A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance
This data security and compliance methodology examines third-party vendors against a three-dimensional, risk-based model. The final deliverables (risk impacts, findings, enterprise requirements and remediation) are presented quantitatively.
A number of professional surveys indicate that information technology and security managers, directors and executives report significant data breaches linked directly or indirectly to third-party access. Unfortunately, these security breaches are trending upwards. In addition, there is no structured and quantifiable methodology for measuring the risk a third party poses to an enterprise, or for defining what evidence the third party is expected to supply to substantiate that sound risk management practices are in place.
A third party that stores, accesses or transmits enterprise data, or performs business activities on the enterprise's behalf, introduces several types of risk and represents a probable risk exposure for the enterprise. The degree of risk and its material effect are highly correlated with the sensitivity and the transaction volume of the data involved.
Outsourcing certain activities to a third party poses potential risks to the enterprise. Some of those risk factors could have adverse impacts in the form of, but not limited to, strategic, reputational, financial, legal or information security issues. Other adverse impacts include service disruption and regulatory noncompliance.
Examples of third-party services include, but are not limited to, technology service providers; payroll services; accounting firms; invoicing and collection agencies; benefits management companies; and consulting, design and manufacturing companies. Most third-party commercial relationships require sending and receiving information, accessing the enterprise's networks and systems, and using the enterprise's computing resources. The risk is posed at different levels, and the impacts range from low to very significant.
Program and project managers may adopt the methodology presented here in its entirety, or adjust it to fit the enterprise's particular circumstances, and then build their own PMBOK process groups and knowledge areas.