Third-party risk from your suppliers is an ever-increasing problem. Many attacks originate with third parties, whether through malicious software packages, compromised supplier systems or simply poor cyber security governance on the supplier's side.

We work with numerous clients to understand their organisations, their business context, the threats they face, their risk appetite, senior management, geopolitical nuances and their supply chain. Every organisation prioritises and handles its risk differently depending on these factors, but there are key actions all organisations must take (they also align with the supply chain risk management controls in NIST SP 800-53 Rev 5):

Request

Suppliers and key partners need to provide you with substantive information about their own cyber security policies, processes, procedures, capabilities, monitoring and governance: the evidence that makes them an organisation you can safely do business with.

Requests can be made via questionnaires, interviews or informal discussions, but this is the third party's chance to articulate what they do and don't have, what they do well and where there are gaps to be addressed.

Review

The third party should be able to provide you with the following, at a minimum, for you to review:

  • Information security policy and procedure(s)
  • External validation reports e.g. vulnerability assessment, penetration testing or code reviews
  • Incident response / disaster recovery (DR) capabilities
  • Security resources and monitoring in place
  • Their own requirements and validations for their 3rd parties
  • Accreditations* / Audits

*Be careful of any third-party supplier presenting their own IT, datacentre or cloud provider's SOC 2 report (or similar) as validation of their own capabilities. A report on a subservice organisation attests to that organisation's controls, not to the supplier's. SOC 2 audits and reports should be scoped to the third party in question, cover the services you actually consume, and be current.


Validate

Validation is critical. A third party may hand over all the documentation they have, but you still need to confirm that the policies, processes, resources, tooling and capabilities described are actually implemented and effective.

Validation can be achieved in numerous ways, but is predominantly done via:

  • Independent external validation reports, scoped to the supplier and its relevant systems
  • On-demand code review or scans of their infrastructure
  • Requesting further vulnerability assessments, penetration testing or cyber security maturity reviews to confirm the capabilities claimed are in place

Our consultants work with organisations to identify their most critical suppliers and advise on strategies, processes and reviews of those third parties to ensure they meet or exceed the cyber security requirements you have implemented within your own organisation. A third party that wishes to work with you and provides systems or services must be willing to demonstrate its own cyber security maturity; if it cannot, it is futile to do business with them, as they will likely become your organisation's weakest link.

Get in Touch

Contact us

KEEP cyber security services
