Measuring and Enhancing Third-Party Risk Management (TPRM)

Published January 31, 2024
by Dave Stenger

As organizations continue accelerating the adoption of digital workflows and shifting more resources and data into the cloud, most must turn to third-party service providers and outsourced vendors to evolve capabilities, optimize operations, and keep up with—or stay ahead of—the competition. As third-party vendors gain access to critical company data and critical systems, third-party risk management (TPRM) becomes essential in minimizing and thwarting threats to the organization

Amid the boom of remote work, heavier use of personal devices, potentially unsecured networks, and exponentially more vendors entering the third-party ecosystem marketplace, outsourcing poses another opportunity for a data breach or other cyberattack to strike. Many of the biggest, most infamous, and most costly data breaches in history took advantage of third-party vendors or software vulnerabilities introduced by an outsourced provider. 

According to KPMG’s 2022 Third-Party Risk Management Outlook, 73 percent of organizations have experienced at least one significant disruption due to a third party’s security. In a recent report by SecurityScorecard and the Cyentia Institute, research into more than 230,000 organizations reveals more than 98 percent have a relationship with at least one third party that has been breached within the past two years. Third-party vendors, the report finds, are five times more likely to exhibit poor security compared to the primary organizations themselves. 

What Is a Third-Party Security Assessment?

One of the key elements of a robust third-party risk management program is third-party security assessments. A third-party security assessment is a process in which an external entity evaluates an organization’s security posture or its systems. The primary goal of a third-party security assessment is to identify vulnerabilities, weaknesses, and potential risks in the target organization’s information systems, networks, and processes. Some specific aspects of security addressed in a Third-Party Security Assessment follow.

  • The organization’s network infrastructure security
  • The security of software applications developed or used by the organization
  • Physical access controls to facilities and data centers
  • The effectiveness of security policies and procedures
  • Incident response plans, including the organization’s ability to detect, respond to, and recover from security incidents

Third-Party Security Assessments Best Practices

Measuring and assessing your vendors’ and providers’ security posture helps ensure their practices meet your minimum security standards or industry-specific regulations. Assessing third-party vendors should include the following actions:

  • Define Your Security Requirements – Before you begin conducting regular security assessments, vendors should know your requirements. Clearly define security requirements in vendor contracts. Specify the minimum security standards that all vendors must adhere to, including encryption practices, access controls, and incident response procedures.
  • Classify by Tier and Prioritize Your Most Critical Vendors – Vendor risk management isn’t a one-size-fits-all process. Organizations can save time during provider onboarding or review by grouping vendors by tiers and customizing security assessment efforts based on how critical they are to operations. Not all providers present equal levels of risk. The security posture of vendors with access to sensitive proprietary information, customer payment data, or payroll details, for example, should be a higher priority with enhanced scrutiny over those that don’t.
  • Use a Control-Based Questionnaire – The Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire is one example of an industry-standard questionnaire designed to assess levels of risk and multiple aspects of a provider’s security. Industry-specific alternatives—such as the Higher Education Community Vendor Assessment Toolkit—are available, and preferred questionnaires should be tailored to address topics specifically relevant to an organization’s unique needs. The scores, patterns, or trends uncovered can illuminate a third party’s areas of strength or weakness in their security controls.
  • Subscribe to Threat Intelligence Feeds – Automated threat and risk intelligence feeds can provide valuable updates on new vulnerabilities and evolving risks, helping organizations stay proactive and on top of their immediate responses and long-term planning against threats. eSecurity Planet and Comparitech have compiled their top picks for the best threat intelligence feeds, many of which allow for configuring custom alerts for specific conditions. If new vulnerabilities are discovered, or data breaches occur involving one of your organization’s third-party providers, your organization will be alerted, allowing you to act swiftly and decisively.
  • Review Regulatory Compliance & Certifications – Ensure that vendors are compliant with relevant regulations and standards. Certifications such as SOC2, ISO 27001, and other widely recognized benchmarks provide additional third-party verification of vendors’ security posture and practices. Ensure that your organization’s outsourced providers’ certifications are up-to-date and valid. Any expired or outdated certifications could indicate a lapse in the vendor’s commitment to responsible security processes.
  • Vulnerability Scanning and Penetration Testing – Whereas questionnaires, intelligence feeds, and organizations’ certifications can offer valuable insights, they’re reliant on self-reported data and theoretical or hypothetical responses to threats. Comprehensive vulnerability scanning and simulated penetration testing offer hands-on, unfiltered, and real-world testing of providers’ security controls. Penetration testing as a service (PtaaS) options can be scaled and customized to assess various aspects of a third party’s security infrastructure. These services give organizations unparalleled looks into providers’ holistic security posture when combined with continuous vulnerability scanning.

TPRM processes and vendor security assessments should be part of every organization’s ongoing mission toward a stronger security posture. Safeguarding internal systems and infrastructure against third-party vulnerabilities can help accelerate new-provider onboarding and optimize the use of organizations’ resources during periodic reviews. 

The RAMPxchange marketplace is a valuable resource for discovering and connecting with third-party providers committed to enhancing their security posture. Learn more about our mission and join the coalition today.