Even if your business partners' security policies and processes were thoroughly reviewed at the beginning of your relationship, third-party security risk management requires regular reassessments to ensure the appropriate levels of security, privacy, compliance, and resiliency are being maintained.
How Often to Reassess Security Risk
Experts agree that signing a business agreement is not the end of managing third-party risk-it's the beginning. The third party's security posture and the general state of the business relationship should be reassessed at least once a year, even though many third parties prefer a three-year contract term. Reassessments should also occur after contract changes, whether there is a change in the scope of the agreement or a material change in the IT being used by either party. The third party should also be examined when problems such as a security incident or a material audit deficiency arise.
In recent sessions of the Next-Generation Security Summit, third-party security risk was a particularly hot topic, and security leaders from multiple industries shared their knowledge and experience in this area. According to their insights, the following are four of the top things to look at during a reassessment:
1. Independent Reviews of the Third Party
These include business and financial reviews, as well as technical reviews of physical, administrative, and technical security controls. There are several types of objective and independent reviews, such as the Statement on Standards for Attestation Engagements (SSAE 16, previously known as SAS 70); Service Organization Controls (SOC 1 and SOC 2); ISO 27001:2013, a certification that is specific to security controls; ISO 22301:2012, a certification that is specific to business continuity; and independent penetration testing of networks and applications.
2. Evidence-Based Reviews
In addition to the results and certifications of independent reviewers, be sure to ask for the third party's current disaster recovery (DR) and incident response (IR) plans and procedures and the latest testing results.
3. Review of Existing Controls
These include physical, administrative, and technical security controls; privacy policies related to collection, use, storage, access, correction, and deletion of personal information; operational plans; and contingency plans, including DR and IR. With respect to cloud-based applications that are hosted by a third party, this also includes a review of authentication and authorization; configuration and management; encryption and other methods of data protection; validation of data input; session management; and real-time monitoring and alerting. Be sure to ask for a detailed outline of any changes that have been made to these controls since the time the original audit was conducted.
4. Review of Interaction and Communication Procedures
Despite best efforts by both parties and their desire for a smooth and successful onboarding process, many early-stage activities will inevitably need adjustments as the relationship progresses. A successful partnership requires ongoing review of technologies; "call trees" for handling anomalous situations; handoff and synchronization procedures on who does what and when; and staff authorizations, among other things.
The strategic objectives of your organization are going to evolve and change, and relationships with third parties need to evolve and change along with them. These periodic reassessments of third-party relationships should not be limited to the unrewarded risks of security, privacy, and compliance-they should also be used to ensure third-party relationships are optimally supporting the rewarded risks of innovation, productivity, and growth that the organization is trying to pursue.