What is TPRM?
TPRM refers to third-party risk management and is sometimes used interchangeably with vendor risk management. It is the set of practices that organizations employ to address or minimize the impact and likelihood of cyber security events that may result from using outsourced service providers. Service providers can include vendors, suppliers, partners, and contractors, not just one layer removed, but all up and down an organization's supply chain.
Why is Third-Party Risk Management Important?
As cyber threats evolve, maintaining a solid TPRM program is essential. Companies don't want to become the next Solarwinds or Kaseya. Understanding the threat landscape not only allows an organization to implement appropriate mitigating controls but also sheds light on what they should expect from their suppliers and vendors. Knowing risks will help organizations appropriately transfer, mitigate, or accept risks.
What are the Common Types of Third-Party Risks?
Third-party risks generally fall into the following categories:
- Reputational risks are those that impact how an organization is viewed in the press or by customers. No one wants to damage their brand.
- Operational risks are related to an organization's ability to continue operations. If the employees at your distribution go on a vendor strike, what impact would that have on your operations?
- Financial risks are those that impact the bottom line. Reliance on one key vendor or supplier could fall into this category. For example, a delay in the delivery of a key component can lead to production delays and lost revenue.
- Compliance risks are related to non-adherence to industry standards or frameworks. Organizations in highly regulated industries, such as healthcare or financial services consider these risks. If an organization sets a strong set of internal standards and controls, they will want to make sure that their vendors meet the same standards.
- Strategic risks will impact an organization’s mission, goals, or products. If a key vendor does not see eye to eye, this may open an organization to other risks.
There are a handful of challenges that are inherent in any third-party risk management system. The most obvious is that the threat landscape is constantly changing. Managing third-party risks can be labor-intensive and many organizations lack the resources and knowledge to address them. Adding to these challenges are the numerous compliance requirements that organizations may need to follow like SOC 2, HIPAA, or NIST. Many organizations rely on so many vendors or third parties that the evaluation of these entities can become a full-time job.
TPRM Best Practices
There are a handful of items to consider when designing and operating a third-party risk management program. Thoughtful responses to these topics will set organizations up for success.
- Inventory of your data and include how sensitive or confidential it is.
- Maintain a list of third parties and note who has access to data.
- Plan for lack of availability of a third-party provider.
- Have a plan if data were to be leaked or shared outside of the supply chain and have your providers commit to the same standards.
- Consider risk anywhere in the vendor life cycle - from onboarding or procurement, to contract termination and offboarding.
TPRM and ISO 27001
ISO 27001 devotes an entire section to defining, addressing, and managing information security within supplier agreements. The objective of these controls is to identify cybersecurity practices that are in place to prevent an impact on the confidentiality, integrity, and availability of data.
ISO 27001 requires the following:
- The identification and implementation of “processes and procedures to manage the information security risks associated with the use of supplier's products or services”.
- Establishing and agreeing to “relevant information security requirements with each supplier based on the type of supplier relationship”.
- Defining processes and procedures to address information security risks in the supply chain.
- Periodically monitoring and evaluating changes in the supplier’s information security practices.
Learn more about Controls by reading our "What (the bleep) is a Control?" blog post.