An ISACA white paper released this month outlines recommended guidance for organizations to better manage third-party vendor risk across their enterprises.
“Managing third-party risk is a critical aspect of cybersecurity programs overall, as the digital walls separating enterprises from third parties are lowered and the world becomes more interconnected,” ISACA said.
To help manage risk, the report said that enterprises should first conduct third-party risk assessment processes, which can ascertain “the risk to the enterprise from engaging with a third party and the impact of that risk on enterprise objectives.” This process poses questions to third parties about their data privacy and use management, the potential for data loss, and data classification and controls.
ISACA said that organizations should then conduct third-party risk analysis processes, which include threat modeling and determining risk ratings. Finally, organizations should conduct assessment closeouts and ongoing monitoring.
“Risk ratings are assigned to third parties, criticality to control deficiencies, and gaps are managed through a closeout process that allows an enterprise to properly manage the third party, influence future terms and conditions on the contract, and protect enterprise interests,” ISACA said.