Let’s Reassess How You Think About 3rd Party Assessments!
Caveat: We can’t possibly provide a complete 3rd Party consulting framework in a short blog. This post is to provide you with a new framework for 3rd Party risk and new thinking in assessments.
First, let’s clearly define what a 3rd Party is. We believe they encompass all of the following: suppliers, 3rd Party agents, contractors, distribution centers, call centers, contract manufacturers or assemblers, outsourcing firms, service providers (SaaS, Cloud, and a thousand more).
Second, understand the following:
- You have already been breached and don’t know it. So get your head around that.
- Change is constant, and the result is asymmetrical warfare against your firm – from lone wolf hackers to disgruntled employees to state-sponsored programs.
- There will be more regulations, not less.
- You will have more 3rd Parties or more exposure to existing 3rd Parties than you do now.
- Silos of information kill.
Third, detail your 3rd Party process as it exists today and compare it to this list:
- 3rd Party Registration
- Qualification In or Out
- Onboarding Process
- On-Going Review and Assessments for Risk and Compliance
- Performance (SLA) Review
- Random Audits, Inspections, Assessments on New Vectors/Threats
Fourth, drill down even further with the following diagnostic questions:
- How many assessments do you do per quarter?
- How many 3rd Parties do you maintain, and how often do you do assessments?
- Why do you need to assess these vendors?
- Do you assess everyone and in the timeframe you want to?
- What is your current assessment process?
- What tools are available to use?
- How many steps are there?
- Who does it?
- Is this on top of their regular job, or is it a separate function/role?
- What is the average length of time that it takes to complete an assessment?
- Do you find that you are asking the same or similar questions over and over again?
- Do you have any method of tracking answers and how they change over time?
- Do you have a way to view historical answers?
- Where are assessments and any documentation stored?
- What kind of reporting do you have?
- Does it meet your needs?
- Does it give you the intelligence you need to make the right decisions?
- Which stakeholders need to see this reporting?
- Any specific risks these people care about the most?
- What software tools, if any, are you using?
- What systems would it need to integrate into if you had a solution for this?
Next week for our final blog post in this series, we will provide a solution for decision making that will prevent you from entering the assessment trap, avoid the manual maze and legacy GRC systems, all while helping you in this new way of thinking about assessments.