Managing the data risks created when company and customer data must be outsourced to third-party vendors can often seem like a daunting maze. The challenges companies face when engaging third parties include trusting a third party's data security policies, confirming that third-party vendors have adequate controls in place, and assessing and managing the number of third-party relationships (what if the vendor outsources to another vendor?). Yet we believe there is a map out of the maze, one that can make third-party risk more manageable.
Organizations should focus on third parties that are supporting critical business functions and are creating the most risk for the business; then they should tailor requirements and due diligence to align with the risk of each third party.
Leading organizations use a two-pronged approach for high-risk third parties. They perform periodic security control assessments, either internally or leveraging consortiums, and then actively monitor third-party networks for signs of security incidents and malicious activity using threat intelligence feeds.
Adam Schrock, Managing Director,
Grant Thornton Risk Advisory
Companies can start by taking the following actionable steps:
- Segment third party risk services according to risk (from high risk to no risk)
- Scope controls based on assessment of third party service categories
- Collect due diligence artifacts and control information based on risk
- Assess controls to ensure design adequacy and operating effectiveness
- Remediate ineffective controls and track to closure
- Report to ensure visibility through good communication from the board to operations
- Monitor risk, compliance, and performance throughout the third party lifecycle