Managing Third-Party Risks

Managing third-party risk is crucial for maintaining the integrity of the cybersecurity chain. It requires a detailed understanding of the vulnerabilities that third-party vendors can introduce and of the strategies needed to mitigate those risks effectively. This article is intended as a practical guide for organizations on safeguarding their data and systems against third-party vulnerabilities.

In today's digital ecosystem, managing third-party risk has become a critical facet of cybersecurity strategy for organizations of all sizes, from nimble small and medium-sized businesses (SMBs) to sprawling multinational corporations. The increasing reliance on external vendors, service providers, and contractors, collectively referred to as the supply chain, has expanded the attack surface dramatically and exposed every type of business to heightened risk. SMBs, often limited by resources, may be particularly vulnerable because their third-party partners follow less stringent security practices. Large companies, despite better-equipped cybersecurity infrastructures, face complexity from the sheer volume and diversity of their third-party relationships.

Some quick assumptions and out-of-scope items. This article assumes that you already have strong security governance that aligns with the overall goals and objectives of the business, that security policies and their associated standards, procedures, baselines, and guidelines are in place, and that you have already conducted your risk management process within security and, if you are a large corporation, at the enterprise level.

Understanding and mitigating these risks is not just about protecting data; it's about safeguarding business continuity and maintaining trust in an era where a single breach can lead to catastrophic outcomes. This article delves into the strategies both SMBs and large corporations can employ to fortify their defenses, creating a robust framework to manage the cybersecurity risks introduced by third-party engagements. By aligning third-party risk management with overall cybersecurity policies, businesses can achieve not only compliance and security but also a competitive edge in today’s risk-laden digital landscape.

Understanding Third-Party Risk

What are third parties? Essentially, they are any external organizations you engage to perform services for your organization because it is not practical or economical to handle those tasks in-house. Third parties include vendors, suppliers, contractors, and service providers. The first step is to determine how many third-party entities your business currently relies on. This task may be straightforward for small and medium-sized businesses (SMBs), but it becomes significantly more complex for large corporations with numerous third-party relationships.

  • An important related topic, though not the focus of this article, is the Software Bill of Materials (SBOM). An SBOM is a formal inventory of the components that make up a piece of software, including open-source and third-party libraries, and records where each component came from. SBOMs are critical to software supply chain risk, but they require extensive discussion and could be the subject of multiple articles.

Understanding your third-party vendors should be an integral part of your risk management process. This involves regularly assessing the risk each third party poses to your organization, ensuring they comply with your security standards, and maintaining transparency in their operations.

Contractual Agreements

Third-party risk management follows the same pattern as your general risk management process. The first step is to identify ALL third-party entities and classify them by the service they provide to your business and by what would happen if that service became unavailable. For example, if a third party handles payroll and goes down, that vendor is a high-criticality third party. You also need to evaluate each third party's compliance standards, security policies, and past security performance.

Develop thorough Service Level Requirements (SLRs) and Service Level Agreements (SLAs), and make sure your security leaders are involved in this part of the negotiations. An SLR outlines three key elements:

  • Detailed services that will be performed
  • Detailed service level targets, including security targets
  • Mutual responsibilities

A key point to understand: if you partner with a Cloud Service Provider, for example, you can delegate the responsibility for implementing the specific security controls required by compliance or law, but accountability for protecting your internal data and processes can never be delegated. The owner of the asset (data, process, or system) always remains accountable.

Once a third party is selected to perform a given function within the organization, you use the SLR to create the SLA, which is attached to the contract as an addendum and is therefore enforceable. SLAs include:

  • Service Scope: Clearly defined services that the third party will provide.
  • Performance Metrics: Specific performance targets, including uptime, response times, and security measures.
  • Monitoring and Reporting: Regular monitoring and reporting protocols to ensure compliance with the agreed standards.
  • Remediation and Penalties: Consequences for failing to meet the agreed service levels, such as penalties or remediation actions.
  • Incident Response: Ensure your incident response plan includes scenarios involving third parties, and that the SLA defines the third party's obligation to notify you of security incidents and within what timeframe.

The last part of the SLR and SLA is a reporting mechanism and cadence. Schedule regular updates from your third party, in person or virtual. These reviews are key to confirming that the third party is meeting the requirements of the SLR and to deciding whether the SLA needs updating in light of changing requirements and risks.
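The classification step above (tiering each third party by the data it handles and what happens if it is unavailable) and the SLA monitoring step (measuring availability against the agreed target and reporting on it) can both be made concrete in a small script. The following is an added example, not code from the original article: the vendor inventory, outage records, and the three-tier criticality scheme are all constructed and hypothetical. It merges overlapping outages and clips outages that straddle the reporting period so downtime is not double-counted or over-counted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Vendor:
    name: str
    service: str
    data_classification: str       # public | internal | confidential | restricted
    max_tolerable_downtime_h: int  # hours the business can run without this service
    availability_target: float     # SLA target agreed in the contract, e.g. 0.999


@dataclass(frozen=True)
class Outage:
    vendor: str
    start: datetime
    end: datetime


SENSITIVE = {"confidential", "restricted"}


def criticality_tier(v: Vendor) -> int:
    """Hypothetical tiering scheme: 1 = critical, 3 = low. Either the data
    handled or the maximum tolerable downtime can push a vendor into a higher tier."""
    if v.data_classification in SENSITIVE or v.max_tolerable_downtime_h <= 24:
        return 1
    if v.data_classification == "internal" or v.max_tolerable_downtime_h <= 72:
        return 2
    return 3


def _merge(intervals):
    """Merge overlapping (start, end) intervals so overlapping outage tickets
    for the same vendor are not counted twice."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def availability(outages, vendor: str, period_start: datetime, period_end: datetime) -> float:
    """Measured availability of one vendor over the reporting period.
    Outages that straddle a period boundary are clipped to the period."""
    clipped = []
    for o in outages:
        if o.vendor != vendor:
            continue
        s, e = max(o.start, period_start), min(o.end, period_end)
        if s < e:
            clipped.append((s, e))
    down = sum((e - s for s, e in _merge(clipped)), timedelta())
    return 1 - down / (period_end - period_start)


def sla_report(vendors, outages, period_start, period_end):
    """One row per vendor with its tier, measured availability and whether the
    SLA target was met; most critical vendors and worst performers first."""
    rows = []
    for v in vendors:
        a = availability(outages, v.name, period_start, period_end)
        rows.append({
            "vendor": v.name,
            "tier": criticality_tier(v),
            "availability": round(a, 5),
            "target": v.availability_target,
            "sla_met": a >= v.availability_target,
        })
    return sorted(rows, key=lambda r: (r["tier"], r["availability"]))


# Constructed sample inventory and outage log (not real vendors or incidents).
VENDORS = [
    Vendor("PayrollCo", "payroll processing", "restricted", 24, 0.999),
    Vendor("CloudHost", "IaaS hosting", "confidential", 4, 0.998),
    Vendor("SwagShop", "branded merchandise", "public", 720, 0.95),
]
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)  # 31 days = 744 hours
OUTAGES = [
    Outage("PayrollCo", datetime(2024, 3, 10, 9), datetime(2024, 3, 10, 11)),   # 2 h
    Outage("PayrollCo", datetime(2024, 3, 10, 10), datetime(2024, 3, 10, 12)),  # overlaps: 3 h total
    Outage("CloudHost", datetime(2024, 2, 29, 22), datetime(2024, 3, 1, 1)),    # straddles: 1 h counted
    Outage("SwagShop", datetime(2024, 3, 20), datetime(2024, 3, 21)),           # 24 h
]

if __name__ == "__main__":
    for row in sla_report(VENDORS, OUTAGES, PERIOD_START, PERIOD_END):
        print(row)
```

In the sample data PayrollCo is Tier 1 and misses its 99.9% target (three hours of downtime out of 744), CloudHost is Tier 1 and meets its target, and SwagShop is Tier 3 and meets its much looser target. The same report, fed from real outage tickets, is what you would bring to the recurring SLA review described above.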

Risk Management Framework

You can leverage numerous risk management frameworks to understand the key elements of third-party risk management. Here I'll discuss the NIST SP 800-37 Risk Management Framework (RMF), the standard used across the US federal government and widely adopted elsewhere.

Key Elements of the RMF at a High Level

Prepare

Establish a risk management strategy and a solid foundation for the risk management process. Identify and engage key stakeholders and define the scope of the risk management efforts.

Categorize

Identify all your assets (data, systems, processes) along with their owners so they can be properly categorized. Evaluate each asset through the lens of the CIA Triad (Confidentiality, Integrity, Availability) and assign an impact level (Low, Moderate, or High) for each property; the RMF uses this categorization to drive control selection in the next step.

Select

Choose appropriate security controls based on the value of the assets and their overall impact on the business. For example, sensitive customer data might require advanced encryption and strict access controls.

Implement

Deploy the selected security controls and document all actions taken. For instance, if multi-factor authentication is chosen as a control, ensure it is implemented across all relevant systems and document the process.

Assess

Evaluate whether the selected and deployed security controls are functioning as expected. If they are not, take corrective actions and document the fixes. Regular assessments might include penetration testing and security audits.

Authorize

Obtain senior management approval to proceed, weighing the potential and residual risks. Weaknesses that remain open, and the plan and timeline for fixing them, are tracked in Plans of Action and Milestones (POA&Ms), which inform the authorization decision.

Monitor & Review

Continuously monitor the security controls and the overall risk environment. Regularly review and update the risk management processes to adapt to new threats and changes in the business environment. For instance, periodic security reviews and audits ensure ongoing compliance and risk mitigation.

By following the National Institute of Standards and Technology (NIST) SP 800-37 RMF, you can systematically manage third-party risks and enhance your organization's security posture.

Call to Action for SMB

SMBs can leverage a good portion of the above material to minimize their third-party risk, but the key is to train and educate your employees on cybersecurity threats and their potential impact. Yes, there is a lot of noise out there, but start with local government programs and local cybersecurity vendors to help you navigate the cyber threat landscape. Why these first? It's simple: lower cost. Below are additional items to consider.

  • Awareness Training: Provide regular training for employees on third-party risk management policies and procedures. Ensure they understand why vendor risk matters and how to identify potential issues.
  • Data Handling: Will the third party handle sensitive data for you? What is their security posture? Remember, at the end of the day you are still accountable for your customers' data.

Conclusion

To minimize the risk associated with third parties, we need to apply risk management processes to the entire supply chain. It sounds simple but is extremely complex, especially if security is not engaged at the beginning of the procurement process. Cybersecurity, if positioned correctly, is aligned to meet the goals and objectives of the business. We need more business-focused cybersecurity thought leaders to break down the real or perceived silos between security and business teams.

#Cybersecurity #ThirdPartyRisk #RiskManagement #NIST80037 #DigitalEcosystem #BusinessContinuity #CyberThreats #CTIRevolution #CybersecurityStrategy


Jelle Groenendaal

Risk & Resilience Professional | Co-founder 3rdRisk

9 months ago

Nice article, fully agree. I would like to add that technology, such as www.3rdrisk.com, is indispensable to reduce the amount of work involved and optimise engagement.

Nicole Torres

Trauma Informed Burnout Coach | Helping BIPOC leaders break up with burnout! Ready to rewire your brain, heal your body & enjoy SUSTAINABLE SUCCESS? Get started with The Daily Vibe Check, FREE!

10 months ago

So important to address these challenges openly. Thank you for shedding light on this!


More articles by Danny Magallanes, CISSP
