Step 1: Identifying third-party security risks
Based on the scope of work, third-party tools and services are allowed access to various systems, resources, network appliances, applications, and data (either stored or in transit). Potential risks accompany access. Determining the security risks in these circumstances can be tricky.
At a high level, organizations should follow these best practices to identify security risks from third-party engagements:
- Recognize risks by conducting a threat model to analyze critical assets in which a third-party tool will interact.
- Analyze entry and exit points for all third-party tools and services.
- Classify risks for third-party tools and applications by performing penetration testing and source code analysis.
- Review all on-site engagements and interactions (e.g., consulting) with the third parties.
- Diagnose additional risks by performing a red teaming assessment for the services provided by third parties.
- Account for any and all open vulnerabilities that are publicly disclosed against the tool or service in use from a third party.
Step 2: Assessing third-party security risks
Evaluation and assessment are important steps to comprehensively mitigate risks. This step prioritizes risks to see them through to mitigation in a time- and cost-effective manner. A risk management program cannot be successful if the assessment of each security risk (based on its impact to the business) isn’t calculated.
To best assess third-party security risks:
- Prioritize the evaluation of critical third-party tools and services to manage the additional assessment cost to the security program.
- Assess the overall potential business impact of each critical third-party tool risk.
- Evaluate the third-party tools or services with the help of a non-biased resource
- Conduct periodic assessments regarding access to authorized and unauthorized resources for third-party tools and services.
Step 3: Mitigating third-party security risks
Identifying and assessing vulnerabilities also requires a mitigation strategy. This strategy is used to reduce the severity of the identified risks and/or remediate them.
Follow these practices to help your organization mitigate and prevent threats and risks posed by third parties:
- Maintain an inventory of all third-party assets, in addition to their interactions with upstream and downstream assets in the organization.
- Advocate asset ownership for each third-party service or tool in the inventory.
- Create and periodically review third-party service level agreements (SLAs) and non-disclosure agreements (NDAs).
- Communicate the risk management approach to the third party and expectations prior to onboarding the tool or service.
- Establish an open channel for communicating threats and risks to the third party.
- Construct risk profiles for each third-party asset. Risk profiles provide an overall impact to the business (e.g., revenue, services, etc.) in case of security risks.
- Implement mitigating controls for securing all third-party entry and exit points.
- Devise a remediation activity timeline for each third-party risk identified during the assessment phase (e.g., include threat modeling, application penetration testing, and source code analysis).
- Centralize and review changes from a third party before distribution to customers and employees.
- Audit security controls implemented by the third party for customer or client data. Data segregation with other organizations is important in case of a breach.
- Take control and ownership of key management, data stores, and other critical assets hosted by the third party.
- Examine authorized and unauthorized access to systems from third-party assets.
- Monitor on-site staff and their activities from a third party.