Leveraging Reusable Content to Expedite
Third-Party Risk Reduction Efforts
Storing your information security content and associated artifacts in a shareable network will stop the pandemonium,
opening opportunities to reduce risk, and face resiliency head on.
“Sharing is caring!” We all heard this phrase growing up and in today’s information security world it still proves to be fundamentally true. I’ve spent the past six years working with companies to influence their third-party risk management program, and encourage the adoption of an economic approach.
As a practitioner, I test techniques to help companies mature their program to meet regulatory compliance requirements. As an advisor, I assess company programs to help organizations step away from processes that prevent them from re-using relevant standard content and design custom evolutionary approaches – all in the spirit of expediting risk awareness for resiliency. Yet still, the concept of information sharing keeps me up at night…
How third-party risk information sharing is evolving
Collectively, industries across the globe are working towards what I call ‘stop the questionnaire pandemonium’ by way of implementing profile-type content gathering. There has been a shift from gathering information about all of a vendor’s operations to collecting meaningful content relevant to the service being provided. At the most mature state we have observed a trend towards simply collecting content specific to key or must-have controls. We mustn’t forget that the three most critical aspects to support all risk frameworks and meet regulatory requirements such as NIST, ISO, FAIR, and others are to:
1) Know your companies’ key controls,
2) Share standardized content and artifacts,
3) Identify and track risk closure to better understand risk tolerance.
Seems simple, right? Not always but it can be.
How the Shared Assessments content library can help
The Shared Assessments content library toolset (notice I didn’t refer to a questionnaire) has become the most flexible and reusable content library of information on the planet. The content library can be right-sized by profiling to ensure that the information collected is relevant for risk management. Furthermore, the sharing of content yields machine learning opportunities to address the most vulnerable security controls.
Implementing a standardized content library approach removes delay and waste from the collection of content and artifacts, making room for risk management. Storing your information security content and associated artifacts in a shareable network will stop the pandemonium, opening opportunities to reduce risk, and face resiliency head on.
To learn more about the best practices to finding greater assurance in your third-party business relationships, join me next week at the 12th Annual Shared Assessment Summit in Arlington, Virginia. I’ll be leading a panel discussion on Risk Framework and Risk Appetite and co-teaching a four-hour workshop session on Cybersecurity and Continuous Monitoring featuring an audience participation third-party risk scenario table-top exercise, among other experts.
Author: Brenda Ferrarro, Sr. Director of Networks, Prevalent Inc.
The contents of this blog are shared with the kind permission of Prevalent Inc.