Continuous Monitoring must be Performed Throughout the Lifecycle of TPRM


Introduction

As more organizations rely on products and services from Third Parties, maintaining oversight of those parties' security posture, performance, compliance with laws and regulations, and service level obligations becomes crucial. A breach or incident at a Third Party can translate directly into liability for the organization and damage to its reputation.

Why is Continuous Monitoring at the core of the TPRM program?

Continuous Monitoring demonstrates an organization's sustained effort, and consistent management support, in overseeing its Third Parties. Any disruption to the services a Third Party provides can have a long-lasting impact on the organization in many ways and erode its clients' trust.

Continuous Monitoring is only effective when several elements of the TPRM program work together:

Inventory: An organization can only protect itself and monitor its Third Parties when it maintains a robust, continuously updated and exhaustive inventory of them. Key attributes such as the nature of the business, geographical presence, the critical services offered and consumed, the number of clients served and annual spend provide insight and help derive trends in the volume and type of Third Parties being on-boarded.

Beyond security due diligence: Comprehensive security risk assessments will identify risks from a security standpoint, but an organization needs to look beyond the ambit of security. Third Parties should also be vetted for compliance with human rights and modern slavery legislation, Environmental, Social and Governance commitments, anti-corruption requirements, market viability and geopolitical exposure. Each of these factors has a direct or indirect effect, positive or negative, on the organizations that rely on those Third Parties.

Well-defined and comprehensive process: Every organization performs some form of continuous monitoring, but the process should be well-defined, efficient, repeatable, accountable and auditable, and should have top management buy-in. Business units should be made aware that security teams engage continuously with Third Parties to validate that the security controls in place remain effective.

Well-crafted contracts: Carefully drafted clauses make continuous monitoring far easier, since it may require auditing a Third Party more than once a year depending on the nature of the services or products consumed; a right-to-audit clause is what makes that possible. A poorly written contract may lack the clauses needed to safeguard the organization's interests in unforeseen circumstances, in particular when a Third Party suffers an incident or breach.

Automation: Many small and medium companies (and even some large ones) still perform continuous monitoring manually. It is highly recommended to use a tool to automate the process: it reduces human error, facilitates communication, generates a variety of standard and custom reports, maintains an audit trail, reduces dependency on individual staff and removes the overhead of manual activities.

Timely off-boarding and termination: Monitoring the effectiveness of off-boarding is crucial when a Third Party stops providing services. Retrieval or verified destruction of confidential data is imperative to ensure there is no data leak or unauthorized exposure. Organizations should start the off-boarding process with enough lead time for these activities to be carried out in an orderly way. Where a Third Party is required to retain confidential information under applicable regulations, the contract should include clauses that protect the confidentiality, integrity and availability of that data for as long as it is held.

Cybersecurity incidents have occurred in the past in which already off-boarded Third Parties suffered data leaks, intrusions or unauthorized data exposure involving the former client's information, precisely because that data was never retrieved or destroyed.

A comprehensive and well-defined Third Party Risk Management (TPRM) framework saves the organization the time, effort and money otherwise spent dealing with the consequences of ineffective continuous monitoring. Continuous Monitoring is not a one-off activity; it has to be performed throughout the lifecycle of Third Party Risk Management, from on-boarding to off-boarding.
