
Search Results


  • TPRM 101: What Is Third Party Risk Management (TPRM)?

    Welcome to the Third Party Risk Association's signature video series, "Third Party Risk Management (TPRM) 101." This series is informed by our Third Party Risk Management (TPRM) 101 Guidebook, a comprehensive guide to establishing a TPRM program, which is available for free download to all TPRM professionals. The series is meant to be a starting point for those who wish to establish, validate, and/or enhance their Third Party Risk Management Program. Each video walks through one of the six phases of the TPRM Program Lifecycle, which together create a strong TPRM program. But before jumping into the Lifecycle, it is important to first understand the foundations of third party risk management, including basic definitions, risk types, calculating and evaluating risk, and finally, the basics of addressing the risk exposure created by your third parties. "TPRM 101: What is Third Party Risk Management" is Part 1 of this series.

  • Hybrid Work in Offshore Settings

    During the COVID lockdown, the only option many offshore business processing offices (BPOs), like every other business, were faced with was to send employees home to work remotely. Whether it was because their facilities could not implement the requirements for a safe working environment, or because the local government required them to disperse the workforce, it happened. Many organizations scrambled to adapt quickly so that work could continue under pandemic restrictions with minimal interruption, not only for their own organizations but also for the organizations they support. With COVID restrictions now lifted in most countries, the return to the office for Offshore Delivery Centers (ODCs) has begun in many cases. However, these BPOs face the same challenges their customers face in attracting and retaining talent post-COVID, as many workers would prefer to work either hybrid (some days in the office, some at home) or fully remote. If organizations want the best talent and service from their BPO vendors, allowing those vendors to operate in a hybrid or remote setting is going to be a requirement. Many customers are concerned about the risk of data leakage in these hybrid/remote options and are therefore requesting solutions and options that allow remote work while also mitigating the risk to both organizations.

    Risk-based approach

    Why is offshore work considered more risky than onshore work? Many offshore resources have access to sensitive data, yet they are not direct employees of the customer. The distance makes the risk higher because it is not possible to continuously validate, on a daily basis, that work is happening securely and safely. However, not all data risk is the same, which allows organizations to take a more risk-based approach. The first step is educating internal business partners on the risks of certain data sets being sent to or accessed by offshore resources. You can then discuss with business partners what controls need to be in place for each data set to lower the risk associated with that data. For example, development work that only interacts with lower environments, such as Development or Test, and involves no sensitive data could be done remotely and offshore (not in an ODC), as it requires less control. On the opposite end of the risk spectrum, access to credit card data or personal health information (PHI) would require additional controls and monitoring to be in place, or should never be sent outside an ODC.

    Enterprise Security for BPO

    Many customers of BPOs focus only on the security of the service the vendor provides. However, given the interconnectivity they may have with the BPO, they should also review the BPO's enterprise and information security controls. Start with connections: dedicated connections between your organization and offshore BPOs require network devices, which present a weak link. Network device manufacturers regularly release security patches and maintenance releases, so ask the BPO how often they update their network devices. Questions you can ask include:

      • What is their policy for critical security patches, and how do they notify you, as their customer, when these updates and maintenance patches are to be installed? Downtime for these devices must be regularly planned and, when a critical release is required, installed at the earliest possible moment.
      • What is the BPO's Intrusion Detection/Prevention System, and is it adequate?
      • Does the BPO use a security information and event management (SIEM) tool, and does it collect information from all critical systems within the network?
      • Does the BPO have a Data Loss Prevention (DLP) system or tool in place that would detect when an employee or intruder begins to exfiltrate data, or does it only detect a threat actor after they've taken gigabytes?
      • Does the BPO perform cybersecurity awareness training, including an insider threat module?

    Service-Level Security for Customers of BPOs

    Once you've established that the BPO either has adequate enterprise-level controls in place or is remediating toward your security baseline, ask how they are securing the service they provide to you as the customer. If the data is remotely accessed via a Virtual Desktop Interface (VDI) on your own network, how have they disabled activities like copy-and-paste and right-click actions, limited access to only the URLs required to perform the work, and prevented access to personal email and chat? If the data is in a shared cloud environment with the BPO, what controls within the cloud are enabled? Is it a single-tenant or multi-tenant environment? How are access controls managed? Ensure the vendor's revocation of access rights meets your requirements. Look at the connections to ensure they do not allow deprecated versions of Transport Layer Security (TLS).

    End-Point Security for Hybrid/Remote workers

    One of the most important controls for remote workers is the set of security controls enabled on the endpoints, such as laptops or desktops. The level of control found on laptops can range from the simple to the complex. At a minimum, there should be an 'always-on' VPN, meaning that as soon as the laptop is switched on and connects to the employee's home network, it creates an encrypted tunnel. As the risk to the data and connection becomes greater, there should be more active controls on the endpoint, such as heuristic analysis of keyboard strokes, artificial intelligence software that analyzes laptop camera images, and biometric requirements for logins. All endpoints should also be connected to a data loss prevention (DLP) system, an intrusion detection system (IDS)/intrusion prevention system (IPS), and a corporate SIEM to ensure a holistic approach to security.

    Network Devices and Remote Work

    A weak link in this remote work approach is the assumption that all home-based routers are secure. Questions you can ask the BPO include: Are employees required to regularly update their home routers, and how is this monitored? Is it a router that your corporate network would trust on its own network? If there are thousands of offshore employees working from home, then that is thousands of potential attack points that may be vulnerable. The best option is to require the BPO to issue company-supplied, configured, and controlled routers. As long as the program to issue and control these devices is well designed and run, much of the risk listed above is reduced. BPOs can further raise that security by only allowing employees to connect to the BPO network with approved devices, so that the risk isn't elevated when employees work from, or connect into, the Wi-Fi of a local coffee shop or other less secure location. The middle ground would be to have a list of company 'approved' devices that meet minimum standards to lower the risk. The employee can register their device with the company (using the serial number, access controls, and other critical information) to allow the BPO to monitor security updates and patches, informing affected employees when their devices are at risk.

    Zero Trust for BPO

    A Zero Trust approach can greatly reduce your risk of a breach; however, it will not lower your risk to zero, as nothing can do that. This section explains a Zero Trust approach you can take with your BPOs. First, investigate how the BPO approaches zero trust. Since only 22% of organizations report being fully at zero trust, it might need to be a risk-based approach, focusing on the highest-risk data and connections. Another zero-trust action your organization can take, as the customer, is to implement controls on your own network. Where the BPO connects to your network, place the connection in a bastion or demilitarized zone (DMZ) that is configured for the required level of access, based on least privilege. Require biometrics, multi-factor authentication (MFA), re-login after every few hours, and a privileged access management (PAM) system to ensure these accounts are better secured.

    Physical Validation of Security for Remote Work

    As the ability to travel opens back up, it is important that customers of BPOs begin to perform physical validation of their critical vendors. Previously, a visit to an offshore vendor followed a familiar script: fly to the country where the vendor is located and meet with the security and operations teams to get physical validation of both logical and physical controls. There was a tour of the ODC offices to ensure the expected physical controls were present on the floor: separate spaces, no recording devices (such as phones) allowed in, badges and biometrics for entry, validation of clean room policies, and similar physical checks. With remote work, these checks are not possible at every remote worker's home. However, that doesn't mean they can be skipped, nor does it mean they can't be checked. For example, require the vendor to randomly check, like an audit sample, some of their employees' home offices. Physical validation can also include having the BPO connect to a set sample of remote workers' cameras and validate specific physical controls. If your BPO already does this, then ask: Have monitoring controls caught any examples of potentially risky behavior? Ask them to show how they dealt with risky employee behavior to ensure it aligns with their policy and your expectations as their customer.

    Conclusion

    COVID changed a lot of things in the business world. It is doubtful the 'work remote' genie can be put back into the bottle. The best talent will want the flexibility to work remote or hybrid, which will, in turn, provide them with the ability to deliver better service. It will also allow BPOs to hire and retain talented employees. Regardless of your personal views on remote offshore work, there are ways to allow your BPOs to deliver service remotely while keeping the risk to your data and your network within the risk appetite that aligns with your organization.

  • TPRM Explained: Integrated TPRM Business Processes

    A question many Third Party Risk Management and vendor management professionals often find themselves asking is: how do we work in a cohesive, organized way to sufficiently mitigate third party risk while enabling the business to move forward with third party relationships? This video provides insight into how to integrate TPRM into the rest of the business, including common goals and challenges, tips for improving process integration with business stakeholders, and key aspects of governance needed to make integration work, and provides a TPRM lifecycle-based framework to enable better integration. This video was made possible by Tom Rogers, CEO & Founder of VendorCentric, through his presentation at TPRA's July 2022 Practitioner Member Meeting. TPRM Explained is an educational series that focuses on topics related to third party risk management. Topics come directly from our end-of-year survey on the pain points our practitioners are experiencing within their own programs. Remember to like and subscribe!

  • TPRM Explained: TPRM Oversight

    Third Party Risk Management (TPRM) oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support their overall TPRM program. This allows the program to address third party risk at the highest level, while also ensuring governance structures are in place to run the program effectively. TPRM oversight will also ensure key stakeholders are aware of program requirements and assist with the implementation of said requirements.

  • Recertification and Reassessments

    By Meghan Schrader

    The level of risk related to your third parties is frequently changing, making recertifying and reassessing of key importance. Recertification relates to reviewing the third party's responses to the Inherent Risk Questionnaire (IRQ), as well as noting any changes to their profile, such as changes in legal name, ownership, locations, or the like. Reassessment relates to reassessing your third parties after the initial assessments have been completed and the contract is signed.

    Organizations are continuously innovating, enhancing, and changing business processes. With this come changes in third party risk. Practitioners may start to send a third party more data, use more or less of their services, or even change how they are using a third party's products/services. In parallel, third parties may change ownership, platforms, or locations, and/or implement enhanced controls. At the same time, the threat landscape grows in complexity, with events such as pandemics and social/political unrest needing to be factored in. In response to all of these changes, innovations, and enhancements, organizations must continually evaluate their third parties to ensure they remain apprised of their risk landscape and work to remediate/mitigate certain risks.

    But where do organizations start with reassessing their third parties? Begin with recertifying the Inherent Risk Questionnaire (IRQ). The IRQ should drive your due diligence efforts, as it takes into account the level of risk your third party poses before controls are considered. The IRQ can also determine the cycle time for your reviews. Therefore, it is a good idea to determine whether responses remain the same or whether the IRQ should be updated. At this time, you can also recertify the third party's profile (the general information you maintain for the third party) to note any changes in location, ownership, and/or processes. Based on recertification of the IRQ, determine which assessments are in and out of scope. For assessments previously completed that remain in scope, review past responses and risk to determine whether a full assessment should be re-sent (if high risk was noted) or whether the previous responses can be sent and new evidence obtained (if low risk was noted). Regardless, it is always a good idea to re-test certain controls and obtain new evidence to support those controls. You can also determine from the previous assessment whether any outstanding items remain (i.e., whether findings are still open). Last, determine whether new questions should be added to the current assessment based on your organization's continuous improvement efforts. If a new assessment should be completed, ensure the third party understands why the new assessment is being requested and provide them with ample time to complete it. Once all assessments are completed, determine the residual risk of your third party (the risk once controls have been evaluated). The residual risk should determine the level of due diligence you will perform within the next year and whether any follow-up should be considered.

    Assessment Types

    There are many assessments that can be provided to your third party on a continual basis. Assessment types, and how often they are completed, should be driven by the IRQ. In addition, the level at which they should be completed (light vs. heavy version) should be driven by the residual risk of the third party. Here are just a few assessment types that can be completed within the Continuous Monitoring (Reassessment) phase.

      • Information Security Risk Assessment – May include application, data, and network security, Software Development Lifecycle (SDLC), and Service Organization Controls (SOC) 2, Type II report reviews. Note: TPRA is currently working on an Information Security Questionnaire template in their Focus Group. Find out how you can get involved on our website under Practitioner and Vendor Events.
      • Privacy Impact Assessment – Includes review of data management practices, as well as compliance with privacy regulations.
      • Financial Assessment – Involves evaluating the financial viability of an organization.
      • Disaster Recovery and Business Continuity (DR/BC) – Covers techniques and processes for continuing business performance following a disaster.
      • Physical Access Controls – Determines potential threats to properties, objects, or individuals and the controls to mitigate said risk.
      • Regulatory Assessment – Involves evaluating compliance activities for your third party. Examples include ensuring compliance with Payment Card Industry (PCI), HIPAA, and Gaming regulations. As new regulations are published, it is important to review whether a third party is impacted by the regulation and whether they have a process in place to comply with it.
      • Negative News Monitoring – Reviewing existing media concerning a third party can help signal a potential threat, whether reputational or security related, to your organization. Subscribe to alerts, such as Google Alerts, to determine whether there are impacts to your organization.
      • Passive Monitoring – Risk rating / intelligence tools scan the perimeter of third-party networks and look for public-facing vulnerabilities. These scans are non-intrusive and can provide you with real-time data on a third party's vulnerability management program, among other activities. Examples of these tools include, but are not limited to, RiskRecon, BitSight, SecurityScorecard, and Black Kite.
      • Fourth Party Reviews – Reviewing the controls in place for your third party's material suppliers is also important, especially if they will have access to your data.
      • Offshore Reviews – Involve reviewing the controls in place to mitigate the additional risk an offshore location may pose to your organization. You may also want to consider the geopolitical environment of that location.

    Last, and in response to the pandemic, you may also want to perform an Operational Resiliency assessment of your third party that not only looks at their Incident Response procedures but also reviews your own procedures to ensure your third party is incorporated into them.

    From a Continuous Monitoring standpoint, there may also be times when activities trigger specific assessments not generally performed within your normal due diligence efforts. Certain changes in the relationship and/or in the way the product/service is leveraged may trigger ad hoc reviews. Such triggers include, but are not limited to:

      • Change in location of services
      • Change in risk rating (risk rating/intelligence tool)
      • Change in ownership of the third party
      • Change in product/service (may now be cloud-based vs. on-premise)
      • Change in data sent/stored
      • Change in contract clauses
      • An event or incident occurring

    These triggers allow you to determine whether your organization should take a second look at the third party and/or whether another review needs to be performed.

    Evidence Collected

    In addition to the assessments completed, it is best practice to obtain evidence to validate that specific controls are in place and operating effectively. Evidence items you may want to obtain include, but are not limited to:

      • Penetration Test Results
      • Independent Attestation – Includes SOC 2, Type II Reports.
      • Policies and Procedures
      • Proof of Key Controls to Evidence Effectiveness
      • Vulnerability Report/Evidence of Patching
      • Continuous Monitoring Report
      • Financials
      • DR/BC Plans and Testing
      • Employee Counts – Includes Key Person Dependency and Any Significant Changes to Staff Levels that have Occurred.
      • Network Diagram – Includes Cloud Architecture and A Data Flow Diagram.
      • Background Checks – Includes Policies and Samples of Actual Background Checks.
      • Employee Access Reviews
      • Training – Includes Broadscale and Specific/Targeted Training.
      • Model Risk – Includes Validation of Models.
      • Negative News

    Questions to Ask

    To enhance your relationship with your third party, there are a few questions you will want to ask yourself to ensure you collect certain pieces of evidence at the right time. Those questions include, but are not limited to:

      • For the evidence you are collecting, what is the scope? This ensures you only collect evidence for the product/service the third party is providing to you, and not for other products/services provided to other clients.
      • Are you collecting it at the same time each year? (i.e., do they perform a pen test at the same time each year so that you know when to collect it?)
      • Is the evidence you are collecting noted within the contract to ensure you can collect it?

    There may be times when a full assessment is not required if specific evidence items can be obtained for testing. There may also be times when you want an independent test performed for key controls to ensure they are thoroughly reviewed (i.e., a SOC 2, Type II report).

    Summary

    In summary, it is important to continuously evaluate your third party to ensure you remain aware of the risk landscape impacting your organization. Ensure you are recertifying your third party's profile and IRQ to note any changes within the relationship. This should then drive the assessment process and the cycle times at which reassessments are completed. Last, it is important to obtain evidence for the specific, higher-risk controls you evaluate to determine whether said controls are in place and operating effectively. It is not best practice to only send your third party a questionnaire. All in all, reassessing your third party will ensure the impact the third party has on your organization is minimized and strengthen the relationship between you and your third party.

  • TPRM Explained: Recertification & Reassessments

    Why is recertifying and reassessing your third parties so important? Because organizations are continuously innovating, enhancing, and changing business processes. With this comes changes in third party risk.  This video explains the importance of regularly reassessing your third parties, as well as provides tips on the reassessment and recertification process.

  • TPRM Explained: Third Party Engagement

    In this month's Third Party Risk Management (TPRM) Explained video, we discuss "Third Party Engagement," including third party buy-in, response time, assessment of evidence provided, findings validation, and third party expectations. TPRM Explained is an educational series that focuses on topics specific to TPRM. TPRM Explained is produced and published by Third Party Risk Association (TPRA) in an effort to share knowledge and advance the field of TPRM.

  • TPRM Explained: TPRM Maturity vs Associated Value

    In this month's Third Party Risk Management (TPRM) Explained, we discuss TPRM Program Maturity vs. Associated Value by working through how to Start, Enhance, and Automate TPRM programs using the TPRM lifecycle.

  • TPRM Explained: Onsite Visits

    TPRA has created a series of videos explaining a variety of specific TPRM topics. Our first video of the series is "Onsite Visits." This video will walk you through the pre-planning, during-visit, and post-visit phases of an on-site visit.
