Taking steps to secure your organization and communicating to your stakeholders is no small feat. As you level up your organization’s Information Security program, it is important to consider how all of your suppliers likewise support your business and protect your data.
Although the phrase “a rising tide lifts all boats” is usually attributed to former President John F. Kennedy, it is not clear who first said it; either way, the aphorism certainly applies to the world of Information Security and Third Party Risk Management (TPRM). TPRM is a form of risk management that focuses on identifying and reducing the risks introduced by third parties. These third parties could be suppliers, vendors, partners, contractors and/or service providers. Any third party that receives your organization’s confidential data, or that your business relies on to operate, should be reviewed in a manner that identifies the risk of doing business with it. To put it another way, a supplier with an Information Security Management System (ISMS) and a business continuity, disaster recovery and incident response plan can be relied on to keep delivering, whereas a supplier that has none of these is far more likely to suffer downtime and to expose your confidential information.
Steps to build out a TPRM program
- Identify
  - Start by identifying all of the third parties, vendors, partners and tools used by your organization.
- Define, classify and prioritize
  - Data types (confidential, PII, data subject to HIPAA or GDPR)
  - High, medium and low risk categories of vendor
  - Data location: stored externally, stored internally, or software installed in house
  - Third parties crucial to production/sales
  - Frequency of ongoing reviews: annually, bi-annually, or a one-time onboarding assessment
- Assess risk
  - What information do the third parties have and where is it stored?
  - Identify stakeholders and owners
  - What risk matters to the organization: organizational, compliance, reputational, financial and strategic
  - Determine the security frameworks and regulatory requirements
  - Assess risk on individual third parties
- Utilize technology
  - Automate processes
  - Monitor for ongoing risks/incidents
- Offboarding third parties
  - Removing access
  - Deleting or returning data
A proper TPRM program is an inventory of the partners that have or use your data and of how they handle it. Regardless of the maturity or scope of your program, you should also take into account fourth party relationships, that is, the third parties your vendors themselves use to perform business functions. Common fourth parties are cloud and data center/colocation providers such as AWS, Azure and GCP.
In the next article, we will look into securing an Office 365 environment with some simple scripts and cost-effective best practices.