Nov 09 2022

Information Security Risks That You Need to be Careful With Vendors

Category: Information Security, Vendor Assessment | DISC @ 12:46 pm

Business models for banking & financial services (BFS) institutions have evolved from being a monolithic banking entity to a multi-tiered service entity.

What this means for BFS companies is that they need to stay current and relevant with regard to technology and the quality of all services they provide to their clients. The most common way to do that today is to outsource services to vendors & 3rd parties.

Though outsourcing is cost-beneficial to companies, this approach comes with its own set of drawbacks. It is fair to say that every outsourcing enterprise should be aware of the risks that vendors bring to the table.

Though vendors bring in many operational and information security risks depending on the business engagement, only a methodology for managing 3rd party information security risks is discussed here.

To give a sense of the impact that vendor information security risks have on organizations, below are some findings from surveys conducted by Big 4 consulting companies such as PwC & Deloitte.

“The number of data breaches attributed to 3rd party vendors has increased by 22% since 2015” – Source: PwC

According to Deloitte, “94.3% of executives have low to moderate confidence in their third-party risks management tools & technology, and 88.6% have low to moderate confidence in the quality of the underlying Information Security Risks management process”.

Now that we know the problem, how do you begin resolving it?

A good place to begin is with the sourcing team and/or procurement team, depending on how your organization is set up. In an ideal world, these teams are expected to have an inventory of all vendors, 3rd parties & partners of your organization.

Once this inventory is in place, the IT vendor risk management (IT-VRM) team needs to segregate the IT vendors from the non-IT ones. This is a one-time activity. For future needs, it is recommended that the sourcing team segregate vendors based on their business engagement (IT vs non-IT).

Understanding your Vendors & the Information Security Risks they carry:

One of the simplest & most efficient ways to understand your vendors is a scoping checklist that details the vendor's business with your organization, the kinds of data touchpoints & exchanges, and the kinds of information security risks your organization is exposed to by this outsourced business.

This information is usually available from the vendor manager who represents your organization in the vendor relationship.

Below is an indicative (not exhaustive) list of information security risk pointers that you might want to ask your vendor manager about.

  • Regulatory risk – Does this relationship affect your regulatory posture? What is the penalty associated with such regulatory non-compliance?
  • Reputational risk – Does this service impact your clients & the reputation you hold with them?
  • Financial risk – Is there any financial risk associated with the business engagement?
  • Information security risks – What data are shared as part of the business engagement with the vendor? How secure is the vendor with regard to protecting your organization's data?
  • Resiliency risks – Does the vendor introduce any single points of failure into your business practices?

To determine the level of assessment to be performed on the vendor, you will need to understand the vendor's business operating model.

Below is an indicative list of themes that you might want to discuss with the vendor manager to understand the scope of the vendor assessment.

  • Data attributes shared with & received from the vendor, the volume of data & the frequency of exchange
  • Mode of communication/interfaces with the vendor – mail, remote connection to the vendor's network, remote connection from the vendor into your internal network, data upload only, data download only, or vendor staff brought on-site who connect from your offices to provide services
  • Services provided – data center services, application provider, cloud service provider, data processing services, & many others

Information Security Risks Rating, Assessment recurrence & Assessment type:

Cybersecurity and Third-Party Risk: Third Party Threat Hunting

Tags: 3rd party risks, Vendors security risks