About the Risk Intelligence Blog

The Evantix Blog offers insight, tips and intelligence from leading risk authorities in enterprise vendor risk management and compliance.


Risk Intelligence Blog


Below the Line Benefits from Third-Party Risk Assessment

Okay, you've got the go-ahead to do a limited trial of an automated third-party risk assessment using a dedicated tool. Your stated objective is to get two strategic vendors onto the software to reduce the cost of the annual audits of those vendors. But wait a second: don't miss the opportunity to leverage your investment in ways much closer to home.

Traditionally, information security functions have grown up within IT. Even though many information security functions, such as network security and even access control, may stay within IT, measuring risk posture across the organization is getting more difficult for several reasons:

   New regulatory and standards definitions are driving toward a more detailed, implementation-aware format;
   Organizations throughout the enterprise are gradually becoming more aware of information security but are "doing it themselves", which produces gaps and overlaps and disperses direct accountability for information security, detracting from the attainment of overall risk objectives.

Consider treating your own organization as a "strategic vendor" for the purpose of developing a set of quantitative measures and focusing on the artifacts needed to evidence those measures. Take access control, for example. Can the staff responsible for access control produce clear policies governing how they handle access requests, examples of properly approved requests, and reports of the ongoing access reviews that best practices require? How about metrics concerning access control? Does the access control team maintain metrics on its handling of routine and exception access requests, broken down by platform, major department or division, and so on? Using an automated third-party assessment tool, such questions could be delegated to your access control staff, and the artifacts showing compliance with best practices could be entered by your staff or others on a decentralized basis and preserved for a point-in-time report on the effectiveness of your access control function.

Take business continuity planning as another example. By tracing from impact statements through detailed inventories mapped against physical location, tabletop tests of recovery plans, and formal reviews of off-site recovery drills, one can gain a complete understanding of the organization's readiness to recover after a disaster of any magnitude, based on the ability to identify and preserve artifacts that clearly demonstrate the effectiveness of these processes. Again, those responsible for BCP can use the third-party assessment system to securely and asynchronously place the artifacts of their work in a repository that enables a holistic view of information security across the enterprise. This holistic view can be as quantitative as it needs to be. For example, an organization operating at CMM level 3 may be expected to have well-defined metrics for its function and a clear time series for those metrics showing progress over multiple periods. A CMM level 1 organization, on the other hand, would not be expected to show as much repeatability in its operations and very likely would not yet have any year-over-year metrics in place.

While your business case for third-party risk assessment correctly focuses on the strategic importance, out-of-pocket savings, and relationship enhancement that come from using an effective tool with external parties, important benefits are often left out of the business case. Just as the cobbler's children sometimes lacked shoes, the work of demonstrating best practices within information security itself is often relegated to a "when we can get to it" level of importance on the project list. Use your new third-party assessment tool to strengthen internal processes as well as to fulfill the external business case. Who knows? Next year a vendor may ask you, "How do you do risk assessment internally?" If you can demonstrate a process supported by an excellent third-party risk assessment tool, you'll be well on your way toward building a secure, high-quality third-party relationship.
