The Role of Third-Party Management in Cybersecurity
By AJ Yawn
It is almost impossible to monitor a cybersecurity news cycle without reading about another organization experiencing a breach caused by an exploited third-party vendor vulnerability. For example, 1 million health records belonging to healthcare provider Kaiser Permanente were exposed by one of its business associates, a California-based record storage firm.
There, unbeknownst to Kaiser Permanente, an unauthorized individual accessed Kaiser's records through an email account belonging to an executive from the record storage firm. Marriott was also forced to disclose a breach that involved an unknown third party using two Marriott employees' logins to access 5.2 million customer records.
Finding a single vendor to handle all the technological and business process needs of a modern organization is not likely. Therefore, organizations continue to outsource key functions of their operations such as cloud hosting, human resources information systems, commoditized legal services, accounting, or cybersecurity managed service providers.
Organizations benefit from the increased efficiency, reduced costs, and minimized operational disruption that result from outsourcing these key functions. These benefits also come with risk: a partnership between a third party and a service organization joins their cybersecurity practices and their vulnerabilities. Vulnerabilities exploited at one organization will inevitably impact the partnered organization. Therefore, vendor management should be considered an important element of a cybersecurity program.
What do today’s regulations and compliance frameworks say about vendor management?
Cybersecurity regulators and compliance frameworks reinforce the importance of vendor management in cybersecurity programs. Multiple frameworks require organizations to establish a vendor management program that includes evaluating the confidentiality, integrity and availability risks associated with a third party's IT systems. Industry standards such as the AICPA's Statement on Standards in Attestation Engagements (SSAE-18) Service Organization Controls 2 (SOC-2), International Standards Organization (ISO) 27001:2013, and Payment Card Industry Data Security Standard each encompass some version of assessing, managing, and mitigating data risks brought on by third-party providers.
Government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the European Union's well-discussed General Data Protection Regulation (GDPR) impose legal obligations on organizations to implement strict third-party governance programs, typically through the implementation of certain contractual language. A few of the requirements from different compliance frameworks and regulations are listed below:
Service organizations have similar responsibilities pertaining to vendor management under each of these standards. Organizations are required to include certain contractual provisions and conduct ongoing monitoring activities in order to be compliant with their vendor management obligations. Regardless of your organization's industry, your vendor management processes will be evaluated in a cybersecurity or privacy compliance assessment.
Implement the basics
Establishing a third-party management program to comply with these regulations and compliance frameworks begins with three implementation steps:
1. Document a third-party management policy. Ensure the policy outlines requirements to onboard, monitor and offboard vendors, including the evaluation of the security processes in place at each third-party organization.
2. Identify and classify all third parties that can impact your service. Classify third parties by their potential impact on your organization. For example, if your cloud hosting provider goes down, it will significantly impact your service and your customers; it is a critical vendor and should be given an appropriately high classification.
3. Accountability & Monitoring. Ongoing monitoring is a vital component of any third-party management program. This begins with requiring your third parties to undergo compliance assessments by third-party assessment firms and to provide those reports to your organization.
These three steps will jumpstart a vendor management program that aligns with the requirements set forth in common cybersecurity and privacy compliance frameworks. Most importantly, these steps will help organizations reduce the risk associated with third-party partnerships. An organization's cybersecurity posture is dependent on understanding the risks that threaten it. Third parties are a threat vector that includes access to sensitive data and critical systems. Organizations that do not have a vendor management program in place are flying blind and missing potential threats to their systems and their customers' data. A complete cybersecurity program includes third-party management that mitigates the risks associated with interconnected business relationships.