How to Manage Third-Party Risk Before, During, and After Signing a Service-Level Agreement

One of the great things about events such as the Next-Generation Security Summit is the opportunity to network and share information with security leaders from multiple industries. In recent sessions, third-party risk has been a particularly hot topic.

In the banking industry, this discussion is being driven in large part by the US Office of the Comptroller of the Currency, which recently updated its risk management guidance for third-party relationships. In health care, the requirements of the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act, and the final HIPAA Omnibus ruling dictate that all custodians of protected health information—including business associates—must uphold the same security and privacy obligations.

Whether they are being driven by compliance or a greater appreciation of risk in their respective supply chains, security leaders must have a much higher awareness of third-party risk today. Based on these discussions of third-party risk, the following are five key aspects to managing risk before, during, and after a service-level agreement is signed:

Before the Agreement Is Signed

Leading up to a new third-party relationship, one of the most important considerations should be that security, privacy, compliance, and risk are not left to the final hours before signing. On the contrary, best practice is to establish a partnership between procurement, vendor risk management, IT, security, and legal staff from the beginning of the third-party engagement. This cross-function partnership is vital to ensure the following:

  1. Aligned Business Objectives: Both parties should have a common understanding of the business objectives for the relationship and the intended value of the third-party process or service.
  2. Security Controls: Required security controls should be included in the request for proposal, and the security team should be involved in reviewing each response.
  3. Assessment Criteria: Criteria for assessing the risk of third-party vendors and service providers should be clearly defined.
  4. Language Standards: Define the contractual language to be included in each third-party agreement.
  5. Integration Considerations: Details of IT integration and configuration with third-party systems should be included in each third-party agreement.

During the Negotiations

Whether using the third party’s agreement or the organization’s own master agreement, the following topics deserve explicit focus and attention:

  1. Data: Discuss how data is handed off; where data is located; how and why data is retained; and how data is destroyed.
  2. Ongoing Assessments: Establish the right to audit; to conduct risk assessments; to pen test and/or access to pen test results; and to conduct onsite visits.
  3. Business Continuity: Flesh out data center facilities, which may include fourth parties; plans and tests for disaster recovery (DR); and plans and tests for incident response (IR).
  4. Contract Termination: Outline the means to gracefully end and transfer the process or service back to the organization or to another third party.
  5. Hidden Costs: For example, find out whether unauthorized access or distributed denial-of-service attacks are defined as “Force Majeure” and therefore out of the third party’s responsibility or whether there are significant restrictions and/or costs to the organization for exercising the right to audit.

After the Agreement is Signed

Signing a service-level agreement is not the end of managing third-party risk. The third-party posture and relationship should be reassessed on a regular basis, particularly whenever there is a change in the scope of the agreement, a material change in technology, or a security incident. Items to incorporate in such periodic assessments include the following:

  1. Assessment Context: For instance, who performed the assessment, when, and how. Was it remote or onsite? Was documentation received? Were there independent reviews? There should also be a listing of previously identified risks and recommended steps to mitigate them.
  2. Onsite Visits: Document the scope, objectives, and results of the onsite visit.
  3. Review of Security Controls: Note the technical, administrative, and physical controls.
  4. Review of Business Continuity: Review DR plans, IR plans, outcomes of tests, outcomes of independent testing, and certifications.
  5. Analyst Opinion: Seek objective insight and recommendations on the assessment and any residual risks associated with the third party. This is just one way to enumerate some of the most important items. In larger organizations, there are teams of people who are focused specifically on these important matters.

By ensuring standards are upheld at each stage of creating a service-level agreement, third-party relationships with other vendors can be an asset to an organization, not a liability.

No Comments