RiskRecon Blog

Like many organizations today, you have existing processes, tools and people laser-focused on analyzing periodic vendor security questionnaires, documentation, and on-site reviews. Moving to a continuous monitoring program can be daunting. Our advice: don’t focus on where to start; think about where you want to end up. Begin with the end state in mind.

Is today the day you say, “I’m ready”? Has the growing inherent risk associated with the number of vendors accessing your sensitive data finally convinced you of the need to do more than annual vendor surveys and assessments? Fantastic. The next question is, “Where do I start?”

Many clients ask us how to get started, and I always respond by asking them about their desired end states. Meaning, what do they want their deliverables, metrics and processes to look like in the future? And can they articulate the most significant gaps in their current programs that they want to address and rectify?

Before you take that first step, let’s review some things to help you determine your end goals. It’s these end goals that will guide you as you incorporate continuous monitoring into your third-party risk management program.

When Thinking About Third-Party Cyber Security, Keep Your End Goals in Mind

Generally speaking, organizations aim to move from a manual, one-size-fits-all vendor risk process to one that is scalable and risk-adjusted. Today, your vendor survey and risk process doesn’t scale to effectively cover all third parties (and fourth parties) and doesn’t obtain sufficiently frequent and actionable security performance metrics. Ultimately, you want a process that incorporates all vendors and suppliers and allows you to align assessment scope and frequency with your organization’s residual risk tolerance and resources.

Determining what a risk-adjusted vendor risk management process means to your organization depends on risk appetite, potential exposure, budget constraints, system constraints, and other resource considerations. Therefore, when getting started, envision a risk-adjusted program that will answer these basic questions:

o Who? Which categories of vendors, suppliers, and fourth parties require coverage or more frequent coverage?
o What? Do you need separate processes for managed vendors, unmanaged suppliers, fourth parties, or vendors during the proposal process?
o When? How frequently do you require updated information for each category?
o Where? Into which steps in your process is it best to incorporate this new vendor risk data? Where do you want to remove, enhance or streamline steps?
o Why? Do your defined metrics capture and assess the reasons behind this change? For example, have you established measurements to capture the number of additional vendors under coverage, increased frequency of coverage, and analyst productivity improvements?

Getting Started with Your Online Risk Assessment

Jumpstart your program by conducting a 90- to 180-day pilot with a set of vendors already scheduled for their annual assessment during the pilot period. During the pilot, build out your process according to the end goals you established:

• Obtain executive support to build an ad hoc team including security, sourcing, and third-party risk personnel. It’s this team that will meet regularly, agree on key objectives and metrics, and help to evangelize the new continuous monitoring program throughout the rest of the organization.
• Establish the key pilot objectives and metrics, including impact on risk data quality and analyst productivity, remediation effectiveness, and third-party feedback.
• Select a third-party risk management provider that can provide continuous monitoring of all your third parties.
• Train your analysts on the new continuous risk scoring data, documenting how to build this data into your vendor engagement model. Shadow your analysts to determine what worked, or didn’t work, during this initial phase and capture that feedback as well as any feedback from the vendors assessed.
• Meanwhile, gather an authoritative list of additional vendors not currently under review by your security team. Have your third-party risk management solution begin building portfolio- and vendor-level risk assessments to prioritize which vendors to engage in phase 2 of your continuous monitoring project.

Be sure to check out our next blog, where we will discuss how to go from this pilot phase to your scalable, risk-adjusted program of the future. If you’d like to explore how RiskRecon can help you kick off your continuous monitoring program, give us a call today (781-784-2054).

Topics: 3rd party risk management, CISO, risk control, Scalability, Continuous Monitoring, Vendor Risk Management
