By Meghan Schrader
The level of risk related to your third parties is frequently changing, making recertifying and reassessing of key importance.
Recertification relates to reviewing the third party’s responses to the Inherent Risk Questionnaire (IRQ) as well as noting any changes to their profile, such as changes in legal name, ownership, locations, or the like.
Reassessment relates to reassessing your third parties after the initial assessments have been completed and the contract is signed.
Organizations are continuously innovating, enhancing, and changing business processes. With this comes changes in third party risk. Practitioners may start to send a third party more data, use more or less of their services, or even change how they are using a third party’s products/services. In parallel, third parties may change ownership, platforms, locations, and/or implement enhanced controls.
At the same time, the threat landscape grows in complexity with events such as pandemics and social/political unrest needing to be factored in.
In response to all of these changes, innovation, and enhancements, organizations must continually evaluate their third parties to ensure they remain apprised of their risk landscape and work to remediate/mitigate certain risks.
But where do organizations start with re-assessing their third parties?
Begin with recertifying the Inherent Risk Questionnaire (IRQ).
The IRQ should drive your due diligence efforts as it takes into account the level of risk your third party poses before controls are considered. The IRQ can also determine the cycle time for your reviews. Therefore, it is a good idea to determine if responses remain the same or if the IRQ should be updated.
At this time, you can also recertify the third party’s profile (or the general information you maintain for the third party) to note any changes in location, ownership, and/or processes.
Based on recertification of the IRQ, determine which assessments are in and out of scope.
For assessments previously completed that remain in scope, review past responses and risk to determine if a full assessment should be re-sent (if high risk was noted) or if responses from the previous can be sent and new evidence can be obtained (if low risk was noted).
Regardless, it is always a good idea to re-test certain controls and obtain new evidence to support those controls.
You can also determine from the previous assessment if there are any outstanding items that remain (I.e., are findings still open).
Last, determine if new questions should be added to the current assessment based on your organization’s continuous improvement efforts.
If a new assessment should be completed, ensure the third party understands why the new assessment is being requested and provide them with ample time to complete the assessment. Once all assessments are completed, determine the residual risk of your third party (or the risk once controls have been evaluated). The residual risk should determine the level of due diligence you will perform within the next year and if any follow-up should be considered.
There are many assessments that can be provided to your third party on a continual basis. Assessment types and how often they are completed should be driven off the IRQ. In addition, the level at which they should be completed (light vs. heavy version) should be driven off the residual risk of a third party. Here are just a few assessment types that can be completed within the Continuous Monitoring (Reassessment) phase.
Information Security Risk Assessment – May include application, data, and network security, Software Development Lifecycle (SDLC), and Service Organization Controls (SOC) 2, Type II report reviews.
Note: TPRA is currently working on an Information Security Questionnaire template in their Focus Group. Find out how you can get involved on our website under Practitioner and Vendor Events.
Privacy Impact Assessment – Includes review of data management practices, as well as compliance with privacy regulations.
Financial Assessment – Involves evaluating the financial viability of an organization.
Disaster Recovery and Business Continuity (DR/BC) – Covers techniques and processes for continuing business performance following a disaster.
Physical Access Controls – Determines potential threats to properties, objects, or individuals and the controls to mitigate said risk.
Regulatory Assessment – Involves evaluating compliance activities for your third party. Examples include ensuring compliance with Payment Card Industry (PCI), HIPAA, and Gaming regulations. As new regulations are published, it is important to review if a third party is impacted by the regulation and if they have a process in place to comply with said regulation.
Negative News Monitoring – Monitoring negative media content by reviewing any existing media concerning a third party can help signal a potential threat—whether reputational or security related—to your organization. Subscribe to certain alerts, such as google alerts, to determine if there are certain impacts to your organization.
Passive Monitoring – Risk Rating / Intelligence tools scan the perimeter of third-party networks and look for public facing vulnerabilities. These scans are non-intrusive and can provide you with real-time data on a third party’s vulnerability management program, among other activities. Examples of these tools include, but are not limited to, RiskRecon, BitSight, Security Scorecard, BlackKite
Fourth Party Reviews – Reviewing the controls in place for your third party’s material suppliers is also important, especially if they will have access to your data.
Offshore Reviews – Involve reviewing the controls in place to mitigate additional risk an offshore location may pose to your organization. You may also want to consider the geo-political environment for that location as well.
Last, and in response to the pandemic, you may also want to perform an Operational Resiliency assessment of your third party that not only looks at their Incident Response procedures, but also reviews your own procedures to ensure your third party is incorporated into them.
From a Continuous Monitoring standpoint, there may also be times when activities trigger specific assessments not generally performed within your normal due diligence efforts. Certain changes in the relationship and/or way in which the product/service is leveraged may trigger ad hoc reviews.
Such trigger examples include, but are not limited to,
Change in location of services,
Change in risk rating (risk rating/intelligence tool),
Change in ownership of the third party,
Change in product/service (may now be cloud-based vs. On premise),
Change in data sent/stored,
Change in contract clauses, and
An event or incident occurring.
These triggers allow you to determine if your organization should take a second look at the third party and/or if another review needs to be performed.
In addition to the assessments completed, it is best practice to obtain evidence to validate specific controls are in place and operating effectively.
Evidence items you may want to obtain include, but are not limited to:
Penetration Test Results
Independent Attestation – Includes Soc 2, Type II Reports.
Policies and Procedures
Proof of Key Controls to Evidence Effectiveness
Vulnerability Report/Evidence of Patching
Continuous Monitoring Report
DR/BC Plans and Testing
Employee Counts – Includes Key Person Dependency and Any Significant Changes to Staff Levels that have Occurred.
Network Diagram – Includes Cloud Architecture and A Data Flow Diagram.
Background Checks – Includes Policies and Samples of Actual Background Checks.
Employee Access Reviews
Training – Includes Broadscale and Specific/Targeted Training.
Model Risk – Includes Validation of Models.
Questions to Ask
To enhance your relationship with your third party, there are a few questions you will want to ask yourself to ensure you collect certain pieces of evidence at the right time. Those questions include, but are not limited to:
For the evidence you are collecting, what is the scope? This ensures you only collect evidence for the product/service the third party is providing to you, and not for other products/services provided to other clients.
Are you collecting it at the same time each year? (i.e., do they perform a pen test at the same time each year so that you know when to collect it?)
Is the evidence you are collecting noted within the contract to ensure you can collect it?
There may be times when a full assessment is not required if specific evidence items can be obtained for testing. There may also be times when you want an independent test performed for key controls to ensure it is thoroughly reviewed (I.e., SOC 2, Type II report).
In summary, it is important to continuously evaluate your third party to ensure you remain aware of the risk landscape impacting your organization. Ensure you are recertifying your third party’s profile and IRQ to note any changes within the relationship related to your third party. This should then drive the assessment process and cycle times for which reassessments are completed.
Last, it is important to obtain evidence for specific, higher risk controls you evaluate to determine if said controls are in place and operating effectively. It is not best practice to only send your third party a questionnaire.
All in all, re-assessing your third party will ensure the impact the third party has on your organization is minimized and strengthen the relationship between you and your third party.