Other questions to consider: How do we identify who has access? After third parties have access, how quickly can we sever access to our systems and data?
The Driver Behind This
This expands on the previous question from the last post, adding additional granularity to the matter. Specifically, which third parties have access to regulated/sensitive data your organization has been entrusted with? This includes everything from cloud applications to service providers (e.g., HRIS, ERP, CRM systems). It doesn’t matter if the system is onsite managed by a third party (i.e., HVAC system) or hosted offsite (i.e., Amazon Web Services), you need to know who has access to your data (and why?). Accept that an adversary will consider all available attack vectors, to include your providers, business partners and vendors. These are common attack vectors used to gain access to systems as they advance on their objectives.
Processes, Practices, and Activities That Address This Question
We may be repeating ourselves somewhat but having an inventory of all third parties your organization has a relationship and whom you share information with is vital. Make certain that your third-party risk management program is integrated with your procurement onboarding processes and procedures as well. Include a “Right to Audit” clause which includes information security and cybersecurity program components of an entity that you are connected to needs to be clearly defined within a master services agreement and contracts with third parties.
- “Relying exclusively on suppliers to be secure.”
- “Not enforcing the ‘right to audit’ clause with third parties.”
- “Relying solely on industry certification/accreditation without proper due diligence.”