Due Diligence and Ongoing Monitoring

  • 1.  Third-Party Monitoring Tool Utilization

    Posted 08-18-2021 05:12 PM
    We are currently working on an effort to enhance our third-party risk management through the utilization of a new third-party/supply chain intelligence tool. We are interested in best practices in this space. Below are some specific questions, but I would appreciate any feedback that you're willing to share:

    1. What process(es) do you currently use for conducting cyber security third-party assessments?
    2. What process or method do you currently use to monitor third-parties?
    3. Are you also monitoring 4th parties?
    4. What tools or partners assist with these processes?

  • 2.  RE: Third-Party Monitoring Tool Utilization

    Posted 08-25-2021 03:19 PM


    While there is much more information than we can provide in this format, here are some high-level best practices.

    For conducting cybersecurity third-party assessments, as a general best practice, we recommend that a credentialed information security analyst conduct these reviews; recognized credentials include CISA, CISM, CRISC, and CISSP. Cybersecurity assessments should be managed within the context of your organization's business objectives and the product or service your third party is providing. The assessments should review the third party's control environment against a nationally recognized standard such as NIST or ISO 27001. Additionally, there are industry-specific standards such as PCI DSS and UL 2900.

    To monitor third parties, you must monitor both risk and performance. Risk monitoring should involve structured processes such as an annual risk review that requires the third party to update your due diligence questionnaire if there have been any changes and provide new supporting documentation or confirmation that the documents previously provided are the most current. SMEs should review the updated documents and questionnaire with the same rigor applied during initial due diligence and provide formal written opinions of the third party's control environment, noting any gaps or identified issues requiring remediation.

    Ad-hoc risk monitoring should also take place in the form of news alerts or updates and alerts from a paid monitoring service. Additionally, your Third-Party Risk Management organization should stay up to date on new or emerging risks within specific industries and geographies. Performance monitoring should take place on a regular basis; we recommend quarterly for Critical and High-risk vendors. Monitoring performance against stated KPIs and SLAs is preferred.

    Regarding monitoring fourth parties, your third party is responsible for monitoring those vendors they do business with. However, your third party should disclose to you which of their vendors are material to supporting the product or service to your organization. In the case of Critical and High-risk vendors, you should require this disclosure in your contract and require that the list be refreshed as part of annual risk monitoring. Additionally, you must require your third party to inform you when there is a risk or performance issue with those fourth parties material to providing your product or service.

    I hope that is helpful. Of course, I would encourage other members to share their thoughts.