8669820865?profile=original

 
 

In modern days, businesses are increasingly looking forward towards outsourcing to third party vendors. Biggest challenge for these organisations going forward is to list out critical, trustworthy vendors and keep an eye on them, so as to prevent information passing onto fourth party. According to Bomgar, 67% of global IT decision makers reported suffering a breach due to unsecured third-party access. We had a panel discussion on "Quantitative Approaches for Measuring Third and Fourth Party Risks" at our CISO Platform Top 100 Decision Summit 2018, including industry stalwarts like,
 

 

 
Panelists:
  1. Mihir Joshi ( DSP BlackRock Investment Managers)
  2. Manoj Kuruvanthody (Infosys)
  3. Prateek Mishra (IDBI Federal Life Insurance)
  4. Vikas Yadav ( Max Life Insurance )
  5. Rajiv Nandwani (Innodata Inc.) [moderator]

   

 
Key Learning: "Quantitative Approaches for Measuring Third and Fourth Party Risks"

 
 

  1. Third Party- Types of Risks
    1. Business/Financial Risk - Risking the business and revenue due to third party interference
    2. Relationship Risk: Jeopardizing the relationships with several customers and vendors
    3. Operational Risk: Risk of the operations getting disrupted

  2. How to Map out list of vendors, coverings all the risks involved & evaluating the vendors?
    1. Categorizing Vendors on the basis of
      1. Amount of data shared
      2. Amount of money invested
      3. Criticality of vendors, and hence calculating Quantitative Risk Value
    2. Performing Sample Audit on vendors at regular intervals
    3. Using Technology like VDIM to reduce risks from third party vendors, making sure data doesn't flow out.

  3. Fourth Party Discovery Process: Though it's a gray area, but there are few ways to discover breaches due to Fourth Party
    1. Including a fourth party questionnaire in your due diligence process, before beginning relationship with the third party at the actual time of incident

  4. Regular Monitoring of Third Parties including Breach, if any
    1. Specifying breach lubrication clause in contracts/Agreements with Vendors
    2. Inclusivity: Rather than being a supervisor on vendors, be an adviser for its security assessment.
    3. Continuous vendor risk management risks solutions can be implemented. Example: Firecompass, Bitsight.

  5. In a nut shell, it can be concluded that,
    1. Well-documented contracts/agreements plays a vital role in third & fourth party risk assurance
    2. Regulatory compliance needs to be mentioned in contracts
    3. Business Unit must have a Third Party Risk Management Framework in place
    4. Tools like DRM, sample audit can be handy in identifying 3rd and 4th Party Risks

 
 
 Would you like to share your key learning ? Sign Up and write a blog ! It's free

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)