A third-party’s perspective on third-party InfoSec risk management

More than ever, organizations are relying on third parties to streamline operations, scale their business, expand and leverage expertise, and reduce costs.

In the complex and fast-moving world of cybersecurity-meets-regulations, working with third parties requires diligent third-party risk management oversight to monitor data management and processes. Improving InfoSec risk management can provide insights into how data is handled, the security safeguards in place to protect that data, potential security weaknesses, and better adherence to the multitude of data, security, and privacy regulations.

Having visibility into your third parties’ risk is critical and the stakes are high — 84 percent of risk management teams have overlooked a third-party issue, according to Gartner. Don’t let this happen to you.

Fine tune your third-party risk management approach

Teleperformance is the most third-party-managed-company in the world, the trusted omnichannel solutions provider for 850 of the Fortune 1000 companies. Overseeing 400+ internal audits last year, we have firsthand experience with how organizations can get a better handle on third-party risk management, InfoSec due diligence, and alignment with security strategy:

Have clear contractual requirements around regulations…and update them

Is everyone on the same compliance page? Does your third-party entity understand your company’s expectations? With the myriad of regulations, standards, state-specific laws, and global laws around data — ISO/IEC 27001, PCI DSS, SOC 1, SOC 2, GDPR, California Consumer Privacy Act, HIPAA, HITRUST (to name a few) — make sure your contracts are regularly updated to reflect the latest regulations.

Consider this: You may not need to spell out the requirements that are covered in certifications in the contractual language, such as ISO 27001 or PCI DSS. This extra step is not necessary if you require your third party to provide certification documentation annually as external audits are completed.

Focus on the most important risks

When outsourcing services, what are your organization’s top risk priorities? Cybersecurity? Information security? Compliance? Physical security? Human resources security? Whatever they are, make them a priority for your third parties to align with and check on those priorities regularly.

For example, if you are outsourcing credit card processing or healthcare services, you need your third party to adhere to PCI DSS, HIPAA, and HITRUST controls and requirements at the minimum.

Launch a customer risk assessment

A risk assessment will examine all areas of information security, policies, and standards to identify possible risks, threats, and hazards. Once these have been identified, you can assess if and how you can mitigate the risks with controls, processes, or people. Identify what’s not perfect and then improve from there.

Do onsite audits

Not all your third parties pose the same risks. For those that have access to your IT environment or store your company’s data, onsite audits are the only way to truly understand the risks you are accepting and ensure the third party meets your contractual requirements. Third-party agreements should include a right-to-audit clause that will allow you to assess if the third party is acting in compliance with the agreement.

Ask to see documentation and proof

To ensure that compliance and audit requirements are met, ask to see certifications and audit trail paperwork. Data protection is more than a checkbox. It’s important to review your third parties’ cybersecurity policies regularly. Be reassured that your third party is maintaining appropriate levels of security controls and continually monitoring and adhering to regulations.

Assess what value you derive from a third-party risk manager

As ironic as it may sound, many clients use third parties to do their InfoSec due diligence on their behalf. If you already require your third parties to have industry-wide recognized certifications, hiring a separate third-party risk manager may be unnecessary.

While this is a growing market niche, many of these services are redundant to the rigorous ISO, PCI, and HIPAA certification processes involving accredited external auditors and onsite audits.

Ask questions

Keep your vendors on their toes. Ask if the third-party employees are trained in cybersecurity practices. Are those who handle or process your sensitive data cyber savvy? Do they undergo regular training on phishing and hacking, for example?

Third-party risk management is more than a checklist, especially when navigating cybersecurity, regulatory, reputational, and operational risks. Effectively protecting sensitive information, building brand reputation, scaling globally, and compliance adherence are just some of the reasons organizations need to up their third-party risk management game.