Training Session Video
Every company has its own third-party due diligence method, mostly a mix of questionnaires, open source investigations and sometimes onsite assessments. This is not efficient in today's world: vendors are forced to spend hundreds of hours each year filling in questionnaires with the same or similar questions over and over again, and it makes little sense for every outfit to ask its own questions that are very similar to everyone else's. But CISOs are reluctant to trust BitSight/RiskLedger/other third-party compliance snapshots. So, how do we do dynamic assurance in a collective manner?
Last year, we said we should have a restricted open source platform where the members would agree on a framework and scoring system for third-party due diligence from a cyber perspective (it may later be expanded to other compliance areas too). We later found out there are a few commercial platforms, such as OneTrust Vendorpedia / RiskLedger / IHS Markit KY3P, and this year we will continue the discussion on the CISOs' view of these and the potential limitations they are facing.
Things to consider:
[These are from last year]
Are we assessing the corporate controls of the vendor, the security of their solution, or both?
Which framework or frameworks are best suited for this? MITRE, NIST, ISO?
Scores on maturity, plus flags on the category of information classification that is recommended to be shared with the vendor (i.e. do not share non-public information with this vendor until they remediate findings A, B, C).
Funding for the activities: should we form a consortium like what FS-ISAC does for threat intelligence?
If the third party is a critical outsourcing partner, would the standard evaluation be sufficient, or should there be additional things to consider?
Watch this space.
In the last ten years, every job I have had included third-party assurance work, and I kept sending similar questionnaires to the same vendors over and over. This needs to be improved, and in this era of open-sourcing everything, we can do better.