Third party security assessments are a crucial part of any information security risk management program. Conducting ongoing security assessments of your vendors will give you clarity on the risks you may be inheriting from them. The first step in any vendor security assessment program is to identify your key partners. Identifying key vendors for your vendor management program can be full of uncertainty and time consuming. How should you begin?
Vendor Identification
The third parties you should focus on are entities that store or have access to your company’s data. You would also want to consider third parties that have access to your network or IT infrastructure. Here are some processes and techniques to help you get started in identifying your third parties.
Data Inventory
One of the first places to start is to create a data inventory. Creating a data inventory will identify the systems, applications, and processes that involve certain types of data. Start with a type of sensitive data such as personally identifiable information (PII), HIPAA data, or a specific data element such as phone numbers. Here’s a helpful whitepaper that explains the fundamentals of creating a data inventory: “Creating a Data Inventory: The First Step In Managing Privacy and Data Security Risk” by David Manek, Bruce A. Radke, and Michael J. Waters.
Data Flow Diagrams
Take your data inventory to the next level by creating a data flow diagram. This diagram should be based on a business process or data type. A data flow diagram can help you identify the following:
- The types of data third parties have access to
- When a third party is involved in the process
- The method third parties use to access your data
- Vendors that are involved in critical business processes
- Which third parties process your data
Contracting and Procurement Records
Reviewing your current contracts and agreements could help you identify the following:
- Which vendors do you have active contracts or agreements with?
- What type of services do they provide?
- What level of access to data do their employees have?
Interview Subject Matter Experts (SMEs)
You likely have employees that are experts in certain IT systems or business processes. A short interview with these employees may help you understand a vendor’s role in the process. The SME may also be able to assist you with data mapping and inventory.
Access Reviews
Conducting an Access Review of system accounts is one of the quickest ways to find external entities that already have access to your data. Most systems are able to generate reports that will tell you the level of access and privileges that certain users have. This method should be used with some of the other identification methods since it will not identify vendors that have external access to your data.
Vendor Categories
So, now you have a list of all your third parties, the next step is to conduct a risk assessment. Conducting a risk assessment will help you determine which vendors pose a higher-level risk to your business and customers. These are the vendors that you will want to assess first and on an annual basis.
Consider the vendors that meet at least one of the following criteria:
- Perform critical business or IT functions
- Process or access sensitive data
- Process or access your customer’s data
- Could impact your earnings or reputation
- Could cause significant disruption to your business
Types of IT service providers that can pose a higher security risk may include:
- Software as a Service (SaaS) providers
- Infrastructure as a Service (IaaS) providers
- Platform as a Service (PaaS) provider
- Disaster Recovery and Data Center Colocation service providers
- Professional Services or Consultants
- Outsourced software development services
- Data Processors
Hopefully these methods of identifying third parties will help you establish an effective vendor risk management program. Conducting regular assessments on higher risk third parties will help you identify and manage the potential risks they pose to your organization.
Learn more about our third party security assessments here.
