Third Party provider

As a grown issue, third party management is finally becoming priority in companies. In 2019, 44% of companies experienced significant data breach by a third party vendor*?

Most regulations do not consider risks coming from vendors. NIST (NIST 800-53, NIST 800-161 and NIST CSF) has third party management as one of its domain families for over a decade. Brazil is outstanding in his BACEN4893 regulation which takes third party management to another level. Requiring basic and intermediate controls to be in place from the vendor as well as an ISMS management. It goes as deep as to require independent audits from partners.?

Mexico also included such requirement in their IFPE regulation:(?https://www.dof.gob.mx/nota_detalle.php?codigo=5610487&fecha=28/01/2021#gsc.tab=0).??Which is aimed at Fintechs.?

Since before the kick-off of GDPR, third party was already a topic to lose your hair over, back in 2017**, I myself know my share of people who were compromised over a third party provider and the worse thing is, as years pass by, we lose track of how much data they actually access.?

Make sure you:?

• Evaluate your provider (Risk assessment)?
• Map the connections of your third party provider?
• Map accesses and apps?
• Understand their scenarios?
• Have a good relationship with their CISO?
• Include "third party compromise" in the incident and response management process?
• ...and Data mapping, data mapping, data mapping.??

?Source:??

*https://panorays.com/blog/third-party-cyber-risk-6-facts-every-ciso-should-know/?

**https://aravo.com/blog/the-eu-gdpr-third-party-risk/?