This document provides guidance on how operators should assess the security of vendor’s security processes and vendor equipment and is referenced in the Telecom Security Act Code of Practice.
The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.
What entity, or sector doesn’t engage with a third party in some way, shape or form? Not many. The reality is that outsourcing, contracting and subcontracting happen all the time and is the norm as businesses continue to embrace the core/context mindset and division of labor. The more you outsource, the more you need to have a robust third-party risk management process (TPRM), also known as vendor risk management, plan in place.
Risk management is not new, but the current iteration of TPRM logic typically focuses on three parts:
Risk assessment and analysis
Risk evaluation and
Risk treatment.
I had the pleasure of chatting with David Medrano, director of third-party risk management at Morgan Franklin, who shared his insight on the importance of TPRM and vendor oversight. Medrano explained that many enterprise entities may have over 1,000 separate third-party engagements and, therefore, must have a methodology to measure the risk each of those presents.
Medrano said that while many entities know their contractors, they may lack visibility into the contractor’s contractor; thus, a daisy chain of outsourced work may be taking place which places data at an unknown level of risk as the third party shares it with a fourth party and so on. The most important thing an organization can do, in this case, is to categorize vendors in the planning/strategy phase. Suggested risk buckets may include critical vendors, physical vendors and technology vendors.
“Bucket them according to how and what they do and how their third-party actions present a risk to you,” Medrano said. The risk from the coffee vendor, for instance, is not the same as the risk provided by an MSSP. He advised caution with regard to allowing more risk to be accepted than the vendor’s worth or value to the enterprise.
Medrano also advised keeping the methodology used uniform, as that can help manage risk while also showing customers, regulators and compliance entities that the company has a methodology in place to measure and address risk and explains the company’s thought processes with regard to its actions.
TPRM Tools
Ironically, there are a plethora of vendors (yes, third parties) who are prepared to provide you with tools to create your TPRM program, there are also standardized methodologies available from the U.S. government. For example, the National Institute of Standards and Technology (NIST) has created a TPRM framework to help companies create a consistent and uniform TPRM plan which is adaptable to their unique needs. The NIST framework can help you:
Prepare – Essential activities to prepare the organization to manage security and privacy risks
Categorize – Categorize the system and information processed, stored and transmitted based on an impact analysis
Select – Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
Implement – Implement the controls and document how controls are deployed
Assess – Determine if the controls are in place, operating as intended and producing the desired results
Authorize – Senior official makes a risk-based decision to authorize the system (to operate)
Monitor – Continuously monitor control implementation and risks to the system
In sum, every business unit should be using a TPRM system, regardless of if their engagement with third-party vendors is centralized or decentralized. Additionally, uniformity in the assessment is of paramount importance, Medrano said.
This document provides guidance on how operators should assess the security of vendor’s security processes and vendor equipment and is referenced in the Telecom Security Act Code of Practice.
The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.
Recent data indicates that they are inconsistent (at best) when it comes to digging deep enough for clues of security issues lurking in the enterprise’s vendor and partner ecosystem. Even more troubling? Very few TPRM security assessments result in remediation action.
So TPRM programs are nominally jumping through hoops to ask vendors about or observe their security controls. But few of them are actually doing much to work with their vendors to bolster the security of these third-party IT environments.
This was one of the key findings of a recent report compiled by Cyentia Institute on behalf of RiskRecon. Conducted among 154 TPRM professionals operating in a range of industries, the study showed that a whopping 81% of respondents admit they rarely require remediation from third parties after an assessment.
And that’s not because everything is fine and dandy with these vendors’ security controls. The survey showed that a slim 14% of these professionals are highly confident that their vendors are performing security requirements. That’s not from an utter lack of investment. At this point some 79% of organizations have a formal TPRM program, with a median of at least two full-time employees. Some of these programs are just getting underway, but many have been established for some time and the average age of these programs is now five to six years.
Obviously, these investments in TPRM programs are not being fully realized through effective risk reduction, so what gives? The survey results indicate that this may be classic checkbox compliance scenario. According to respondents, regulatory compliance is the runaway top driver for development of their company’s TPRM program. Some 62% cited compliance as their number one motive for running a program, in contrast to just 22% who named executive mandates and 16% who cited customer requirements.
This likely explains why so many organizations today still rely so heavily on security questionnaires, as that’s the bare minimum required by most compliance regimes. The survey showed that twice as many organizations regularly utilize questionnaires – 84% – as compared to those (42%) who utilize a more verifiable assessment method like cybersecurity ratings. This is in spite of the fact that only about one in three TPRM professionals actually believe questionnaire responses.
Clearly there’s more work to be done. The good news is that the forces at play within the TPRM world are following a maturity playbook that most cybersecurity and risk professionals know well.