As third-party cyberattacks continue to rise, so does the risk of exposure or loss resulting from compromises of systems, networks and data. Third-party risk management should be a priority; however, most organizations are only doing the basics and must develop efficient and scalable processes for managing third-party risks.
As your business onboards new vendors to drive operational efficiencies, take steps to keep your organization secure in all functional areas with a solid third-party risk management framework.
This piece provides guidance and a process to build a comprehensive third-party risk management framework to protect your organization from vulnerabilities and threats third parties may present.
A third-party risk management framework is a set of guidelines for an organizational process to classify, remove and minimize risks from vendors, partners, contractors and suppliers. The framework helps identify third-party risks and threat opportunities, and allows organizations to effectively allocate and use resources for risk mitigation.
The original risk management framework template was developed by NIST to help protect U.S. government information systems from threats and vulnerabilities. The newer NIST Cybersecurity Framework consists of standards, guidelines and best practices specifically tailored to manage your cybersecurity risk.
In addition to the NIST frameworks, ISO also has a third-party risk management framework that can be helpful for the third-party risk management assessment process. These frameworks are standards that help organizations identify threats, assess specific vulnerabilities to determine the risk involved, seek out ways to mitigate the risk and adopt risk reduction efforts according to organizational strategy.
When building a third-party risk management framework, best practice is to divide the process into two initial stages:
Preliminary setup of the framework requires:
Ongoing monitoring and updates to the framework include:
While the NIST third-party management framework is widely regarded as an industry best practice, organizations that adopt it often find that comprehensive adoption and implementation require a larger investment of time and expense than originally anticipated. Adequate resource allocation and buy-in from both risk owners and stakeholders are critical to a successful third-party risk management framework and ongoing program.
It is important to expand the framework scope beyond your information security group to include the entire organization to provide protection from the following risk types:
Another challenge for organizations is failure to have visibility into vendor and supplier practices that add to third-party risk, including:
Once you have an initial process set, build your organization’s third-party risk management program with these risk management framework steps, beginning with your information security-related areas:
A robust third-party risk management framework helps you and your organization stay vigilant to all risks beyond cybersecurity, and is essential to building a world-class third-party risk management program.
Keep the following in mind when launching a third-party risk management framework:
In today's increasingly sophisticated, threat-laden environment, building a solid third-party risk management framework will help your organization identify and minimize risk while still being able to confidently depend on your third parties.
September 19, 2023
By IANS Faculty