This message was posted by a user wishing to remain anonymous
I am certainly rooting for your success here, but I have reservations on what your success rate will be here because of the potential of the overhead your process would cause your vendors. Mind you, I do not know which industry you are in, or how large your organization is. Those two factors certainly impact your success rate.
Would your framework speak to strictly internal controls at your vendors, or is your concern regarding the controls for the services/systems they provide to you? Those can be two entirely separate things.
We send our vendors a custom questionnaire that is designed to fill out the potential gaps that we may not be able to fill when reviewing a vendor's due diligence. Different vendors provide different things. We have vendors that refuse to complete that questionnaire, so I use that as a supporting reason for my reservation regarding your success.
My approach here would be to seek to map controls that you are able to identify in vendor due diligence, to a control framework. What you use is up to you here, but there are many options. Depending on what industry your vendor targets, you may have more success with one framework over another.
I look forward to hearing if you have success in your endeavours.