for the success of the assessment.
We are often asked what organizations can do to ensure the highest rate of success with their vendor assessment processes. Below are some recommendations to help you get started with an onsite assessment in support of your Third-Party Risk program:
Identify stakeholders and their needs
Based on the size and complexity of your organization, stakeholders that may have an interest in the success and effectiveness of your TPRM program may include the Board of Directors, Internal Audit, Information Technology, Information Security, Sourcing or Procurement, Business Line Partners, Risk Management, Regulators, and even potentially your customers. Start by understanding what your stakeholders need and how they potentially will use or act on the results of a TPVA. Are there stakeholders that are interested in the details of the vendor assessment results or a summary report? Knowing your stakeholders and their needs is a key pillar to a successful TPRM program.
Foster relationships
Don’t underestimate the power of developing relationships with both internal stakeholders, as well as your vendors. At the end of the day, every organization is working towards the same goal of managing the risk and ensuring the protection of sensitive data. However, every organization has different risk profiles and risk tolerances. We find it is usually more about educating the stakeholders on the vendor assessment process that helps us achieve the overarching goals of the TPRM program — turning the internal stakeholders and vendors into supporters and sometimes even fans.
Ask the right questions
Learning to ask the right questions is critical to an assessment’s success. In addition to asking the right questions, it’s important to follow up and dive into the details on relevant topics. The assessor should be asking the right questions to understand the full scope of the vendor’s environment (I.e., network architecture, use of data center colocation providers, use of Cloud Services, application security controls, database controls, cryptographic controls, use of managed service providers, etc.). For example, there’s a big difference between asking a vendor if they use Windows, as opposed to asking what operating system they use for their server environment. If both Linux and Windows are used, the answer to the first question is still yes, whereas the second should yield a more complete picture. This example might be overly simplistic, but the approach is the same — open-ended questions typically produce better results.
Understand the technical landscape
Vendor assessments typically have an information security bend to them. As such, it is imperative that an assessor has a better than average knowledge base of security best practices. Like most any other industry, Information Technology (IT) and Information Security (IS) professionals are prone to the use of acronyms as part of a normal everyday discussion (e.g., SIEM, DNS, DB, OS, CASB, SDLC, IR, DR, DLP, AES, DAST, WPA2, FW, MSP, MFA, etc.). If you are not maintaining an ongoing awareness of industry trends, then you will be left behind and, as a result, not be able to maintain a level of credibility with those IT or IS professionals that you are interacting with as part of the vendor assessment.
Interested in learning more about Third-Party Vendor Assessments and how MindPoint Group can help you improve your TPRM program? Contact the MindPoint Group team to learn how we can help you develop a program from the ground-up or simply enhance your existing program.
Resources:
https://www.fdic.gov/regulations/resources/director/presentations/dallas/2013-Third-Party-Risk.pdf
Contributors:
Kelley Grogan