Governance and oversight are essential for any third-party risk management (TPRM) program. It is crucial to identify and monitor your important suppliers and their weaknesses. However, even the most organized third-party risk manager can struggle to manage third-party risk without proper oversight.
Without proper program governance, your organization may not have the right processes, people or technologies in place to manage third-party risk effectively. This compromises your organization’s ability to reduce the chances of a data breach, mitigate operational challenges, and ensure that the company can remain compliant with a myriad of regulatory regimes.
In this post, we define governance and oversight, identify key attributes of a well-governed TPRM program, and recommend steps to ensure your TPRM program has proper oversight.
Governance and oversight are the disciplines where organizational stakeholders identify, establish, manage, monitor and improve processes. In most cases, this means using a governance framework and creating your TPRM program based on agreed-upon standards and practices.
Many third-party risk management programs prioritize monitoring cybersecurity as the main risk category. For that reason, we’re going to look more closely at the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 guidance as a framework for governance and oversight in TPRM. Specifically, we will examine the Govern function introduced in the new version of the NIST CSF.
A new function introduced with version 2.0, Govern is foundational and designed to inform how an organization will achieve and prioritize the outcomes of the other five Functions in the framework – Identify, Protect, Detect, Respond, and Recover – in the context of its broader enterprise risk management strategy. The Govern function includes oversight of the cybersecurity strategy, roles, responsibilities, policies, processes and procedures, and it centralizes cybersecurity supply chain risk management guidance.
GV.SC-01, the first component of the Govern function, focuses on establishing the core objectives, policies and processes for TPRM internally. Collective understanding and consensus among internal stakeholders is key for long-term TPRM success. This part of the NIST CSF involves developing a comprehensive program that is in line with your organization's information security, risk management, and compliance programs.
All internal stakeholders should be aligned on the policies, procedures and overall strategy of TPRM. Your program should also optimize the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding – according to your organization’s risk appetite.
This second facet of the Govern Function, GV.SC-02, relates to defining clear roles within the program for external participants. You can do this by using a RACI matrix to determine who is responsible at each level in the TPRM program. Arguably the more important piece here is communicating to your vendors, suppliers, partners and customers any expectations you have for them under your TPRM initiative.
Vendors, suppliers and partners need specific roles in the TPRM program and take accountability for tasks such as timely delivery of their completed assessments and supporting evidence, incident response, and ensuring their security controls are fully implemented.
A critical feature of governance and oversight for TPRM is tying the program into the larger enterprise risk management or information security program as noted in GV.SC-03.
Trying to manage this initiative as a separate track within your company is a recipe for long-term disaster. Practically, this means aligning assessments and continuous monitoring of vendor cyber, operational, financial and reputational risk with your organization’s broader cybersecurity monitoring, as well as incorporating supplier key performance indicators (KPIs) and key risk indicators (KRIs) in line with your organizational priorities.
GV.SC-04 in the NIST CSF refers to tiering suppliers based on how critical they are to the business. To do this effectively, you need to quantify the inherent risks for all third parties that interact with your business. You can calculate inherent risk using qualifiers such as:
Once you’ve quantified the inherent risk of each supplier, you can place them into priority tiers based on risk score and how critical they are to the business. The suppliers that fall into a higher tier than others might require more strenuous stress testing via ongoing assessments and other risk controls.
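The scoring and tiering step described above, as an added example that is not code from the original post or from Prevalent. The qualifiers, their point scales, the weights, the tier thresholds and the reassessment cadence are all assumptions chosen for illustration; an organization would set them from its own risk appetite. One edge case the example handles deliberately: a qualifier with no answer (missing due diligence) is scored as the worst case rather than as zero, so an incomplete intake form can never lower a supplier into a less scrutinized tier.

```python
"""Inherent risk scoring and supplier tiering (the GV.SC-04 step).

Added example: the qualifiers, weights, thresholds and sample suppliers
below are constructed assumptions, not values from the post or from NIST.
"""
from dataclasses import dataclass

# Assumed qualifiers: each maps a categorical intake answer to 0-4 points.
QUALIFIER_SCALES = {
    "data_sensitivity": {"public": 0, "internal": 1, "confidential": 3, "regulated": 4},
    "access_level": {"none": 0, "portal": 1, "vpn": 3, "privileged": 4},
    "business_criticality": {"low": 1, "medium": 2, "high": 3, "essential": 4},
    "substitutability": {"easy": 0, "moderate": 2, "hard": 4},
}
MAX_POINTS = 4

# Assumed integer weights (sum to 100) expressing the organization's risk appetite.
WEIGHTS = {
    "data_sensitivity": 35,
    "access_level": 30,
    "business_criticality": 20,
    "substitutability": 15,
}

# Assumed tier floors on the 0-100 score, and an assumed reassessment cadence per tier.
TIER_FLOORS = ((75, "Tier 1"), (50, "Tier 2"), (25, "Tier 3"), (0, "Tier 4"))
REASSESSMENT_DAYS = {"Tier 1": 90, "Tier 2": 180, "Tier 3": 365, "Tier 4": 730}


@dataclass(frozen=True)
class Supplier:
    name: str
    answers: dict  # qualifier name -> categorical answer from the intake questionnaire


def inherent_risk_score(supplier: Supplier) -> float:
    """Weighted score normalised to 0-100.

    A missing or unrecognised answer scores the maximum for that qualifier:
    unknown exposure is treated as worst case, never as no exposure.
    """
    weighted_points = 0
    for qualifier, scale in QUALIFIER_SCALES.items():
        answer = supplier.answers.get(qualifier)
        points = scale.get(answer, MAX_POINTS)
        weighted_points += WEIGHTS[qualifier] * points
    # WEIGHTS sum to 100, so the maximum weighted total is 100 * MAX_POINTS.
    return weighted_points / MAX_POINTS


def tier_for(score: float) -> str:
    """Map a 0-100 score to the first tier whose floor it meets."""
    for floor, tier in TIER_FLOORS:
        if score >= floor:
            return tier
    return "Tier 4"


def tier_suppliers(suppliers):
    """Return (name, score, tier, reassessment_days), highest risk first."""
    rows = []
    for supplier in suppliers:
        score = inherent_risk_score(supplier)
        tier = tier_for(score)
        rows.append((supplier.name, score, tier, REASSESSMENT_DAYS[tier]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample suppliers (names and answers are illustrative).
SAMPLE_SUPPLIERS = [
    Supplier("payroll-saas", {"data_sensitivity": "regulated", "access_level": "privileged",
                              "business_criticality": "essential", "substitutability": "hard"}),
    Supplier("analytics-vendor", {"data_sensitivity": "confidential", "access_level": "vpn",
                                  "business_criticality": "medium", "substitutability": "moderate"}),
    # Intake form never answered access_level: scored as worst case.
    Supplier("new-vendor", {"data_sensitivity": "internal",
                            "business_criticality": "low", "substitutability": "easy"}),
    Supplier("office-catering", {"data_sensitivity": "public", "access_level": "none",
                                 "business_criticality": "low", "substitutability": "easy"}),
]

if __name__ == "__main__":
    for name, score, tier, days in tier_suppliers(SAMPLE_SUPPLIERS):
        print(f"{name:18s} score={score:6.2f} {tier} reassess every {days} days")
```

The sort order is what drives the "more strenuous" treatment of higher tiers: a Tier 1 supplier lands on a 90-day cadence in this model, while the same scoring run leaves a low-exposure supplier on a two-year cycle.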
To meet the GV.SC-05 requirement in the NIST CSF framework, you must centralize vendor contract management. Additionally, you need to automate the lifecycle of these contracts and enforce important clauses. The full contract lifecycle means the development, distribution, discussion, retention and review of vendor contracts. The key capabilities to fulfill this requirement include:
Including these features in your TPRM program enables you to articulate right-to-audit clauses and establish clear responsibilities in vendor contracts. Then, you can track and manage service level agreements (SLAs) to streamline your governance and oversight of third-party risk management.
Before beginning any formal supplier or third-party relationship, organizations must conduct due diligence to minimize risks. As part of the GV.SC-06 control, centralize and automate the distribution, comparison and management of any requests for proposals (RFPs) and requests for information (RFIs) in line with your third-party risk assessment process.
That central automated solution should enable you to compare RFIs and RFPs on key attributes. This comparison is important because it can help teams create comprehensive vendor profiles. These include information about the vendor's demographics, technologies used, ESG scores, recent business and reputation updates, data breaches, and financial performance.
This level of due diligence will result in greater context for vendor selection decisions. In an ideal scenario, conducting a risk analysis before initiating a formal business relationship means that your residual risk can be lower overall.
In GV.SC-07, the CSF recommends identifying, recording and monitoring the risks that suppliers pose to your business. One of the best ways to do this in your governance and oversight of TPRM is to look for solutions that have a large library of pre-built third-party risk assessment templates. You should conduct these assessments at a few different points in your supplier relationship: onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes or events.
Ideally, a central management system manages these assessments and supports them with workflow, task management, and automated evidence review. The added review capabilities built-in with these solutions enable your team to have more visibility into third-party risks throughout the relationship lifecycle. Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.
Part of this TPRM process also involves continuously tracking and analyzing external threats to third parties. To do this effectively, you need to monitor the Internet and the dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
Understanding the lay of the land in terms of external threats can help you better track any potential risks to your critical infrastructure. You should correlate all of your monitoring data, regardless of source or type, with assessment results from your suppliers. Then, centralize everything in a unified risk register for each vendor.
Unifying all this data enables you to streamline risk review, reporting, remediation and response. Once you have this in place, you can incorporate any third-party operational, reputational and financial data as well. This “non-cyber” data provides needed context to cybersecurity risk data. The centralized data store also enables you to measure the impact of any incidents over time.
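The unified, per-vendor risk register described in the two paragraphs above, as an added example that is not code from the original post or from Prevalent. It correlates external monitoring findings (cyber, dark web, financial, sanctions) with the vendor's own assessment answers, and it surfaces the case a reviewer most wants flagged: a control the vendor self-attested as implemented while external monitoring observed the opposite. The vendor names, control identifiers, finding categories and all sample records are constructed for illustration.

```python
"""Unified per-vendor risk register correlating monitoring data with assessments.

Added example: vendor names, control ids, finding categories, severities and
the category-to-control mapping are constructed assumptions, not data from
the post or from any product.
"""
from collections import defaultdict
from dataclasses import dataclass, field

NON_CYBER_SOURCES = {"financial", "sanctions", "reputational"}

# Assumed mapping: which self-assessment control each external finding category tests.
CATEGORY_TO_CONTROL = {
    "open-remote-admin": "AC-REMOTE",
    "credential-leak": "IAM-MFA",
    "unpatched-edge-device": "VULN-MGMT",
}


@dataclass(frozen=True)
class Finding:
    vendor: str
    source: str    # "cyber-monitoring", "dark-web", "financial", "sanctions", ...
    category: str  # constructed finding category
    severity: int  # 1 (low) .. 4 (critical)
    observed: str  # ISO date kept as text; only carried for reporting


@dataclass(frozen=True)
class AssessmentAnswer:
    vendor: str
    control: str   # constructed control id from the assessment template
    status: str    # "implemented" | "partial" | "missing"


@dataclass
class RegisterEntry:
    vendor: str
    cyber_findings: list = field(default_factory=list)
    non_cyber_findings: list = field(default_factory=list)
    assessment_gaps: list = field(default_factory=list)   # controls answered "missing"
    contradictions: list = field(default_factory=list)    # (category, control) attested vs observed

    def risk_score(self) -> int:
        """Severity total, plus a penalty for gaps and a larger one for contradictions:
        a contradicted attestation means the rest of the questionnaire is less trustworthy."""
        severity = sum(f.severity for f in self.cyber_findings + self.non_cyber_findings)
        return severity + len(self.assessment_gaps) + 2 * len(self.contradictions)


def build_register(findings, answers):
    """Fold monitoring findings and assessment answers into one entry per vendor."""
    register = {}

    def entry_for(vendor):
        return register.setdefault(vendor, RegisterEntry(vendor))

    attested = {}
    for answer in answers:
        attested[(answer.vendor, answer.control)] = answer.status
        if answer.status == "missing":
            entry_for(answer.vendor).assessment_gaps.append(answer.control)

    for finding in findings:
        entry = entry_for(finding.vendor)
        if finding.source in NON_CYBER_SOURCES:
            entry.non_cyber_findings.append(finding)
        else:
            entry.cyber_findings.append(finding)
        control = CATEGORY_TO_CONTROL.get(finding.category)
        if control and attested.get((finding.vendor, control)) == "implemented":
            entry.contradictions.append((finding.category, control))
    return register


def prioritised(register):
    """Vendor names ordered for review, highest register score first."""
    return [e.vendor for e in sorted(register.values(), key=lambda e: e.risk_score(), reverse=True)]


# Constructed sample data.
SAMPLE_ANSWERS = [
    AssessmentAnswer("acme-cloud", "AC-REMOTE", "implemented"),
    AssessmentAnswer("acme-cloud", "IAM-MFA", "implemented"),
    AssessmentAnswer("acme-cloud", "VULN-MGMT", "partial"),
    AssessmentAnswer("beta-logistics", "AC-REMOTE", "missing"),
    AssessmentAnswer("beta-logistics", "IAM-MFA", "implemented"),
]
SAMPLE_FINDINGS = [
    Finding("acme-cloud", "cyber-monitoring", "open-remote-admin", 3, "2024-11-02"),
    Finding("acme-cloud", "dark-web", "credential-leak", 4, "2024-11-10"),
    Finding("beta-logistics", "cyber-monitoring", "open-remote-admin", 3, "2024-11-05"),
    Finding("beta-logistics", "financial", "late-filing", 2, "2024-10-30"),
    Finding("gamma-print", "sanctions", "sanctions-list-match", 4, "2024-11-12"),  # never assessed
]

if __name__ == "__main__":
    register = build_register(SAMPLE_FINDINGS, SAMPLE_ANSWERS)
    for vendor in prioritised(register):
        e = register[vendor]
        print(f"{vendor:15s} score={e.risk_score():2d} contradictions={e.contradictions} "
              f"gaps={e.assessment_gaps}")
```

Note what the correlation buys over two separate lists: "beta-logistics" has the same exposed remote-admin finding as "acme-cloud", but because it admitted the control was missing it is a gap to remediate, whereas "acme-cloud" attested the control as implemented and is flagged as a contradiction, which is the case that needs evidence requested and an auditor-ready record.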
As part of your broader incident management strategy, you should ensure that your third-party incident response program enables you to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. This is at the heart of the GV.SC-08 control. A dedicated, in-house team can do this, but realistically many organizations lack the skills necessary for effective incident response – especially when it involves a third party.
A managed service that employs dedicated experts to centrally manage your vendors, conduct proactive event risk assessments, score risks, correlate those risks with continuous cyber monitoring intelligence, and issue remediation guidance can be incredibly valuable. Managed services can greatly reduce the time required to identify vendors impacted by a cybersecurity incident and ensure that remediations are in place.
Key capabilities in a third-party incident response service include:
Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. This will provide additional historical insight into the susceptibility of a supplier being breached.
Armed with these insights, your team can better understand the scope and impact of the incident. This includes the involved data, the impact on the third party's operations, and the completion of remediations.
Tackling the GV.SC-09 facet of the Govern function requires a strong performance management focus. In practice, this means determining whether vendors are meeting service level agreements (SLAs), applying the recommended remediations, and adhering to any necessary compliance mandates. You also need to monitor supplier performance against these requirements. Doing so can show where there are gaps in delivery against SLAs or against any other recommended actions.
Part of that monitoring also involves determining the right KRIs and KPIs for suppliers. Once you understand what metrics to judge your vendors and suppliers against, you can track their performance against them to show improvements. You should monitor and measure these within a third-party risk management tool to make reporting on metrics easier.
Building on the best practices recommended for GV.SC-05, organizations need to automate contract assessments and offboarding procedures to reduce their risk of post-contract exposure. In the GV.SC-10 facet of the Govern Function, this can take the shape of:
An important component of this step is to ensure business continuity during the transition period between the terminated agreement and the onboarding of a new supplier.
Governance and oversight are as key to effective third-party risk management as risk identification and mitigation. Without agreement on processes and key metrics, you’re unlikely to achieve your risk reduction goals. As the Cheshire Cat said in Alice in Wonderland, “If you don’t know where you’re going, any road will take you there.”
Governance and oversight ensure that you know where you’re going and are taking the right road to get there. Using the NIST CSF 2.0 Govern function will provide a solid foundation for building governance into your third-party risk management program.
For more on how Prevalent can help you establish and mature your TPRM program, request a personalized demonstration today.