Managing Third Party Risk (ISACA)

This document outlines best practices for managing third-party risk in enterprises, emphasizing the importance of data privacy and governance in vendor relationships. It details the roles involved in third-party management, the risk assessment process, and the necessity of integrating risk management into business practices. The paper aims to help enterprises enhance their third-party risk management programs to prevent data breaches and protect customer information.

MANAGING THIRD-PARTY RISK
Cyberrisk Practices for Better Enterprise Risk Management

CONTENTS
Introduction
Key Definitions for Third-party Risk
Third-party Governance
  / Third-party Management Roles
  / Enterprise Procurement
  / Third-party Data Handling Agreement
  / Third-party Metadata
Third-party Risk Assessment Process
  / Third-party Risk Triage (Inherent Risk Assessment)
  / Third-party Data Classification
  / Third-party Administrative Assessment
  / Contract
  / Penetration Testing (Pentest) Results
  / Accreditation, Certifications and Other External Audit Reports
  / Internal Audit Reports
  / Policy Review
  / Data Flows
  / Open Issues (From Previous Assessments)
  / Incidents
  / Control Questionnaire
  / Third-party Onsite Assessments
  / Technology-aided Reviews
Risk Analysis
Threat Modeling
Determining Risk Ratings
Assessment Closeout and Ongoing Monitoring
Conclusion
Acknowledgments

© 2019 ISACA. All Rights Reserved.



ABSTRACT
Many enterprises rely on third-party vendors to help facilitate the delivery of products and
services to their customers. However, these relationships come with risk. Data privacy
must be a top priority in these relationships. Ultimately, the enterprise is accountable for
the protection of its data; therefore, enterprise vendor risk management must ensure a
safe and healthy relationship with suppliers. Enterprises must also have sound
governance, which includes business and technical requirements to ensure due diligence
in the protection of the enterprise and its customers’ data. A robust third-party risk
management program includes the integration of risk management processes into
enterprise and IT business practices. This white paper provides you with best practices to
help manage enterprise third-party risk.


Introduction
End-of-year holiday shopping is critical for retail businesses. As a result, there is a lot of emphasis on ensuring that business operations are working flawlessly, including an enterprise's credit card processing systems. During this critical time of year in 2013, a landmark third-party cyberrisk incident occurred at a large US-based retailer. A phishing campaign infected the retailer's heating, ventilation and air conditioning (HVAC) contractor with the Citadel trojan, which enabled attackers to gain full control over the contractor's systems. After a few lateral moves and pivoting techniques, the attackers discovered that this HVAC contractor had access to the retailer's billing and project management systems.[1]

Like many enterprises, the retailer's network segmentation was limited, and attackers exploited the lack of tollgates to traverse the retailer's network and locate some point-of-sale (POS) systems. The attackers installed the BlackPOS malware, which steals credit card data, on some of the retailer's integrated Windows®-based POS terminals. The attackers did a trial run during one of the busiest holiday shopping weekends on a few POS terminals and were pleased with the results. Over the next two days, before the end of November, the attackers successfully deployed the BlackPOS malware to a majority of stores and were actively collecting credit card data.[2]

This data breach became one of the largest on record, affecting around 100 million customers and costing the retailer over US$200 million. Much of the cost reflected reimbursements to issuing banks for replacing compromised credit cards and settling class action lawsuits from the breach.[3]

The breach established a dominant narrative for many business executives considering their enterprises' third-party risk; it left many wondering which third parties on their networks could cause a similar breach. The link between the retailer and its HVAC third party allowed clever adversaries to infiltrate the retailer's network, infect the retailer's systems and extract millions of records. The breach not only raises questions about how much an enterprise really knows about its third parties, the controls that they have in place, the effectiveness of the controls and the nature of risk acceptance in third-party contracts—it also creates fear about what can go wrong.

Enterprise executives are concerned about the lack of complete information on third-party vendors, data and systems that the enterprise accesses in the course of vendor engagements. This concern has driven many enterprises to consider third-party risk management one of the top priorities of their cybersecurity programs, because customers do not regard the enterprise as a separate entity from its third parties. Therefore, third-party risk is enterprise risk.

This white paper provides third-party risk best practices covering governance issues (such as contracting, procurement and metadata mapping), forms of third-party risk assessment (including administrative, onsite and technology-based assessments), integration into a risk analysis process, and closeout and monitoring activities. By following the guidelines in this white paper, an enterprise can improve its third-party risk management program and avoid headlines for a third-party breach.

[1] Krebs, B.; "Target Hackers Broke in Via HVAC Company," KrebsOnSecurity, 5 February 2014, https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
[2] Krebs, B.; "A First Look at the Target Intrusion, Malware," KrebsOnSecurity, 15 January 2014, https://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
[3] Consumer Bankers Association (CBA), "Cost of Target Data Breach Exceeds $200 Million," 18 February 2014, https://www.consumerbankers.com/cba-media-center/media-releases/cost-target-data-breach-exceeds-200-million


Key Definitions for Third-party Risk
This white paper uses the term third party to denote an enterprise that is hired by another enterprise to accomplish the terms set forth in a legal contract. Third party is synonymous with vendor. The term fourth party indicates any third party of a third party.

Some enterprises—including government-sponsored enterprises (GSEs)—provide obligatory access to certain governmental or quasi-governmental organizations. For simplicity, these organizations are treated here like third parties, although not all the same controls and ability to influence exist. Also, during any merger and acquisition, it is often prudent to treat the parties as third parties to each other when conducting due diligence, until the merger or acquisition is complete.

This white paper uses terminology from the Open FAIR™ standard[4] to ensure clear communication of terms and consistent use of concepts in enterprise risk calculation.[5]

Third-party Governance
The importance of having a complete list of all third parties of an enterprise cannot be overstated. There is no worse scenario than receiving notification from an unknown third party that they experienced a breach affecting the enterprise. The Center for Internet Security® (CIS®) top 20 critical security controls (CSCs)—also known as CIS Controls™ or the SANS top 20™[6]—cite inventory of approved hardware and software as the first two security controls. No third party is reducible to hardware or software, but the same inventory discipline applies to enterprise third parties: an enterprise cannot assess or monitor a third party it does not know it has. To ensure accuracy of third-party lists, the key control is clearly defining enterprise roles responsible for each aspect of the third-party engagement life cycle.

Third-party Management Roles
Typically, a third party provides services or products for one person, who is often referred to as the business owner in the enterprise. This role defines duties or deliverables from the third party, and often pays the third-party fees. This very critical role requires deep understanding of the third party's function and/or actions on behalf of the enterprise, the data that the third party needs, and the general level of access necessary to execute the job. The business owner role commands the leverage with the third party to compel it to take security seriously. This leverage often results in compelling remediation activities and responses to any control deficiencies that might be uncovered. A business owner tends to own the contract and often signs it, and initiates contract modifications that are necessary to support increased security posture.

For large enterprises that may have several contracts with a single third party, the relationship manager role often has overall accountability for the entirety of the third-party relationship. This role is similar to the business owner, but requires greater understanding of the overall third-party scope of work. The relationship manager must have sufficient expertise and authority commensurate with the risk and complexity of goods and services offered by the third party. The relationship manager's primary vehicle for control is the master services agreement (MSA). This legal agreement documents the terms and conditions under which the enterprise and the third party interact and details overall control paradigms that are uniform across all subordinate contracts. The MSA often mandates

[4] The Open Group®, Open FAIR™ (Factor Analysis of Information Risk), https://publications.opengroup.org/editors-picks/open-fair
[5] The Open Group, Risk Taxonomy (O-RT) Version 2.0, 18 October 2013, https://publications.opengroup.org/c13k
[6] Center for Internet Security, "CIS Controls™," https://www.cisecurity.org/controls/; SANS™ Institute, "The CIS Critical Security Controls for Effective Cyber Defense," https://www.sans.org/critical-security-controls/


deployment of large-scale cybersecurity controls. Through the relationship manager, the enterprise must ensure that third parties have a written information security program (WISP) and business continuity plan (BCP) based on industry-recognized security frameworks.

To ensure that a third party has access to all required IT resources in an enterprise, business owners and relationship managers often engage with internal technology partners who perform the critical role in service fulfillment and in limiting access to nonauthorized persons. This role often includes one or more technology professionals from different parts of the IT organization, including information security.

Many enterprises also have an administrative role that enables third-party procurement. This role encompasses procurement and accounting systems, and may gather approvals within the enterprise and/or request specific technology access to enable the third party to accomplish its roles. These procurement professionals have a comprehensive view of the entirety of an enterprise's third parties and recommend consolidation of third parties in certain areas to ensure there is adequate leverage to gain the best pricing possible.

The final role is the legal team, which includes the privacy team. Formally reviewing and approving legal language on behalf of an enterprise requires not only appropriate licensing to practice law on behalf of an enterprise, but also the ability to ensure that appropriate protections are in place to safeguard enterprise reputation and treasury. This role cannot provide appropriate subject matter expertise regarding the nature of the contract and the work to be done, so the business and technology professionals, including cybersecurity professionals, may need to participate in contract review to become familiar with the terms of the deal and to suggest edits where appropriate.

Enterprise Procurement
Enterprises differ in the ways they approach purchasing of third-party services. Some enterprises allow business and technology leaders to purchase whatever services they need, provided they execute those purchases through a central system or enterprise support group to ensure that the proper process is followed. Other enterprises restrict purchasing to a centralized procurement group that purchases services on behalf of the business and technology leadership teams. Centralization is critical in procurement to ensure a complete inventory of third parties. By applying the financial control of centralizing purchases, the information security team gains a complete inventory of third parties used throughout the enterprise. Centralizing purchases also holds business leaders accountable for ensuring that the appropriate technology connections are made for their third parties and enables technology partners to ensure that the connection requests they receive are for authorized third parties only. The third-party inventory should be structured and centrally stored in a way that supports reuse, appropriate access and (ideally) automated processing.

Third-party Data Handling Agreement
Managing third-party risk has a strong technology focus. For example, opening firewall ports to enable third-party access, provisioning virtual desktop infrastructure (VDI) and processing large data transfer requests are processes that should be accommodated only for third parties on the approved third-party list, and only when appropriate data handling agreements have been executed as part of the authorization. The agreements ensure that data are transmitted in the context of appropriate legal and privacy protections and proper information security controls.

Third-party Metadata
It is often useful to collect metadata about third-party engagements to support not only cyberrisk assessments, but also other types of assessment. For example, knowing


the data types and volumes that third parties store, process and transmit helps an enterprise understand the role of the third party. Tracking the country in which data are manipulated helps ensure compliance with data privacy laws and other legal and contractual obligations, and also helps the enterprise maintain current data-flow documentation—all essential information for assessing enterprise risk.

Ideally, metadata should be correlated with records of authorized third parties and stored in a central database that supports ad hoc queries. An enterprise could query the database for information, such as:
• Type of data elements that each third party accesses, including:
  • Tax identification numbers
  • Genetic information
  • Health billing codes
• Countries where a third party processes data or moves data
• Platforms for processing data, i.e., local computing resources or cloud server (including, as applicable, the specific cloud)

The ability to query specific data elements that third parties access is critical to the third-party risk triage process.
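The following is an added example of such a queryable inventory; it is not part of the ISACA paper. It is written in Python against an in-memory SQLite database and also implements the rule the Third-party Data Classification section describes later in this paper: respondents name the concrete data elements a third party holds, and the category and classification label are derived from those elements rather than chosen by the respondent. The table layout, the element names, the category and label taxonomy, the "blocked offshore" check and the three sample engagements are all constructed assumptions for illustration; an enterprise substitutes its own taxonomy.

```python
"""Queryable third-party metadata inventory with derived data classification.

Added example (not from the ISACA paper). The table layout, element names,
category/label taxonomy and the sample engagements are assumptions.
"""
import sqlite3
from typing import Iterable

# Assumed rule table: a respondent names concrete data elements; the category
# and classification label are derived from the element, never chosen directly.
# Labels are ranked so the most sensitive element sets the overall label.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ELEMENT_RULES = {
    "tax_identification_number": ("PII", "confidential"),
    "driver_license_number": ("PII", "confidential"),
    "date_of_birth": ("PII", "confidential"),
    "email_address": ("PII", "internal"),
    "credit_card_number": ("PCI", "restricted"),
    "financial_account_number": ("Financial", "confidential"),
    "health_billing_code": ("PHI", "confidential"),
    "health_diagnostic_code": ("PHI", "restricted"),
    "mental_health_record": ("PHI", "restricted"),
    "genetic_information": ("PHI", "restricted"),
    "office_inventory_list": ("Business", "internal"),
}

SCHEMA = """
CREATE TABLE third_party (
    id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
    processing_country TEXT NOT NULL, platform TEXT NOT NULL);
CREATE TABLE data_element (
    third_party_id INTEGER NOT NULL REFERENCES third_party(id),
    element TEXT NOT NULL, record_count INTEGER NOT NULL,
    PRIMARY KEY (third_party_id, element));
"""

# Constructed sample engagements (not real vendors): name, country where data
# are processed, platform, {element: record count reported by the business owner}.
SAMPLE_ENGAGEMENTS = [
    ("Acme Payroll", "IN", "vendor cloud (AWS)",
     {"tax_identification_number": 12000, "financial_account_number": 12000,
      "date_of_birth": 12000}),
    ("Beacon Claims", "US", "vendor data center",
     {"health_billing_code": 250000, "health_diagnostic_code": 250000,
      "email_address": 250000}),
    ("Cardinal Office Supply", "US", "vendor cloud (Azure)",
     {"office_inventory_list": 1}),
]


def classify(elements: Iterable[str]) -> dict:
    """Derive categories and the overall label from concrete data elements."""
    categories, label = set(), "public"
    for element in elements:
        if element not in ELEMENT_RULES:
            raise ValueError(f"unknown data element: {element}")  # extend the taxonomy, do not guess
        category, element_label = ELEMENT_RULES[element]
        categories.add(category)
        if LABEL_RANK[element_label] > LABEL_RANK[label]:
            label = element_label
    return {"categories": sorted(categories), "label": label}


def build_inventory(engagements=SAMPLE_ENGAGEMENTS) -> sqlite3.Connection:
    """Load engagements into an in-memory database that supports ad hoc queries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name, country, platform, elements in engagements:
        classify(elements)  # reject unknown elements before anything is stored
        cur = conn.execute(
            "INSERT INTO third_party (name, processing_country, platform) VALUES (?, ?, ?)",
            (name, country, platform))
        conn.executemany("INSERT INTO data_element VALUES (?, ?, ?)",
                         [(cur.lastrowid, el, n) for el, n in elements.items()])
    conn.commit()
    return conn


def third_parties_with_element(conn: sqlite3.Connection, element: str) -> list:
    """Which third parties hold a given data element (e.g. tax identification numbers)?"""
    rows = conn.execute(
        "SELECT tp.name FROM third_party tp JOIN data_element de ON de.third_party_id = tp.id "
        "WHERE de.element = ? ORDER BY tp.name", (element,)).fetchall()
    return [name for (name,) in rows]


def what_do_we_have_there(conn: sqlite3.Connection, name: str) -> dict:
    """The first question after a vendor breach: elements, volume and derived classification."""
    rows = conn.execute(
        "SELECT de.element, de.record_count FROM data_element de "
        "JOIN third_party tp ON tp.id = de.third_party_id WHERE tp.name = ?", (name,)).fetchall()
    elements = dict(rows)
    return {"elements": elements, "records": sum(elements.values()), **classify(elements)}


def offshore_exposure(conn: sqlite3.Connection, home_country: str, blocked_categories) -> list:
    """Third parties processing a contractually blocked data category outside the home country."""
    hits = []
    for name, country in conn.execute(
            "SELECT name, processing_country FROM third_party "
            "WHERE processing_country != ? ORDER BY name", (home_country,)).fetchall():
        blocked = sorted(set(what_do_we_have_there(conn, name)["categories"]) & set(blocked_categories))
        if blocked:
            hits.append((name, country, blocked))
    return hits


if __name__ == "__main__":
    db = build_inventory()
    print(third_parties_with_element(db, "tax_identification_number"))
    print(what_do_we_have_there(db, "Beacon Claims"))
    print(offshore_exposure(db, "US", ["PII", "PHI"]))
```

Because classification is computed from elements, the inventory answers both the triage question ("who holds tax identification numbers?") and the breach question ("what do we have at this third party?") from the same rows, and an element the taxonomy does not know is rejected at load time rather than silently classified as public.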

Third-party Risk Assessment Process
The third-party risk assessment process ascertains the risk to the enterprise from engaging with a third party and the impact of that risk on enterprise objectives. Three assumptions can be made about the third-party risk assessment process:
• The enterprise always knows more about its own computing environment than about its third parties.
• Third-party responses to enterprise inquiries about security programs carry a necessary veil of abstraction to help safeguard the third party from undue harm, such as targeted attacks by insiders. This veil is similar to the one that an enterprise applies to its responses to security-program inquiries from customers; an enterprise provides high-level information about its security program, but rarely reveals specific information.
• Most enterprises have many third parties that may not require a security assessment. For example, office supply companies are not likely to pose an information security risk to an enterprise. A risk triage process is required to determine the appropriate level of engagement for each third party.

Third-party Risk Triage (Inherent Risk Assessment)
The triage process was created for battlefield injuries, to sort injured soldiers into groups based on the severity of their injuries, and it can provide a rough framework for the third-party risk triage process. Essentially, such triage activity was meant to sort soldiers roughly into three groups:
• Those who would live, regardless of what doctors did
• Those who would die, regardless of what doctors did
• Those who might live if they received immediate attention

A third-party risk triage process does not need to be quite so intense, but the same basic rules can apply. If an enterprise has limited resources to conduct third-party reviews, it can prioritize third parties based on risk, and ration resources to those third parties that should get the most attention to help stave off grave risk. The triage process—also called a third-party inherent risk assessment—groups third parties into three categories according to potential risk:


1 Third parties that receive no reviews (no further assessments)
2 Third parties that receive an administrative review, such as a questionnaire and/or a scan
3 Third parties that receive a significant review, such as an administrative review plus an onsite evaluation

To determine the inherent risk that a third party can pose, the enterprise evaluates third-party demographic data and the nature of the third-party relationship it has or will have. This evaluation necessitates understanding:
• Terms and conditions of the contract with the third party
• Criticality of third-party services or products relative to enterprise business objectives
• Volume and nature of data shared with the third party (which factors are of particular importance)

Control-based questions are delayed until later to allow for a pure evaluation of the risk that the third-party relationship poses to the enterprise: inherent risk is the risk before any of the third party's controls are credited, and crediting controls at this stage would let a polished questionnaire answer hide a high-exposure relationship. The risk triage questions focus on evaluating the two relevant parts of the risk equation:
• Frequency of loss events
• Magnitude of losses if they occur

The following sample questionnaire for third-party risk triage helps assess the potential for threat actors to cause loss and any related impact to data confidentiality, integrity and availability.
1 Does the use of this third party involve any external-facing systems (including cloud)?
2 Will this third party subcontract enterprise work to any fourth party, use offshore resources, or provide or consume data feeds to/from external partners?
3 Will the use of this third party introduce any net new technologies to the enterprise?
4 Will this third party introduce any new functions for an existing system?
5 How many records will this third party store, transmit or process, and of which type (e.g., tax identification numbers, credit cards, dates of birth, financial account numbers, driver license numbers, email addresses, health information and similar sensitive data)?
6 Will this third party have the ability to move money, make investments or otherwise commit money to be spent on behalf of the enterprise?
7 What is the business criticality of the systems in use or affected by this third party?
8 If the systems/services provided by the third party go offline, is the enterprise required to notify regulators or pay fines to its customers?
9 Is the enterprise required to produce and/or submit evidence of regular review of the systems affected by this third party to regulators and/or auditors?

This list represents common, basic questions that an enterprise may want to ask. An enterprise should develop new questions (and/or adapt the example) to suit its specific environment and needs. Some enterprises may include privacy-related questions to gain a better understanding of the nature of the relationship and, if appropriate, may refer the third party to a privacy group that will conduct or update a privacy impact assessment (PIA). The following basic privacy triage question can be used for that purpose:
10 Will this third party be asked to contact individuals or store their data for marketing purposes (browsing or online-interaction information, email, phone, mail, text, etc.)?

The third-party risk triage—combined with data classification, as discussed in the following section—should form the basis of an inherent risk assessment of enterprise third parties, so that the enterprise can undertake the appropriate level of formal risk assessment.
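The triage above can be mechanised so that the tier follows from the business owner's answers rather than being assigned by hand. The following is an added example, not from the ISACA paper: the ten questions become a data class, questions 1 to 4 are scored as an ordinal proxy for loss event frequency and questions 5 to 9 as a proxy for loss magnitude, the product of the two selects the tier, and question 10 routes the third party to the privacy group without changing the tier. The question-to-factor mapping, the weights, the volume buckets, the tier boundaries and the three sample third parties are assumptions chosen for illustration; an enterprise calibrates them against its own risk appetite and then applies control questions only to tiers 2 and 3.

```python
"""Third-party inherent risk triage from the ten sample triage questions.

Added example, not from the ISACA paper. The weights, thresholds, tier
boundaries and the sample third parties are assumptions for illustration.
"""
from dataclasses import dataclass

TIERS = {
    1: "no further assessment",
    2: "administrative review (questionnaire and/or scan)",
    3: "administrative review plus onsite evaluation",
}


@dataclass(frozen=True)
class TriageAnswers:
    """Business-owner answers to triage questions 1-10; no control questions here."""
    external_facing: bool               # Q1: external-facing systems, including cloud
    fourth_party_or_offshore: bool      # Q2: subcontracting, offshore resources, external feeds
    new_technology: bool                # Q3: net new technology for the enterprise
    new_functions: bool                 # Q4: new functions on an existing system
    record_count: int                   # Q5: how many records stored/transmitted/processed
    sensitive_data: bool                # Q5: of a sensitive type (tax IDs, cards, health, ...)
    moves_money: bool                   # Q6: can move or commit enterprise money
    business_criticality: str           # Q7: "low", "medium" or "high"
    outage_triggers_notification: bool  # Q8: outage means regulator notice or fines
    regulator_evidence_required: bool   # Q9: evidence of review owed to regulators/auditors
    marketing_contact: bool             # Q10: contacts individuals / stores marketing data


def frequency_factor(a: TriageAnswers) -> int:
    """Assumed proxy for loss event frequency: how much the relationship widens the
    attack surface. Internet exposure and fourth parties are weighted double (Q1-Q4)."""
    return (2 * int(a.external_facing) + 2 * int(a.fourth_party_or_offshore)
            + int(a.new_technology) + int(a.new_functions))


def magnitude_factor(a: TriageAnswers) -> int:
    """Assumed proxy for loss magnitude: what a loss event would cost (Q5-Q9)."""
    volume = 0 if a.record_count < 1_000 else 1 if a.record_count < 100_000 else 2
    criticality = {"low": 0, "medium": 1, "high": 2}[a.business_criticality]
    return (volume + 2 * int(a.sensitive_data) + criticality
            + int(a.outage_triggers_notification) + int(a.regulator_evidence_required)
            + 2 * int(a.moves_money))


def triage(a: TriageAnswers) -> dict:
    """Combine the two factors as Open FAIR does (risk = frequency x magnitude, here on
    ordinal scales) and map the product onto the three review tiers."""
    freq, mag = frequency_factor(a), magnitude_factor(a)
    risk = freq * mag  # zero magnitude means nothing to lose: tier 1 whatever the exposure
    tier = 1 if risk < 4 else 2 if risk < 20 else 3  # assumed tier boundaries
    return {"frequency": freq, "magnitude": mag, "risk": risk, "tier": tier,
            "review": TIERS[tier],
            "privacy_referral": a.marketing_contact}  # Q10 goes to the privacy group, not the tier


# Constructed sample answers (not real vendors): an office supply company with a
# web ordering portal, an offshore payroll processor, and a marketing survey SaaS.
OFFICE_SUPPLY = TriageAnswers(True, False, False, False, 0, False, False, "low", False, False, False)
PAYROLL_PROCESSOR = TriageAnswers(True, True, False, True, 12_000, True, True, "high", True, True, False)
SURVEY_SAAS = TriageAnswers(True, False, True, False, 50_000, True, False, "low", False, False, True)

if __name__ == "__main__":
    for label, answers in [("office supply", OFFICE_SUPPLY),
                           ("payroll", PAYROLL_PROCESSOR),
                           ("survey SaaS", SURVEY_SAAS)]:
        print(label, triage(answers))
```

The product form matters more than the particular weights: an internet-facing vendor that holds no enterprise data lands in tier 1 however exposed it is, while a vendor that holds sensitive records and can move money cannot reach tier 1 by being behind a firewall, which is the distinction the frequency/magnitude split is meant to preserve.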

[7] Regarding the confidentiality, integrity and availability security triad, see Sundaram, J.; "The Benefits of the Statement of Applicability in ISMS Projects," ISACA Journal, 2017:3, https://www.isaca.org/Journal/archives/2017/Volume-3/Pages/the-benefits-of-the-statement-of-applicability-in-isms-projects.aspx


Third-party Data Classification
Many of the questions in the previous section cover the confidentiality, integrity and availability (CIA) triad.[7] In order to document all data types used by a third party—a critical complement to the CIA factors—enterprises should develop a specific, dedicated data-classification questionnaire (which can be reused in other risk assessments). When answering data-classification questions, respondents ideally will not choose the data classification directly—e.g., confidential or personally identifiable information (PII). Instead, the respondent will indicate the specific data elements that are in use; the questionnaire applies logic and derives the classification for them. For example, respondents select Social Security number, driver license number, health diagnostic codes or mental health records. These data types can be correlated with the appropriate category and classification labels (e.g., PII and confidential). This approach gives the enterprise the added benefit of an inventory of the data types in use by the enterprise and indicates to which third parties the data are being transmitted. This information is critical for compliance with certain privacy regulations and some customer contracts (for example, a contract may state that certain data types cannot be sent offshore). This inventory is also helpful if the third party incurs a data breach. One of the first questions that an enterprise may want to ask is, "What data do we have there?" Not having the answer to this question puts an enterprise at greater risk if a breach occurs.

Third-party Administrative Assessment
For third parties that fall into the first triage category—i.e., no further review—the only assessment requirement is to monitor the third parties to see if anything changes. An annual review of these third parties is recommended; business owners are responsible for accurate answers to the risk questions and should inform the enterprise if anything changes that brings the third parties into scope for further action.

For the second category—i.e., administrative assessment—a range of steps will help the enterprise gain comfort without sending staff to third-party offices for a review. The following subsections cover documentation that can be reviewed, along with key considerations for each category.

Contract
Reading the contract that is in place with the third party gives insight into the work the third party is contractually obligated to perform on behalf of the enterprise. Contracts can include the MSA and/or any other special project agreements that are in place, including, for example, statements of work (SOWs). The enterprise should verify that there is a right-to-audit clause; if no such clause exists, the enterprise may be very limited as to what it can do in the assessment.

Penetration Testing (Pentest) Results
The enterprise should ask the third party for detailed pentest results (although the enterprise may not be able to get them, or may receive only redacted or summary versions). If the enterprise does not receive pentest results, this fact is included in the issue management process. Pentest results are assurance, from either a third party conducting the pentest or the unbiased output of a software tool, that the systems tested were as secure as warranted at the time of the test. The assessor should therefore note the test date, the scope (which systems and which IP ranges were in play) and whether the work was a manual pentest or an automated vulnerability scan, since the two give different levels of assurance. For any significant adverse findings from these results, the enterprise asks for assurance from the third party that the findings were resolved, ideally in the form of a retest rather than a statement. Some third parties may share pentest reports, but only for external systems—e.g., those with external Internet Protocol (IP) addresses. Finally, it is important to know against which risk scenarios these kinds of controls protect (that is, against external attackers versus insiders).

Accreditation, Certifications and Other External Audit Reports
This assessment category includes a statement provided by an external auditor attesting to the third party's state of security upon which the enterprise can rely—for example, an ISO 27001 certification, which can be verified on the issuing certification body's website. It may also include:
• Statement on Standards for Attestation Engagements (SSAE) No. 16 reports (superseded in 2017 by SSAE No. 18, under which current reports are issued)
• Service Organization Control (SOC) 1 or SOC 2 reports, issued as Type 1 (control design at a point in time) or Type 2 (control operation over a period)
• Payment Card Industry Data Security Standard (PCI DSS) testing results

Some third parties have HITRUST® certification, while others get a generic statement from an external auditor regarding their adherence to standards, including:

• US National Institute of Standards and Technology (NIST), Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations[8]
• NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1[9]
• SANS™ CIS® Critical Security Controls (SANS Top 20)[10]
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) and associated regulations[11]
• Federal Information Security Management Act of 2002, Federal Information Security Modernization Act of 2014 (FISMA)[12]
• North American Electric Reliability Corporation (NERC) Reliability Standards[13]
• COBIT® 2019[14]

Whatever accreditations a third party offers, an enterprise examines carefully the scope statements therein. Some accreditations cover everything in the third party, while others are tailored to certain operations, physical locations or services. If these scopes or service levels do not align with the enterprise use cases for the third party, they are not relevant. For SOC reports in particular, the assessor also checks the report period, any exceptions the auditor noted, and the complementary user entity controls the report assumes the enterprise itself operates. New tools—called exchanges—aggregate third-party data, including security and privacy certifications and accreditations, recent incidents, and other relevant data, so that an assessor can quickly understand how data are protected without sending an assessment to the third party.

Internal Audit Reports
An enterprise should also ask the third party for copies of its internal audit reports. These reports represent an independent review of security, albeit not as reliable as if they came from an external auditor. The same caveats apply as in the accreditation section; the reports may be redacted and the enterprise should check the scope statements for applicability.

Policy Review
An enterprise should ask for copies of third-party security policies and standards. Because terminology differs between enterprises, it is best to ask for any security governance documents that dictate where security controls (technical, physical and administrative) are required. Some third parties are happy to share these documents with an enterprise (assuming a properly executed nondisclosure agreement). Other third parties refuse to share policy documents, arguing that it may compromise them or their other customers. Some third parties may restrict how they share—for example, by allowing an enterprise to view only a physical copy, but no digital copy. When an enterprise encounters pushback from a third party, the enterprise should ask for the written information security program (WISP) as required in the contract, and any high-level security statements approved by the third-party board of directors or other governance bodies. At the very least, an enterprise should have the third party attest that it has such governance documents in place, and that they cover key areas specific to the enterprise use of that third party (access control, business continuity, etc.).

Data Flows
An enterprise should ask the third party for data flow diagrams, which outline not only where enterprise data comes into the third party (data feeds, manual loading, etc.), but also into which systems data flow (including systems of any fourth parties). These diagrams give enterprises the most complete picture of what scope of controls is needed and where risk can be introduced.

[8] US National Institute of Standards and Technology, NIST Special Publication 800-53 Revision 4, April 2013, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
[9] NIST, Framework for Improving Critical Infrastructure Cybersecurity, 16 April 2018, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
[10] Op cit SANS™ Institute
[11] US Department of Health and Human Services, Health Insurance Portability and Accountability Act, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
[12] US Department of Homeland Security, Federal Information Security Modernization Act, https://www.dhs.gov/cisa/federal-information-security-modernization-act
[13] North American Electric Reliability Corporation, https://www.nerc.com/pa/Stand/Pages/default.aspx
[14] ISACA, COBIT® 2019, USA, 2018, http://www.isaca.org/COBIT/Pages/default.aspx

© 2019 ISACA. All Rights Reserved.


Open Issues (From Previous Assessments)
If the enterprise has assessed the third party before, it reviews the work papers from the previous engagement, looking for follow-up activity and closure of findings in the interim. Lack of action can indicate lack of commitment to securing the third party’s environment. The enterprise asks its business owners to sign off on any risk associated with third-party control deficiencies from this and any previous engagement.

Incidents
An enterprise should search the news for any incidents involving a third party and ask pointed and targeted questions about the incidents to ensure there is appropriate follow-up and that the enterprise is not exposed. There are many tools available that can search for this information and help to automate the process.

Control Questionnaire
An enterprise develops its own control questionnaire that allows it to gain assurance that proper controls are in place to protect the enterprise and its data and services. There are service providers that can assist with this questionnaire. As the Accreditation, Certification and Other External Audit Reports subsection touched on, there are many control frameworks to guide an enterprise, such as the Cloud Security Alliance® (CSA) Consensus Assessments Initiative Questionnaire (CAIQ),15 Shared Assessments SIG,16 NIST SP 800-53,17 and ISO 27002.18

Third-party Onsite Assessments
Third parties that fall into the third risk triage category—i.e., onsite assessment—warrant a more in-depth review, because there is significant risk to the enterprise if that third party were to fail in some way. An enterprise performs additional due diligence to ensure that a third party has done what any reasonable enterprise would do to ensure its data are protected. Third parties in this category undergo an administrative assessment and an onsite assessment.

An interviewing style should be cultivated to help third-party assessors understand some nonverbal responses that may be given to inquiries, how to interpret them and which questions can aid in gathering information.19 The enterprise must be careful not to interrogate third parties, but simultaneously be thorough with its evaluation.

Onsite third-party assessments typically include an in-person review of items listed in the administrative assessment section, although that review typically happens ahead of time, and onsite discussion focuses on any documents or specific responses that are particularly revealing.

It is customary to have a data center walkthrough while conducting the onsite review. The walkthrough typically allows enterprise assessors to see physical controls and learn how the third party conducts itself when dealing with guests. Relevant questions include:
• Are guests required to show ID?
• Are controls in place to confirm that guests have an appointment with appropriate third-party personnel that day, or are they allowed to walk around freely?

Enterprise assessors may ask to see areas where data are processed. For example, if the third party takes calls from customers on behalf of the enterprise, an assessor should ask to see those areas and observe how the third party manages the staff and the enterprise data there. Assessors should physically follow the data flows laid out in the data flow diagram, tracing the data path throughout the third party.

Many third parties try to limit an assessor’s time to just the data center; others (as is often the case with cloud
15 Cloud Security Alliance, Consensus Assessments Initiative Questionnaire v3.0.1 (9-1-17 Update), https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/
16 Santa Fe Group, “Standardized Information Gathering (SIG) questionnaire,” https://sharedassessments.org/sig/
17 Op cit NIST, Special Publication 800-53 Revision 4, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
18 International Organization for Standardization (ISO), Information technology — Security techniques — Code of practice for information security controls, ISO/IEC 27002:2013, October 2013, https://www.iso.org/standard/54533.html
19 Freund, Jack; “Using Behavioral Interview Techniques to Assess Supplier Security Posture,” The Risk Doctor, 1 October 2014, https://riskdr.com/2014/10/01/using-behavioral-interview-techniques-to-assess-supplier-security-posture/

providers) try to prohibit the assessor from visiting the data center entirely. In the former case, assessors should insist on visiting other locations, or even rotate site visits over time, looking at the data center one time, and the call center another time, etc. In the latter case, if an onsite visit to the data center is prohibited outright, the assessor must decide whether to recommend to business owners that the third party be dropped, or to continue the relationship with a qualified statement in a risk acceptance that the enterprise is unable to conduct onsite validation. Such cloud providers typically point to the sheer number of clients they have and indicate that they simply cannot accommodate that number of onsite visits. Typically, they also provide some alternative documentation to show that they have third-party verification of their controls, so that further assessment is unnecessary.

For enterprises that are trying to stretch their third-party risk assessment budget, instead of physically flying staff to various third-party locations, they take advantage of technology, conduct their interviews over videoconference equipment and request virtual walkthroughs via video. Some enterprises hire national firms to conduct their onsite reviews for them, or leverage other enterprise staff in the area to avoid travel charges and limit the impact on assessment personnel.

Technology-aided Reviews
Software vendors can assist with the third-party risk assessment processes in several ways. Many applications facilitate assessments by increasing automation. For example, if an enterprise solicits documents from third parties, or gathers responses to a questionnaire, a software-as-a-service (SaaS) vendor may offer services to:
• Upload documents
• Complete questionnaires
• Score third-party responses
• Notify the enterprise of next steps (such as manual review of uploaded files)
• Schedule an onsite review

Some vendors provide staff to conduct onsite reviews for the enterprise, to augment the capabilities of enterprise staff. Other vendors offer a repository of completed third-party assessments.

For providers with many customers, responding to a bespoke assessment from each can be prohibitively time-consuming. Instead, some third parties opt into a voluntary association where they complete one assessment and make the results available to all organizations that need them. The Cloud Security Alliance® (CSA) offers a version of this service for cloud service providers, called the Security, Trust and Assurance Registry (or STAR Registry).20 The Santa Fe Group also has a questionnaire framework called the Standardized Information Gathering (SIG) tool, although with no central repository for sharing.21 Other vendors offer opt-in information sharing repositories, such as the Vendorpedia™ Third-Party Risk Exchange, which houses a collection of independently gathered information about a company and contributed items.22 It can also include the results of onsite assessments to significantly expedite an assessment process.

Lastly, there are several online repositories of incidents that an enterprise can search to determine whether any relevant events affect a given third party (many third-party software services include these as well). One such free, nonprofit service is the Privacy Rights Clearinghouse, which makes thousands of public data-breach records available for searching.23 There are also paid services, such as Risk-Based Security Cyber Risk Analytics (formerly the free Datalossdb service)24 and OneTrust’s DataGuidance.25

20 Cloud Security Alliance, “CSA Security Trust Assurance and Risk (STAR),” https://cloudsecurityalliance.org/star/
21 Op cit Santa Fe Group
22 Vendorpedia, “The World’s Only Security and Privacy Third-Party Risk Exchange,” OneTrust, www.vendorpedia.org/
23 Privacy Rights Clearinghouse, “Empowering Consumers. Protecting Privacy.,” www.privacyrights.org/
24 Cyber Risk Analytics, “Actionable Vendor Risk Management,” www.cyberriskanalytics.com/
25 OneTrust, “OneTrust Acquires DataGuidance, Integrates Hundreds of Privacy Laws into OneTrust Privacy Management Technology,” 11 March 2019, www.onetrust.com/company/news/press-releases/onetrust-acquires-dataguidance/

Software can also assist in the control-assessment space. In addition to conducting surveys about third-party control posture, various firms enable enterprises to view the results of an automated control evaluation, typically done via scanning tools. These tools gather whatever information they can about a third party from sites on the dark web, and perform the equivalent of an unauthenticated scan against the third party’s public-facing systems. The tools look for botnet activity coming from Internet Protocol (IP) addresses associated with the third party. The tools can evaluate the status of Transport Layer Security (TLS, still commonly called SSL) certificates. Results are holistically scored on an ordinal scale, and a security rating is extrapolated from the score (in some cases, a security maturity rating may also be assigned).

Various assumptions underlie these approaches and should be called out. While automation can evaluate a large number of third parties expediently, the scope of the resulting assessments can be very limited, and may not reflect the use case(s) for which the enterprise employs the third party. For example, if a third party allows a TLS certificate to expire on an external system—but that system is not used in the business process and data flows in the contracted work—the finding may have limited applicability to the enterprise’s evaluation of that third party’s risk posture. It may be indicative of an overall lax approach to security, or it may be the result of a risk-based approach to certificate management. The usefulness of such findings varies, so it is important to include a level of analyst discretion in the enterprise assessment model, and to check each automated finding against the systems named in the third party’s data flow diagram before it is counted toward the rating.

Risk Analysis
After all third-party evaluations are complete, the risk analyst puts the results into a risk calculation function. Processes based on standards such as ISO or NIST recommend that enterprises consider assets at risk, threats to those assets and all associated controls; enterprises should then synthesize the data points to produce a holistic risk rating for that third party. This is a high-level version of a risk assessment process that is applicable to any IT asset, inclusive of third parties. Because these risk assessment standards tend to be silent on the specifics of how to arrive at a risk rating, it is important to discuss briefly some ways to improve the rigor and reliability of the enterprise third-party risk rating process (or risk analysis process).

The first critical component of conducting a risk analysis is to become clear about what is at risk, and what the results of the third-party assessment actually tell the enterprise about its risk posture. This is where the notion of a fully qualified risk statement becomes important. Fashioned after a fully qualified domain name, this is a complete statement of harm that allows the enterprise, at a glance, to see who is failing, what is failing and the impact. Two examples of such risk statements follow:
• Privileged insiders at a third party use legitimately granted credentials to access customer records and compromise their confidentiality.
• Cybercriminals leverage software vulnerabilities in externally facing systems of a third party, resulting in a service outage of a critical business process.

These statements provide critical information at a glance. First, it is known who is doing or initiating the actions. This is not meant to be a clear statement of attribution; indeed, attribution is very hard and not typically necessary for risk analysis. Instead, it helps an enterprise to be very clear about which threat actor communities are in play. This gives the enterprise a key piece of data for building the first important risk analysis variable: frequency of loss.

With this, the enterprise can estimate how often these threat communities are making a move on a critical asset.

The next data point critical to understanding the overall risk posture is where the failure occurred. This section in particular is informed by the results of the third-party assessment thus far. The results provide insight into third-party control deficiencies. Perhaps during the onsite walkthrough the enterprise assessors noticed that the data center had a false ceiling, so they can see that the physical security controls protecting enterprise data at the third party’s location are diminished. Often these control deficiencies need to be aggregated into categories of control deficiencies/failures in order to analyze them at the appropriate level. For example, in the second example risk statement, software vulnerabilities may encapsulate unpatched systems, zero-day vulnerabilities, misconfigurations or installation of remote services tools. Depending on the level of abstraction that the enterprise requires, it can aggregate these control deficiencies together into a high-level category, such as access control failures, endpoint security hygiene or business continuity failures. If more precision is required, the enterprise can also analyze them at more granular levels (this requires a larger number of risk statements to cover all the relevant scenarios).

The last part of the risk statement allows the enterprise to understand fully what the impact to the organization will be. For example, in the first statement, there is a loss of confidentiality (data breach), and, in the second, there is a loss of availability. This is really the most important part of the risk equation, because without the potential for loss, there truly is no risk.

Whatever the findings from the third-party assessment, they are typically expressed in the form of a control deficiency (as part of an overall risk statement). These control deficiencies and failures need to be mapped to a corresponding risk scenario to ensure that the risk associated with these control deficiencies is appropriately rated.

Threat Modeling
Threat modeling is an important part of the risk analysis process. It is important to identify the actors in a loss scenario (not necessarily with the same level of rigor as attribution—though positive attribution can accelerate the process). It is important to understand which third-party controls are successful at defending against the attacks and errors associated with each threat community. In some cases, controls may address threats from more than one source; for example, the same control that addresses rogue nation states may also defend against cybercriminals. Overlapping controls in this sense should be noted in the threat model.

Other questions to answer when threat modeling include:
• How often will threat agents encounter enterprise assets at the third-party location?
• What is the danger of discovery posed to that threat agent while it is attempting to compromise those assets?
• What perceived value may enterprise data at the third party hold for an adversary?
• What skills does an adversary need to succeed in compromising third-party systems and accessing enterprise data?
• How much time does an adversary need to compromise systems and access data? What resources and materials does the adversary need?
• What level of effort is required overall from the threat agent to compromise the third party?

The answers to these questions can be collected in a threat profile and maintained for each threat community identified by the enterprise. The profile can be correlated to risk statements, third parties and business processes to gain a clearer picture of end-to-end enterprise risk.

Determining Risk Ratings
A basic approach to risk rating involves the risk matrix, which, in its simplest form, may be expressed in a three-by-three or five-by-five grid. These matrices use two factors—typically probability and impact—to represent the risk that the third party poses to an enterprise. Colors usually signify increasing severity, generally with some reference to an ordinal scale measure (e.g., a 1-to-3 or 1-to-5 scale with no unit of measure, such as time or dollars). Whether it uses verbal labels (low, medium and high), colors or ordinal numbers (such as 1, 2 and 3), the matrix is considered a qualitative representation. Figure 1 illustrates this with a heat map showing severity as a function of likelihood and financial impact. These matrices, although widely used, are typically unable to overcome biases, and do not incorporate the validity tests characteristic of more advanced risk analysis methodologies.26

FIGURE 1: Third-Party Risk Management Heat Map: Severity as a Function of Likelihood and Financial Impact
[Heat map. Vertical axis, Financial Impact: < $10k; $10k – $100K; $100K – $1M; $1M – $10M; > $10M. Horizontal axis, Likelihood of Occurrence: < 1 in 10 years; 1 in 10 years; 1 per year; 2 – 10 per year; > 10 per year.]
Source: Freund, J.; J. Jones; Measuring and Managing Information Risk: A FAIR Approach, Butterworth-Heinemann, USA, 2014, https://www.elsevier.com/books/measuring-and-managing-information-risk/freund/978-0-12-420231-3

The ultimate goal of a risk analysis is to deliver a risk rating that drives action in the enterprise. High-risk items should gain the attention of upper management so that they are fully informed of the decisions they need to make. One common mistake is to conduct a risk analysis without first understanding the concerns of management. This lack of understanding often results in a security executive reporting on third-party risk using colors that represent the assessor’s view of the risk priority, while the other executives are talking about risk in terms of potential losses to the enterprise.

An advanced approach to third-party risk rating will reflect the economic impact of any third-party data compromise or interruption of service on enterprise business objectives. Fundamentally, the ideal methodology connects cybersecurity consequences to business goals. Understanding the economic impact can also allow enterprises to set aside money to offset potential risk or purchase insurance to help offset financial losses associated with cyberincidents.

Associating the risk rating of third parties with potential loss is a highly mature way of understanding the management view of risk and the position of third parties on the risk spectrum. This approach provides the opportunity to assign high, medium and low risk ratings, indexed to potential economic impact, and allows risk management to drive priority through the enterprise and ensure proper remediation of findings.

26 Hubbard, D.; D. Evans; “Problems with scoring methods and ordinal scales in risk assessment,” IBM Journal of Research and Development, vol. 54, no. 3, paper 2, May/June 2010, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.163.4544&rep=rep1&type=pdf
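The Risk Analysis, Threat Modeling and Determining Risk Ratings material above carried through in code: a fully qualified risk statement (who, what fails, impact), a threat profile holding the answers to the threat-modeling questions, control deficiencies mapped to a scenario by category, a loss-event frequency and annualized loss exposure, and the resulting cell on the Figure 1 axes. This is an added example, not code from the paper or from ISACA. Everything numeric is an assumption a risk owner would supply: the contact frequencies, probabilities of action and capabilities in the two threat profiles, the control-strength and loss-magnitude figures, the half-open band boundaries read off the Figure 1 axis labels (the paper gives them only as text), and the High/Medium/Low thresholds on annualized loss exposure. The vulnerability model (capability times remaining control weakness) is a deliberate simplification standing in for FAIR's comparison of threat capability against control strength.

```python
"""FAIR-style rating of fully qualified risk statements (added example, not from the paper)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Figure 1 axes. Half-open [lower, upper) bands; the numeric boundaries are this
# example's reading of the axis labels, which the paper gives only as text.
LIKELIHOOD_BANDS: List[Tuple[float, str]] = [
    (0.1, "< 1 in 10 years"), (1.0, "1 in 10 years"), (2.0, "1 per year"),
    (10.0, "2 - 10 per year"), (float("inf"), "> 10 per year"),
]
IMPACT_BANDS: List[Tuple[float, str]] = [
    (1e4, "< $10k"), (1e5, "$10k - $100K"), (1e6, "$100K - $1M"),
    (1e7, "$1M - $10M"), (float("inf"), "> $10M"),
]
# Rating thresholds on annualized loss exposure (USD). Assumed; a risk owner sets these.
RATING_THRESHOLDS = [(1e6, "High"), (1e5, "Medium"), (0.0, "Low")]


def band(value: float, bands: Sequence[Tuple[float, str]]) -> str:
    """Return the Figure 1 axis label whose band contains value."""
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


@dataclass(frozen=True)
class ThreatProfile:
    """Answers to the threat-modeling questions, kept per threat community."""
    community: str                 # "who" in the risk statement
    contact_frequency: float       # how often agents encounter the asset, per year
    probability_of_action: float   # 0..1: perceived value vs. danger of discovery
    capability: float              # 0..1: skills, time and resources available

    def threat_event_frequency(self) -> float:
        return self.contact_frequency * self.probability_of_action


@dataclass(frozen=True)
class ControlDeficiency:
    finding: str
    category: str          # aggregated category, e.g. "access control failure"
    strength_loss: float   # 0..1 share of the control's strength the finding removes


@dataclass
class RiskStatement:
    """Who (actor) / what is failing (failure category) / impact (effect on asset)."""
    actor: ThreatProfile
    failure: str
    effect: str
    asset: str
    baseline_control_strength: float   # 0..1 if no deficiencies were found
    loss_magnitude: float              # USD per loss event, from the business owner

    def text(self) -> str:
        return (f"{self.actor.community} exploit {self.failure} at the third party, "
                f"compromising the {self.effect} of {self.asset}.")

    def residual_control_strength(self, deficiencies: Sequence[ControlDeficiency]) -> float:
        strength = self.baseline_control_strength
        for d in deficiencies:
            if d.category == self.failure:   # only findings mapped to this scenario count
                strength *= 1.0 - d.strength_loss
        return strength

    def vulnerability(self, deficiencies: Sequence[ControlDeficiency]) -> float:
        # Simplified stand-in for FAIR's P(threat capability > control strength).
        return self.actor.capability * (1.0 - self.residual_control_strength(deficiencies))

    def rate(self, deficiencies: Sequence[ControlDeficiency]) -> Dict[str, object]:
        lef = self.actor.threat_event_frequency() * self.vulnerability(deficiencies)
        ale = lef * self.loss_magnitude   # annualized loss exposure
        rating = next(label for floor, label in RATING_THRESHOLDS if ale >= floor)
        return {"statement": self.text(), "lef": lef, "ale": ale, "rating": rating,
                "likelihood_band": band(lef, LIKELIHOOD_BANDS),
                "impact_band": band(self.loss_magnitude, IMPACT_BANDS)}


def unmapped(deficiencies: Sequence[ControlDeficiency],
             statements: Sequence[RiskStatement]) -> List[str]:
    """Findings no risk statement covers; they stay unrated until a scenario is written."""
    covered = {s.failure for s in statements}
    return [d.finding for d in deficiencies if d.category not in covered]


# Constructed sample data modelled on the paper's two example risk statements.
INSIDERS = ThreatProfile("Privileged insiders", contact_frequency=250, probability_of_action=0.01, capability=0.9)
CRIMINALS = ThreatProfile("Cybercriminals", contact_frequency=52, probability_of_action=0.2, capability=0.6)
FINDINGS = [
    ControlDeficiency("Shared admin accounts, no session recording", "access control failure", 0.6),
    ControlDeficiency("Internet-facing web server unpatched > 90 days", "software vulnerability", 0.5),
    ControlDeficiency("False ceiling above the server room", "physical security failure", 0.4),
]
STATEMENTS = [
    RiskStatement(INSIDERS, "access control failure", "confidentiality", "customer records", 0.8, 2_000_000),
    RiskStatement(CRIMINALS, "software vulnerability", "availability", "the order-processing service", 0.7, 150_000),
]

if __name__ == "__main__":
    for s in STATEMENTS:
        r = s.rate(FINDINGS)
        print(f"{r['rating']:6} LEF={r['lef']:.2f}/yr ({r['likelihood_band']}), "
              f"LM {r['impact_band']}, ALE=${r['ale']:,.0f}: {r['statement']}")
    print("Unmapped findings:", unmapped(FINDINGS, STATEMENTS))
```

Run as a script it rates the insider scenario High (about 1.5 loss events per year against a $1M–$10M magnitude) and the outage scenario Medium, and reports the false-ceiling finding as unmapped rather than silently dropping it, which is the mapping check the text asks for before a deficiency is rated.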

Assessment Closeout and Ongoing Monitoring
After assessment activity concludes, and an overall risk rating is assigned to third parties, certain follow-on activities are required to ensure closure of third-party risk governance processes. These activities vary from enterprise to enterprise, but a rough outline of general practices follows.

Control deficiencies discovered as a part of the assessment are usually documented in a central repository and presented to business owners and others for treatment decisions. Risk owners have the option to accept or mitigate the risk associated with control deficiencies. Risk owners consider the role that compensating controls (if any) can play in the risk response. The organizational role that responds to the control gap often depends on risk ratings; for example, higher risk ratings may merit the attention of upper management.

Transferring risk is an option, and can be considered a subcategory of acceptance, because remediation of a control deficiency is often quite difficult with third parties. For example, many third parties do not make changes unless the contract specifically outlines the control requirements. As a result, remediation of third-party control deficiencies can take several assessment cycles to complete, and often involves more than a single contract cycle. Because the risk associated with the control gap may persist for some time, acquiring insurance may be prudent. This is a critical time for discussion with the business owner to ensure that the control deficiency, and how its associated risk impacts the business objectives that the business owner is charged with achieving, are understood. Severe control deficiencies can trigger a new contract with a different third party, and enterprise business objectives may incur significant impact as a result.

Many enterprises have some form of third-party governance that presents cyberrisk assessment results alongside other control partner outputs, including country risk and financial risk. This presentation enables an enterprise to gain a holistic view of risk associated with a given third party across multiple domains. A predetermined template may be used to report these results, or each group may have its own report format.

Many enterprises centralize tracking and reporting on risk, including third-party risk, so that all results and work papers are captured in a central location for posterity and auditing reference. Results of prior-year assessments are typically stored in such systems, and can be reviewed when conducting new assessments.

Most enterprises establish a regular cadence for third-party assessment. Often, such cycles are risk based; high-risk third parties may require annual review, while other third parties with less risk are reviewed every few years. The assessment schedule must be documented in the contract with the third party, and a statement of frequency must accompany the right-to-audit clause. Some automated third-party management technologies issue notifications when scans or assessments require attention between assessment cycles. For example, if a breach disclosure is detected, the enterprise receives notification, and takes steps to ensure that enterprise data at the third party are properly protected; finally, the enterprise determines whether to initiate the incident response process.

Conclusion
Third-party risk management is a critical component of an overall vendor management program. As more enterprises rely on third parties to help deliver their products and services, third-party risk management will only become more critical over time. Building good enterprise processes, governance and hygiene around third-party management is an important initial step to ensure that third parties are properly vetted before sending data to them. This effort helps to ensure that contracts—including data privacy and security agreements—are executed, and that enterprise data can be presumed reasonably safe under the purview of third parties.

Conducting regular reviews of third-party controls and addressing control gaps and deficiencies ensure that data and service protection is commensurate with the risk that third-party activities pose to the enterprise. Many technologies and software platforms can help to expedite and automate these review processes. Risk ratings are assigned to third parties, criticality to control deficiencies, and gaps are managed through a closeout process that allows an enterprise to properly manage the third party, influence future terms and conditions of the contract, and protect enterprise interests. Managing third-party risk is a critical aspect of cybersecurity programs overall, as the digital walls separating enterprises from third parties are lowered and the world becomes more interconnected.

Acknowledgments
ISACA would like to acknowledge:

Lead Developer
Jack Freund, Ph.D., CISA, CRISC, CISM, CIPP/US, CIPT, CISSP, FIP, Director, Risk Science, RiskLens, USA

Expert Reviewers
Clemence Chikombingo, CISA, IT Auditor, Midlands State University, Zimbabwe
Dapo Ogunkola, CISA, CRISC, ACA, CFE, CFSA, Internal Audit Manager, Ernst Young, United Kingdom
James C. Samans, CISA, CRISC, CISM, CBCP, CPP, CIPT, CISSP-ISSEP, PMP, Director of Information Systems Security, American Institutes for Research, USA
Scott Solomon, CIPM, CIPP/E, Product Marketing Manager, OneTrust, USA

Board of Directors
Brennan Baybeck, Chair, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA
Rolf von Roessing, Vice-Chair, CISA, CISM, CGEIT, CISSP, FBCI, FORFA Consulting AG, Switzerland
Tracey Dedrick, Former Chief Risk Officer with Hudson City Bancorp, USA
Pam Nigro, CISA, CRISC, CGEIT, CRMA, Health Care Service Corporation, USA
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP, Holistics GRC, Mexico
Gregory Touhill, CISM, CISSP, Cyxtera Federal Group, USA
Asaf Weisberg, CISA, CRISC, CISM, CGEIT, introSight Ltd., Israel
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT (Pty) Ltd, South Africa
Chris K. Dimitriadis, Ph.D., ISACA Board Chair, 2015-2017, CISA, CRISC, CISM, INTRALOT, Greece
Greg Grocholski, ISACA Board Chair, 2012-2013, CISA, Saudi Basic Industries Corporation, USA
David Samuelson, Chief Executive Officer, ISACA, USA
Rob Clyde, ISACA Board Chair, 2018-2019, CISM, Clyde Consulting LLC, USA

About ISACA
Now in its 50th-anniversary year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its 460,000 engaged professionals—including its 140,000 members—in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.

1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Provide Feedback: www.isaca.org/managing-third-party-risk
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAHQ
Instagram: www.instagram.com/isacanews/

About OneTrust
OneTrust® is the #1 most widely used privacy, security and third-party risk technology platform, trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO 27001 and hundreds of the world’s privacy and security laws. OneTrust’s three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.

DISCLAIMER
ISACA has designed and created Managing Third-party Risk: Cyberrisk Practices for Better Enterprise Risk Management (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS
© 2019 ISACA. All rights reserved.


DATA SHEET
OneTrust Third-Party Risk Management

HOW THE WORLD MANAGES THIRD-PARTY VENDOR SECURITY AND PRIVACY RISKS
300+ Global Laws Embedded in the Platform | 100% Coverage of the Vendor Risk Management Lifecycle | 360° Third-Party Vendor Visibility

A Centralized Risk Management Platform for Global Security and Privacy Professionals
Third-party vendor risk management isn’t a new concept, yet the risks posed to enterprises have evolved. Increasing reliance on third parties, new privacy regulations, shifting cybersecurity threats, and frequent data breaches have upended the third-party risk management landscape. OneTrust Vendor Risk Management is a purpose-built security and privacy solution that directly addresses these challenges and many others.

ASSESS: Risk Assessment Automation. Assess and mitigate third-party vendor risks in less time and with better results.
EXCHANGE: Vendorpedia™ Third-Party Risk Exchange. Exchange pre-completed third-party vendor risk assessments and access research on 6,000+ global vendors.
MONITOR: Third-Party Threat Monitoring. Monitor security and privacy threats over time to maintain a watchful eye on third-party vendors.

PRIVACY, SECURITY & THIRD-PARTY RISK