How to implement an effective system to address third-party risk

  • 📰 Gartner_inc


The current processes for assessing third-party cybersecurity risks are ineffective. Gartner analyst Sam Olyaei explains how cybersecurity and IT leaders can implement effective systems to address third-party risk. Read more in CyberSecDive.

Sam Olyaei is a VP at Gartner, where he advises CISOs, CIOs, chief risk officers and non-IT executives on maturing their security and risk practices.

As a first step, security and risk leaders must engage stakeholders to define a policy, identify hazards and promote predefined mitigations.

The second step is to separate low-risk third-party engagements from high-risk engagements. This should be a collaborative exercise with the risk committee or board of directors to determine which cybersecurity risks the organization is willing to accept. To bring it all together, document a high-level policy for third-party cybersecurity risk. This clarifies for business, procurement, IT and other stakeholders which types of third parties warrant investigation, what the expectations are and how their capabilities will be assessed.

Many regulations require the assessment of third-party security capabilities.

If the answer to these questions is no, then security checks may not be needed. If the answer to either or both is yes, then the next step is to determine the necessary mitigations. On the other hand, a third party that stores confidential business data but not customer data, and which does not have access to systems, may fall into a “medium” category and would require a passive perimeter scan, perhaps using a security ratings service.

For instance, procurement can include assessment requirements in engagement requests to vet higher-risk third parties before their functional capabilities are evaluated.

For example, if the identified risk is that the third party does not encrypt sensitive data, potentially exposing sensitive customer records, the action could be for the business to encrypt the data itself through bring your own key (BYOK), or it could be to terminate proceedings with the third party.

Implement a plan for monitoring and reporting
