Establishing a third-party vendor risk management program can be a challenging undertaking. There are many things to consider, not the least of which are what technology to use, which staff augmentation strategies to employ, and which frameworks to base the program on.
Jack Freund, PhD, co-author with Jack Jones of the FAIR book and Risk Science Director for RiskLens, recently completed a white paper for ISACA that discusses the structural elements necessary to make an entire vendor risk program operational.
Read the ISACA white paper: Managing Third Party Risk: Cyberrisk Practices for Better Enterprise Risk Management
“The first critical component of conducting a risk analysis is to become clear about what is at risk and what the results of the third-party assessment are actually telling the enterprise about its risk posture,” Jack writes.
Key points Jack covers in the vendor-risk white paper:
- Governance structures necessary for a successful vendor risk management program. This includes organizational roles in managing contracting, payment, and internal ownership. Also covered is the need for metadata collection to feed proper vendor risk triage.
- How to structure your vendor assessments into three buckets: no assessment, administrative assessment, and onsite assessment
- A list of triage questions to get you started
- Artifacts to request from vendors to evaluate their control posture
- How to construct vendor risk scenarios for analysis
- How to integrate cyber risk quantification into the vendor risk management program to risk-rate vendors and provide a measure of economic risk to the board of directors
“An advanced approach to third-party risk ratings is to understand the economic impact of a third-party data compromise or service failure to the enterprise business objectives,” Jack writes.
“Fundamentally, this connects the cybersecurity consequences to the business. Understanding the economic impact can also allow enterprises to set aside money to offset potential risk or purchase insurance to help offset financial losses associated with cyber incidents.”
Measuring and Managing Information Risk: A FAIR Approach (the FAIR book) provides a practical and credible model for understanding, measuring and analyzing information risk of any size and complexity. It's an essential tool for information risk officers of the digital age who want to help their organizations make smarter and more effective business decisions.