Third Party Assurance

Didar Gelici

Alan Jenkins

Tony Richards

Demi Ben-Ari

Elad Shapira

When (day):

Wed

At:

17:00 - 19:00

Track:

CISO and Risk Management

Topics:

Watch

Zoom link will be available very soon

Register:

Add this session to my schedule

Training Session Video

Session Slides

Why

Every company has their own third party due diligence method. Mostly a mix of questionnaires, open source investigations, sometimes onsite assessments. This is not efficient in today’s world as poor vendors are forced to spend 100s of hours each year filling in questionniares with same or similar questions over and over again. It’s not efficient for every outfit to ask their own Qs that are very similar. But CISOs are reluctant to trust BitSight/RiskLedger/other 3rd party compliance snapshots. So, how do we do dynamic assurance in a collective manner?

What

Last year, we said we should have a restricted opensource platform where the members would agree on a framework and scoring system for third party due diligence from cyber perspective. (later may be expanded in other compliance areas too) We later found out there are a few commercial platforms like OneTrust Vendorpedia / RiskLedger / IHS Markit KY3P and this year we will continue the discussion on CISOs view on these and potential limitations they are facing.

Things to consider:

[These are from last year] Are we assessing the corporate controls of the vendor or their solution’s security, or both? What framework or frameworks best suited for this? MITRE, NIST, ISO?? Scores on maturity, flags on category of information classification that is recommended to be shared with the vendor (i.e. do not share non-public information with this vendor until they remediate findigns A, B, C) Funding for the activites - should we form a consortium like what FS-ISAC does for threat intelligence? If the third party is critical outsourcing partner, would the standard evaluation be sufficient, or should there be additional things to consider.

Outcomes

Watch this space.

Who

In last ten years, every job I had included third party assurance work and I kept sending similar questionnaires to same vendors over and over. This needs to be improved and in this era of open sourcing everything, we can do better.