Our typical starting point is a Capability Assessment. This is an efficient way of ‘running the rule’ over all the key elements of your third-party security to inform a view of control effectiveness.
One of our senior security consultants will conduct the assessment with you, using a discussion-based format to cover all the capabilities that are relevant to your organisation across our focus areas:
• Policy & Standards
• Operating Model
• Monitoring & Reporting
• Continuous Management
Responding to threats is not a singular activity. Your organisation requires a number of capabilities, operating effectively, to ensure you act in a risk-based and proportionate way.
Third parties come in all shapes and sizes. Just like other cyber controls, it’s important you know who your suppliers are and what they do for you. This includes where they interact with your services and also where, and how, they have access to your data.
Clearly written contracts, including a right to audit, will help third parties understand and comply with your organisation's requirements.
For many organisations, building and maintaining a ‘complete’ inventory of third parties is a significant challenge, but a vital one: without it, a considered security approach cannot be put in place.
It is equally important to define, clearly and comprehensively, the information each entry must hold so that the supplier inventory is ‘meaningful’ (for example, what the supplier does for you, which of your services they touch, and what data they can access and how).
Management of third-party security can be spread over multiple areas of an organisation. You must therefore be clear on what you and others are accountable for. Clear understanding of roles and responsibilities, and the right level of governance, means you can be assured that management is effective.
Policy & Standards
Foundational policies and standards set direction and provide a framework for consistent implementation of requirements.
Operating Model
The glue that makes third-party management effective. Volumes are often large, both in the number of suppliers and in the number of assurance risks being tracked; internal stakeholders are demanding and suppliers can be challenging. ‘Socialising’ the operating model across the organisation is key, coupled with robust and consistent management information.
Monitoring & Reporting
Monitoring produces the metrics and management information that are then reported to demonstrate the current control-compliance and risk status of each third party. This, in turn, supports appropriate decision-making and scrutiny.