Managing IT Risk (Part 1)

Third Party Risk Management

Topping my list of information security risks for the coming year is third party risk management. Small to medium-sized companies do not have the workforce necessary to monitor the security posture of their technology service providers. To properly address the issue, a company will need to put the following in place and dedicate resources to ensure that the tasks are performed:

  • Establish a due diligence process to evaluate the security posture of proposed technology service providers, with results that can be evidenced (e.g., results from a security questionnaire, results from an onsite security audit)
  • Establish security requirements for the technology service providers, based on the services being provided, rather than making high-level requirements like “the provider must be HIPAA compliant” or worse, “the provider must be compliant with all applicable laws and regulations”
  • Ensure that security requirements get included in contracts and ensure that security participates in the contract negotiation process
  • Establish a methodology to risk rank technology service providers (based on the services being provided) to establish a frequency to periodically re-validate the provider’s security posture
  • Establish a process to periodically (based on risk rank) review technology service providers to re-validate that they continue to provide their services in a secure manner
  • Establish a process to highlight, remediate, and track to completion any issues identified at the technology service providers
  • Establish a process to reclaim data at technology service providers if the contract needs to be terminated because of security reasons

End-to-end incident response would come in a close second, as IT departments at most small to medium-sized companies can identify and investigate incidents, but they generally don’t have well-defined processes for reporting the incidents/breaches to impacted individuals or the media.