New guidance for continuous monitoring of third party IT security risks
- Published: Wednesday, 10 October 2018 08:38
The Shared Assessments Program has released its latest risk management guidance, ‘Innovations in Third Party Continuous Monitoring’, the latest addition to the organization’s Building Best Practices series. The series is provided as a free industry resource to security and IT professionals worldwide to drive risk management among digital ecosystem partners.
Third party IT security risks can cause millions of dollars in damages; recent analyst findings confirm that third party involvement was the top contributing factor that led to an increase in the cost of a data breach in 2017. Effective application of the ‘Observe-Orient-Decide-Act’ (OODA Loop) decision cycle principles described in the guidance enables organizations to improve situational awareness, increase risk management program ROI, and reduce compliance costs.
The OODA Loop helps organizational leaders:
- Assess their organization’s risk appetite and strategically plan accordingly;
- Prioritize availability of highly experienced analysts who have the ability to recognize a threat and act accordingly; and
- Ensure the availability of a set of predefined actions – also known as a ‘playbook’ – for specific types of threats to help guide less experienced analysts, and provide more experienced analysts with a policy framework for documenting actions.
It helps risk management practitioners immediately identify:
- A third party’s ability to support the outsourcer’s requirements for regulatory compliance; and
- Changes in the third party’s processes, personnel and/or technology that could potentially inhibit their execution of key risk management processes.
“While using third parties can benefit corporate strategy, third parties can also increase both the firm’s operational risk and the costs associated with effectively managing that risk,” said Caree Wagner, managing director, Corporate Operational Risk Management – Third Party Operational Risk at BNY Mellon; Continuous Monitoring Working Group Co-Chair and contributor to the third party risk management paper. “The traditional, static risk assessment process is expensive to execute and may not identify emerging risks until it’s too late. This paper aims to outline how complementing traditional risk assessment processes with a continuous monitoring program can provide more real-time opportunities to identify and mitigate third party risk.”
‘Innovations in Third Party Continuous Monitoring’ may be downloaded here (registration required).