Third-Party Risk Prioritization Checklist

07 March 2023

Read NCC Group's guide to creating an efficient Third-Party Risk Program (TPRM). 

The traditional method of assessing third parties is broken. Many companies send out ineffective questionnaires that do not address risk because they lack the resources to support a proper program and simply need to check a box. The first step to a quality third-party risk program? Focus on establishing a robust method for prioritization and focus your resources on critical third parties.

Follow this prioritization checklist to identify your highest-risk third parties.

Have an accurate inventory of vendors and filter by security concerns.

Third-party lists become outdated because of changes in POCs and services offered. As simple as it seems, maintaining an accurate inventory is often overlooked. Next, organize by security concern (companies that store your data, have access to your environment, or that provide a tool or software) and create an assessment approach by vendor type and priority. Focus your efforts only on those vendors that need to be assessed.

Tailor the required controls based on the services/products being provided.

Asking about access controls and encryption makes sense for a vendor that's storing your data. In this case, requesting background checks or general information about security policy would provide little to no value. Instead, why not focus on the data encryption standards or change control procedures that could directly impact your data?

Avoid generic questionnaires at all costs.

Why send a blanket questionnaire to third parties when you lack a clear understanding of what they do for you? Generic questions will get broad answers and convoluted results. Instead, be more focused and prescriptive in what controls you expect of the third party and how they directly address risks to your organization.

Treat your TPRM program as a partnership with the third party.

Organizations may need time to adhere to your control requirements, especially when working with small organizations and startups. Working with a third party as part of a corrective action plan (CAP) process could help build the relationship, support the business, and provide better visibility into the controls being implemented. More partnership, less audit.

Establish a strong line of communication upfront.

Auditing a vendor without proper communication is a good way to start a fight and tee up an adversarial relationship. Make sure to identify key personnel within the organization, such as a technical point of contact that can speak to the control information you need. Maintaining multiple points of contact can keep the process going in the event that your main stakeholder leaves the organization.

Assign dedicated resources to your program.

Maintaining the above points on prioritization can require a significant amount of time and effort, which are typically not accounted for within third-party risk programs. If internal resources cannot be dedicated, leverage an external firm and/or include a tool to speed up the prioritization process.

Once you've checked off the above points, you'll be ready to complete a focused assessment for your most important vendors.

NCC Group's Third-Party Risk Management services can help assess the security capabilities of key partners to provide a clear picture of the risks they represent.