Third Party Risk Management

Following up on my prior post, Third Party Risk Management (4/9/18), I’d like to share my recommendations for monitoring and managing IT risk.

There are a number of Governance, Risk, and Compliance (GRC) tools available, ranging from the inexpensive to the extremely expensive. Small to medium size companies are generally not in a position to make good use of those tools. Instead, a small to medium size company should investigate and implement logging and monitoring tools, such as a centralized Security Information and Event Management (SIEM) tool.

What is an emerging IT risk that is difficult to mitigate and what can you do about it?

Although not emerging per se, there are other security areas that should be addressed or improved. First, small to medium size companies generally do not have a well-defined process for continuing operations during a disaster. The comment heard most often is “oh, we would have our employees work from home if there was a disaster, because we are an Internet-based company.” The issue is that a long-term loss of the Internet and/or electrical power is generally not planned for in business continuity. If a company has backup data centers outside the region affected by a loss of Internet or electrical power, some portions of the operations will continue. But a small to medium size company should also define the activities that local staff will perform during the disaster.

How does IT risk management fit into the tech project management process?

Many small to medium size companies still do not invite security to be involved with “all” IT projects. Security gets invited to some, or at least to those where the project team thinks there may be a security impact. The proper mode of operation would be for security to be invited to participate in all IT projects and to determine for itself the level of security involvement required for the life of each particular project. For example, if the marketing team wants to host a website, they may go out and contract with a web hosting provider without getting information security, or even the IT department, involved.