Holistic third-party risk management (TPRM) programs combine periodic, inside-out assessments of internal vendor controls with continuous, outside-in monitoring of their external threats. By complementing vendor assessment results with a stream of outside intelligence, you’ll gain a more complete understanding of each vendor’s potential risk to your business.
When building monitoring into your third-party risk management program, be sure to tap sources of vendor intelligence that are both broad and deep. This post will get you started by outlining a use case for continuous monitoring and revealing key sources of third-party risk intelligence. It will also share best practices for success along the way.
Informing your vendor risk assessment activities with real-time cyber and business monitoring intelligence will make your TPRM program more continuous and less reactive. For example, you can use monitoring to scan the dark web for a vendor’s vulnerabilities, breaches and leaked credentials. You can then correlate this data with information gathered from vendor assessment questionnaires to reveal inconsistencies in password and/or patch management controls.
A strong TPRM solution not only handles this analysis, but also includes rules and automations that trigger follow-up assessments. This approach closes the loop on third-party risk and transforms point-in-time assessments to continuous risk monitoring.
Making sound, risk-based decisions means consuming and normalizing data from many disparate sources. It’s easy to spend a lot of time finding, centralizing, and making sense of the data behind your vendor security posture. That’s why it’s important to consider a TPRM solution’s ability to aggregate and report on third-party intelligence in an actionable way.
Whether you’re evaluating risk monitoring solutions or taking a manual approach, be sure to look into these sources of third-party risk intelligence:
Common sources of publicly available – and likely free – third-party threat intelligence provide general industry news, trends and breach updates:
Private sources of third-party risk intelligence include fee-based data services and websites that may be difficult to find or dangerous to navigate. These sources can provide more detailed business and cyber risk intelligence about your third-party vendors.
Reliable providers of this intelligence feature a global research team that continuously searches for vendor exposures, utilizing multiple risk intelligence partners. This approach can deliver analytical insights that are particularly broad and deep.
*Monitoring hacker forums and dark web sites is best left to professional security researchers!
Industry and government regulators are critical sources of third-party risk intelligence. Many will publish information about enforcement actions and violations, which can result in fines or lawsuits affecting a vendor’s operations.
Your organization may also be legally required to ensure that its third parties meet compliance requirements. This can be accomplished by conducting vendor assessments and validated them with continuous monitoring.
Examples of major regulations and regulatory bodies that come up in third-party risk management include:
You can see a table of regulations that require vendor assessment and/or monitoring in our compliance section.
If your industry has an information sharing center (ISAC), then membership in this organization should be mandatory for you. Examples include:
Chances are, you are using several different products to manage risk throughout your enterprise. If your solutions operate in silos, then investigate how integrations can benefit your third-party risk intelligence gathering. For example, many organizations utilize ticketing and operations management solutions (e.g., ServiceNow) in conjunction with vendor risk monitoring solutions. In this case, linking ticketing with risk data can help to accelerate decision-making and facilitate remediation.
As you collect answers from completed assessments, you should ideally track and report on the responses in a central risk register. While third-party intelligence gathering is usually conducted on an individual basis, centralizing the data can inform subsequent activities across groups of industry vendors.
Common industry-standard assessments include:
This is where the use case mentioned above comes into play. With automated rules, you can take vulnerabilities discovered through continuous monitoring, correlate them against assessment responses, and use the findings to trigger follow-up assessments.
Libraries of completed vendor assessments can provide you with the baseline assessment and risk scores for thousands of organizations. They are especially helpful for conducting sourcing and procurement due diligence on potential vendors. They also can give your security team a head start on risk analysis for your most important suppliers. Be sure to select a service that goes beyond delivering assessment scores to at least include external cyber security ratings. This will help you to bridge the gaps between vendor assessments and updates to the library.
More intelligence leads to better, more informed decision-making. Prevalent offers a range of vendor risk management software, networks and services that integrate assessment and monitoring to deliver a 360-degree view of third-party risk.