Third Party Risk Management (TPRM)
Third Party Risk Management (TPRM) is the process of identifying, assessing and controlling or mitigating the risks associated with outsourced critical functions, services and external parties.
In short, TPRM is the management of risks arising from third parties, also called vendors, suppliers, contractors and service providers.
Third party risks can be further categorized as:
- Operational risk
- Information security risk
- Regulatory risk
- Financial risk
- Strategic risk
Since third party relationships are critical to the business, managing their risk is equally important to safeguard the organization. Every organization depends on third parties for some service or support.
In some scenarios, those vendors in turn use sub-vendors to provide the service. These are known as fourth parties.
This article focuses on third party assessment. During the engagement, the third party has some degree of access to the primary organization, its information systems and its confidential data and information.
Many different kinds of data and information may be shared, with or without consent, such as proprietary or confidential business information; personal data (name, address, mobile number); employee data and employee benefit information; financial data, bank account information and credit/debit card data; organization insider information; IP addresses, locations and system configurations; software source code; access control lists; network configuration data; customer and corporate customer data; internal reports; and passwords, PINs and login credentials.
So if an incident such as a data breach, cyber attack or data theft occurs in the third party's environment, it also creates a threat to the primary organization. It impacts employees and resources as well, which brings reputational damage with it.
Key Components of TPRM
- Risk Assessment
- Due Diligence
- Contractual Safeguards
- Ongoing Monitoring
- Incident Response
The ISO/IEC 27001 standard has supplier relationship clauses which say that each organization should identify and document, in one place, its vendors' names and the type of service they provide. The type of information access that each supplier needs must also be recorded. A Non Disclosure Agreement (NDA) needs to be signed between the organization and its suppliers/vendors, and a supplier agreement shall be established.
The supplier agreement should contain at least the items below:
- Description or list of the information to be provided or the access rights granted
- Classification of the information based on its criticality (Restricted, Confidential, Internal, Public)
- All applicable legal and contractual requirements
- Acceptable usage policy
- Scope or service description
- Applicable information security policies
- Right to audit the supplier's processes and controls
- SLA terms and penalty conditions
- Many more, to be decided by the organization and its committee
During the onboarding phase of a third party or vendor into an engagement, an initial assessment (due diligence activity) should also take place. This can include end-to-end questionnaires that need to be answered, with the answers analyzed to determine the risk in the engagement.
A few sample assessment questions are listed below:
- Is a BCP plan ready for the engagement?
- What will the financial impact be if a breach happens?
- Is there any history of data breaches?
- How many employees are there in the organization?
- What are the infrastructure and scope?
- Which applications does the supplier want to provide support for?
- What is the data retention policy?
- How is data managed, stored and deleted?
- How is the hosting service carried out?
- How does the vendor access data, and through which medium?
- Are technologies such as DLP, encryption, HTTPS and FTPS in use?
- Has an escalation matrix been drafted?
- Is an information security policy in place?
Based on the answers, the risk can be calculated and a vendor profile built. These assessments should be carried out for vendors at least at a set interval, to check whether any change has occurred in people, process, technology or location. Similarly, risks can be classified as Critical, High, Medium or Low for each vendor.
When a higher risk is calculated, a risk assessment follows and the vendor is assessed repeatedly to determine threats and vulnerabilities, and the impact should be analyzed, because threats and vulnerabilities change over time. The risks identified must be closed in the remediation or risk treatment phase and then continuously monitored.
During the risk treatment or remediation phase, there are many controls which can be considered and followed from standards, guidelines and the organization's own policies.
A question may come to mind: what if a vendor does not agree to follow the TPRM process or refuses to sign the NDA? The answer is simple: never sign a contract with that vendor and choose an alternative vendor; there are many available in the market.
If no alternative is available, then the SLA and contract should be revised and accepted by both parties as per applicable law.
Examples of TPRM tools that help organizations manage third party risk are:
- RSA Archer
- OneTrust
- ServiceNow
- SignalX
- Aravo
- Prevalent
Below is an illustration of the TPRM process (image not reproduced here; image source: mazars.us).
That is all about TPRM basics, though it is a very vast domain with a large future scope. All TPRM processes fall within the Risk Identification, Risk Assessment or Evaluation, Risk Remediation and Risk Monitoring phases of Third Party Risk Management. If you have any comments or suggestions, please provide them.
You can refer to the links below for more information:
https://signalx.ai/blog/11-best-tools-for-third-party-risk-management/
https://www.onetrust.com/blog/third-party-risk-management/
Thank you.
-DR