Incident Response and Third-Party Risk

December 7th, 2015 by Jonathan Dambrot

Today, the Shared Assessments Program released a briefing paper titled “Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program”.  The paper was developed out of great necessity, as it became clear that Program members needed additional guidance when managing incidents at the service provider level.

The goal of the paper is to offer a guide on effective third-party incident management across three distinct stages:

  1. Pre-incident
  2. During the incident
  3. Post-incident

Incident response has become a hot topic for organizations of all sizes as the level and sophistication of cyber-attacks continue to increase. Additional requirements around the protection of data, as well as notification requirements, seem to be dominating the conversations with regulators and at the board of directors’ level. Although there is a significant trove of information available on incident management, the topic of incident management and response in relation to a third-party outsourcing agreement has been notably missing.

Born as a project within the Shared Assessments Program’s Standardized Information Gathering (SIG) Development Committee, the briefing paper was developed by a group of industry thought leaders and contributors to the Shared Assessments Program who have experience in incident management at third parties. It represents a great effort by those involved and I expect the final product will help companies of all sizes better prepare for and manage monitoring their third parties’ incident event management programs. I would like to thank everyone who participated in the Third-Party Incident Response Subcommittee in support of the paper.

The next step is to determine the applicability of the information presented within the briefing paper to be included in the SIG itself or potentially as a separate Shared Assessments Program Tool.  If you find the briefing paper interesting and choose to incorporate it into your organization’s best practices, I would love to hear about whether it was helpful, led to changes in your organization’s approach and/or if you believe improvements should be made to the paper.  My organization, Prevalent, Inc., along with others on the Shared Assessments Program’s SIG Development Committee, will be hosting a webinar with more detail about this paper today and will make the webinar replay available within the coming weeks.

Please send comments on this subject to Jonathan Dambrot at blog@prevalent.net.
