I'd say no to using the AOC in place of a pen test. You may have multiple pen tests needing to be reviewed annually, e.g. a corporate network pen test (all internet-facing IP addresses), product-specific pen tests (each website / application has different functions and vulnerabilities), and security testing of on-premises software.
You will want to request a summary of each of these showing that an external / third party pen tester performed a test, validate the scope, and see how many Critical / High / Med / Low vulnerabilities were found. The vendor should provide an attestation that all findings were remediated within SLA, or show that any findings which were unable to be remediated within their agreed SLA have been entered in a tracker or risk register. You may also choose to open a risk item in your tracker for any of these hanging chads, coming back 3 or 6 months later to confirm closure.
Happy to answer further questions, if this isn't clear. KW
Kate Wakefield CISSP, CIPT, CRISC
Director of GRC
Original Message:
Sent: 8/22/2024 5:34:00 PM
From: Premika Mishra
Subject: RE: Incident Response team vs Third Party Risk Management team
Participation from the TPRM team is important to understanding the breach's scope, identifying the systems affected, and coordinating response efforts with the Incident Response (IR) team. TPRM needs to identify the cause of the breach and evaluate the third party's measures to prevent future occurrences. While the IR team handles the immediate response and recovery, the TPRM team focuses on assessing and managing the risks associated with third-party vendors.
Original Message:
Sent: 08-22-2024 02:17 PM
From: Anonymous Member
Subject: Incident Response team vs Third Party Risk Management team
This message was posted by a user wishing to remain anonymous
I've come across a lot of videos and forums regarding TPRM conducting investigations into third-party breaches. Is this because they don't have a dedicated Incident Response team? If you have both, what does TPRM do vs. IR?