Third Party – Minimizing Organizational Exposure by Mitigating the Wild Card in Security Strategies

2019 Shared Assessments Third Party Risk Management Toolkit Helps Organizations Replace FUD with Actionable Insight, Risk Management Best Practices, and Invaluable Tools.

by Catherine A. Allen, Chairman, and CEO The Santa Fe Group

The list of major data leaks caused by third parties grows almost daily. Third party vulnerabilities, exposure incidents, and hacks have been at the root of many of the last three years’ most troubling breaches.

“Third-party IT security risks can cause millions of dollars in loss and damage, and possibly irreparable harm to an organization’s reputation,” said Glen Sgambati, risk management expert with Early Warning Services.

Bad actors are increasingly organized, well-funded, determined and patient. They’ll apply the time and resources needed to successfully breach their chosen potential victim. They occasionally strike for political reasons, but more often their goal is financial gain.

The IT infrastructures of partners and other trusted third parties are one of a cyber criminal’s preferred pathways into a chosen target domain. This burdens organizations with thoroughly assessing and addressing the potential risks and vulnerabilities of all partners, vendors and other third parties, as well as their own in-house vulnerabilities – an overwhelmingly broad intelligence-gathering mission for even the largest company, given the inventiveness and diligence of bad actors.

Diligence obligates the C-Suite to ensure that their organizational risk management strategies and practices anticipate and manage the full spectrum of risks that result from interactions with physical and digital ecosystem partners, while sustaining the agility to adapt to the ever-changing threat landscape. Assessing and addressing the current state of corporate readiness and minimizing the organization’s exposure to unplanned events and their consequences is crucial.

Many of the world’s top financial institutions, energy and critical infrastructure entities, consumer goods corporations, manufacturers and security-minded organizations of all sizes combat the problem together as part of the Shared Assessments member community. The member-driven consortium leverages the collective intelligence and risk management experience of a diverse cohort of practitioners, spanning industries and perspectives. The ‘intelligence ecosystem’ produces independent research, and drives best practices, tools, and certification standards that are used by thousands of organizations.

Its latest creation – the 2019 Shared Assessments Third Party Risk Management Toolkit – enables organizations to manage the full vendor assessment relationship lifecycle: from planning a third-party risk management program, to building and capturing assessments, to benchmarking and ongoing evaluation of a program.

Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools:

The VRMMM evaluates third-party risk assessment programs against a comprehensive set of best practices. The VRMMM has always been the go-to place to understand the major building blocks of any vendor risk management program. Broken into eight categories, the model explores more than 200 program elements that should form the basis of a well-run third-party risk management program. The VRMMM’s eight categories are Program Governance; Policies, Standards, and Procedures; Contract Development, Adherence, and Management; Vendor Risk Assessment Process; Skills and Expertise; Communications and Information Sharing; Tools, Measurement, and Analysis; and Monitoring and Review.

The VRMMM has been updated and improved annually since 2013 and is the longest running third-party risk maturity model, vetted and refined by hundreds of the most experienced third-party risk management professionals and the basis for an annual published study. The VRMMM Benchmark Tools are free and available at vrmmm.

Standardized Information Gathering (SIG) Questionnaire Tools:

The SIG employs a holistic set of industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency and data security risks. Think of it as the “trust” component for outsourcers who wish to obtain succinct, scoped initial assessment information on a third party’s controls. It also lets partners reduce initial assessment duplication and assessment fatigue by supplying their own SIGs to outsourcers.

Standardized Control Assessment (SCA) Procedure Tools:

The SCA assists risk professionals in performing onsite or virtual assessments of vendors. This is the “verify” component of a third-party risk program. It mirrors the 18 critical risk domains from the SIG, and can be scoped to an individual organization’s needs.

GDPR Privacy Tools:

Timely and immediately useful components that help organizations meet regulatory requirements on “controllers” (i.e., the organization that outsources services, data, etc. to third parties), who must appoint and monitor Data Processors (i.e., third parties/vendors). The Privacy Tools can be used as part of a holistic privacy management program that reaches beyond the scope of GDPR, and can be used both to assess service providers and to manage an outsourcer’s privacy data controls. The GDPR Privacy Tools cover both Trust and Verify for Privacy and track the inventory of where data is located.

New and Lighter Architecture, Custom Scoping, Assessment Streamlining

The toolkit’s lighter architecture supports new speed and flexibility in creating, administering and storing risk assessments. It also features a new Content Library of standardized questions and vertical-specific questions, and the opportunity to add custom questions and build questionnaires on the fly – ensuring standardization while also allowing customization.

Among other updates are:

  • Custom Scoping allowing organizations to scope by Domain, by Category, by Authority Document, by Tiered Scoping or by Individual Question Scoping.
  • SIG and SCA Integration enabling outsourcers to create a Standardized Control Assessment (SCA) Procedure Tool for onsite or virtual assessments.
  • Constant Regulatory and Privacy Legislation Updates: The Toolkit is constantly updated with the most relevant and current US and International regulatory and privacy content such as NIST 800-53r4, NIST CSF 1, FFIEC CAT Tool, the EU GDPR and PCI 3.2.1.

The Toolkit’s components were designed to work together to help third-party risk practitioners with all aspects of the third-party risk management lifecycle – an Olympic-level task made considerably less daunting and far more efficient and programmatic by Shared Assessments.

Sgambati notes: “The continually escalating pace of attacks and the innovation that bad actors now employ means that organizations must be continuously vigilant. Given the scope of the threat, no one organization can go it alone. The Shared Assessments 2019 Third Party Risk Management Toolkit is an asset that affords risk management professionals speed and flexibility in creating and conducting vendor assessments.”

About the Author

For more than 30 years, Catherine A. Allen has been an outstanding leader in technology strategy and financial services and a key thought leader in business innovation. Today, Catherine is Chairman and CEO of The Santa Fe Group, a strategic consulting company based in Santa Fe, NM. The Santa Fe Group specializes in briefings to C-level executives and boards of directors at financial institutions and other critical infrastructure companies and provides management for strategic industry and institutional projects, including the Shared Assessments Program, focused on third-party risk. Catherine currently serves as a board member of Synovus Financial Corporation and El Paso Electric Company and is a member of the Risk, Energy and Natural Resources, Public Policy and External Affairs, and Nominating and Governance Committees. She chairs the Security Committee for El Paso Electric. She is co-chair of the University of Missouri’s Capital Campaign and sits on the Research and Development Committee. She is also on the board of Women Corporate Directors and the Executive Women’s Forum. She sits on the Advisory Committee for Houlihan Lokey and chairs the Board of Trustees for the National Foundation for Credit Counseling and the board of Appleseed NM. She is also a member of the Museum of New Mexico Foundation, International Folk Art Alliance, Lensic Center for Performing Arts, Communities for Schools in New Mexico, Valles Caldera Trust, and the Mark Twain Research Foundation boards. She was a former board member and Chair of the Technology Committee for Stewart Information Services.

April 24, 2019
