In part one of this short blog series we introduced the value continuous monitoring can bring to a third-party risk management program and how you can start to introduce it into your practice. In this piece we'll discuss how you can use this type of approach to better understand and act on third-party risk.
Step 5. EMBED POLICIES IN CONTRACT LANGUAGE AND RFPS
Not only should your organization set expectations informally through training and evangelism, it should also formalize policies through contract language. Contracts and RFPs should set enforcement policies and procedures that lay out remediation actions and timeframes. As with any contract, there will be some collaboration with vendors to customize terms based on the relationship, but at a high level you should be inserting your prevailing policies into standard contracts.
Step 6. USE AUTOMATION AND TOOLS TO OPERATIONALIZE RISK DATA
The additional visibility afforded by continuous monitoring of third-party cyber risk can add a heavy burden on those responsible for getting vendors to remediate what it finds.
This is why automation and tooling on the remediation end of the process should be a core component of a continuous monitoring platform.
Consider the back-and-forth that continuous monitoring findings can set in motion:
- Monitoring finds a list of problems at a vendor
- You prioritize the findings by risk and identify remediation actions
- You inform the vendor which fixes to make, based on risk level
- The vendor believes it has fixed the relevant issues and reports back
- Monitoring finds that only some of the issues were remediated
- You go back to the vendor to say further action is warranted
- The vendor makes further fixes but disputes one finding as a false positive
- You verify the additional fixes
- You also review the disputed false positive
- You close this round of validation
That is a lot of work for a team to handle if human intervention is required at each step. Ideally, your organization should seek an automated tool that removes manual work from each stage of this process; in practice the one step that genuinely needs a person is reviewing a disputed false positive, and everything else (prioritization, notification, verification by rescan, closure) can be driven by the monitoring data itself. Not only will that put internal operations on rails, it will also make remediation less onerous for vendors.
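The loop above is worth making concrete. The following is an added example, not RiskRecon's code or any product's API: a small Python state machine that carries findings from round to round, treats the latest rescan (not the vendor's word) as the source of truth for whether something is fixed, re-notifies the vendor when a claimed fix is not borne out, flags overdue items, and routes only disputed findings to a human. The finding ids, the vendor name "Acme", the severity scale and the remediation windows are constructed placeholders.

```python
"""Reconcile monitoring findings with vendor claims, round by round.

Added example (not RiskRecon's code). Finding ids, the vendor name, severity
scale and remediation windows below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class State(Enum):
    OPEN = "open"                      # observed by monitoring, vendor not yet told
    NOTIFIED = "notified"              # vendor asked to fix by a due date
    DISPUTED = "disputed"              # vendor calls it a false positive; needs an analyst
    CLOSED = "closed"                  # rescan no longer observes it
    FALSE_POSITIVE = "false_positive"  # analyst accepted the vendor's dispute


# Assumed remediation windows in days, keyed by severity 1 (low) .. 4 (critical).
DAYS_TO_FIX = {4: 7, 3: 30, 2: 60, 1: 90}


@dataclass
class Finding:
    fid: str
    vendor: str
    severity: int
    state: State = State.OPEN
    due: Optional[date] = None
    history: list = field(default_factory=list)   # (from, to, reason) audit trail

    def move(self, new_state, reason):
        self.history.append((self.state.value, new_state.value, reason))
        self.state = new_state


def reconcile(findings, rescan, vendor_response, today):
    """One round of the loop. Mutates `findings` and returns work queues.

    findings: dict fid -> Finding carried over from earlier rounds
    rescan: dict fid -> (vendor, severity) for everything the latest scan observes
    vendor_response: dict fid -> "fixed" | "false_positive" received since last round
    Only the analyst_review queue needs a person; the rest can be sent automatically.
    """
    queues = {"notify": [], "analyst_review": [], "closed": [], "overdue": []}

    for fid, (vendor, sev) in rescan.items():          # new problems enter the loop
        findings.setdefault(fid, Finding(fid, vendor, sev))

    for fid, f in findings.items():
        if f.state in (State.CLOSED, State.FALSE_POSITIVE):
            continue
        claim = vendor_response.get(fid)
        if fid not in rescan:
            # The rescan, not the vendor's word, decides whether something is fixed.
            f.move(State.CLOSED, "no longer observed by rescan")
            queues["closed"].append(fid)
        elif claim == "false_positive":
            f.move(State.DISPUTED, "vendor disputes finding; still observed")
            queues["analyst_review"].append(fid)
        elif f.state == State.DISPUTED:
            queues["analyst_review"].append(fid)        # still waiting on the analyst
        else:
            if f.state == State.OPEN or claim == "fixed":
                # First notification, or a claimed fix the rescan did not bear out.
                f.due = f.due or today + timedelta(days=DAYS_TO_FIX[f.severity])
                f.move(State.NOTIFIED, "claimed fixed but still observed" if claim else "still observed")
                queues["notify"].append(fid)
            if f.due and today > f.due:
                queues["overdue"].append(fid)

    queues["notify"].sort(key=lambda i: -findings[i].severity)   # critical items first
    return queues


def resolve_dispute(findings, fid, accepted):
    """Analyst decision on a disputed finding; returns the resulting state."""
    f = findings[fid]
    if accepted:
        f.move(State.FALSE_POSITIVE, "analyst accepted dispute")
    else:
        f.move(State.NOTIFIED, "analyst rejected dispute; vendor must remediate")
    return f.state


def demo():
    """Two constructed rounds for the placeholder vendor 'Acme'."""
    day0 = date(2024, 1, 1)
    findings = {}
    # Round 1: monitoring finds three problems; no vendor response yet.
    r1 = reconcile(findings, {"F1": ("Acme", 4), "F2": ("Acme", 2), "F3": ("Acme", 3)}, {}, day0)
    # Round 2: Acme claims F1 and F2 fixed and calls F3 a false positive;
    # the rescan still observes F2 and F3, so only F1 is verified fixed.
    r2 = reconcile(findings, {"F2": ("Acme", 2), "F3": ("Acme", 3)},
                   {"F1": "fixed", "F2": "fixed", "F3": "false_positive"},
                   day0 + timedelta(days=10))
    return findings, r1, r2


if __name__ == "__main__":
    fs, r1, r2 = demo()
    print("round 1:", r1)
    print("round 2:", r2)
    print("F3 after analyst rejects dispute:", resolve_dispute(fs, "F3", accepted=False).value)
```

The design choice that matters is that closure is only ever triggered by the rescan: a vendor's "fixed" claim never closes a finding by itself, it only decides whether the vendor gets a fresh notification when the problem is still visible. The `history` list on each finding gives you the audit trail you will want when a vendor pushes back on an overdue item.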
Step 7. SHIFT INTERNAL RESOURCES TO SUPPORT VENDORS
Even with the best remediation automation, continuous monitoring will still require additional support from your third-party cyber risk management team. There will need to be people available to evaluate what is going on with vendors. It's important to be realistic about the requirements here. If your current resources are limited, you either need to work with leadership to build a bigger team or repurpose people from elsewhere.
One way to do this is to look at the staff dedicated to running questionnaire programs and rethink how they work. With continuous monitoring in place, it may be possible to run questionnaires less often and have the people who validate them run the continuous monitoring function instead. That way, engagement roles spend more targeted time on the vendors with demonstrable problems.
Step 8. INTEGRATE THIRD-PARTY CONTINUOUS MONITORING INTO CYBER INCIDENT RESPONSE
As your organization gets further along with continuous monitoring of third-party vendors, consider integrating this risk data into your own cyber incident response process. This makes it easier for your security analysts to pick up on significant changes in third-party environments between regular assessments that could warrant emergency remediation. It also smooths the way for the organization to respond to "celebrity vulnerabilities" tracked by the SOC: high-profile, newly disclosed flaws that warrant immediate follow-up with vendors to confirm their systems aren't exposed.
Step 9. MAKE INCREMENTAL IMPROVEMENTS ALONG THE WAY
As your organization accumulates historical data on its vendors, it can use that store of monitoring information to continuously improve how it manages third-party cyber risk. Historical, objective risk data can make it possible to expand visibility into unmanaged vendors and fourth parties. A broader base of experience also helps your team streamline assessment processes, extend coverage, and quickly pinpoint where to focus for the most risk reduction. The point is that monitoring feeds a data-driven approach to third-party risk that drives incremental improvement over time.
Step 10. FEED CYBER DATA INTO BROADER VENDOR RISK MANAGEMENT PROGRAM REPORTING
Throughout the process of incorporating continuous monitoring into your third-party cyber risk management program, remember that the results should also be fed into the broader vendor risk management program. Cyber risk should be reported alongside other types of risk, such as financial and operational risk. These third-party cyber metrics will naturally be reported up the executive chain by the CSO when explaining the company's complete cyber risk posture, but they should also be included in the regular documentation of broad business risk categories.
If you would like to learn more about RiskRecon's continuous monitoring capabilities, we would be more than happy to provide you with a customized product demonstration.