3rd Party Security Governance
How do you ensure your 3rd parties are securing confidential information?
Overview
Today's business environment is increasingly dependent on third party relationships as organizations concentrate on their core competencies and outsource many non-core services. In turn, the heightened security expected by customers and a growing global emphasis on legal and regulatory compliance require evidence of adequate governance measures. Thus, the twin issues of due diligence and due care over third parties have become critical to business success.
Due diligence is defined by Merriam-Webster's Dictionary of Law as "the care that a prudent person might be expected to exercise in the examination and evaluation of risks affecting a business transaction." Due diligence may be demonstrated in part by performing a risk evaluation on a third party prior to contract formation. Due care is defined by Merriam-Webster as "the care that an ordinarily reasonable and prudent person would use under the same or similar circumstances." In other words, due care incorporates the ongoing process of assuring the third party performs in a manner that does not increase anticipated risks.
Traditional supply chain risk management focuses on the logistics of supply: the viability of the supplier, risks of loss inherent in transportation, and steps needed to clear goods through customs. In contrast, managing the information security risks in a third party services relationship focuses on the sharing of proprietary or confidential information. When internal functions such as human resources, information technology, or other services are handed off to third parties, the risks to information confidentiality, integrity and availability can be very significant. Such outsourcing is justified by savings in cost, access to competencies, or avoiding the effort of performing the function in-house, but it increases the burden of due diligence and due care for as long as the arrangement lasts. Many regulations make little or no distinction in responsibilities between the subject company and its outsourcing providers: the company that hands off the function remains accountable for the information it shares. Therefore, due diligence in third party selection and due care through third party governance have become vital to the success of outsourcing arrangements.
Context
Third party security governance is a subset of an enterprise risk
management program. The aim of establishing such governance is the mitigation of risk to a level acceptable to the
organization. The chart below gives an enterprise-level view of the context for third-party security governance.

As the chart indicates, typical third party agreements contain elements of risk based on:
- Information technology issues, such as extranets and remote access
- Security issues, such as the exchange and processing of confidential information
- Third party issues, such as supplier viability and contractual performance
Service Outline
The service offering of Third Party Security Governance is divided into two main components: due diligence and due care. HotSkills offers consulting services to assist clients with the design and implementation of due diligence processes, and with the development of the processes and tools needed to perform due care.
Due Diligence Components
Phase 1: Current Status Assessment
The initial activity is establishing a risk-based view of the current third party governance efforts. Once the current
status is documented, the findings are used to develop a plan for process improvement.
- Review existing third party governance processes
- Review at least a sampling of existing third party contracts to evaluate stated requirements
- Perform a gap analysis between existing and recommended governance processes
- Create a roadmap to achieve continuous process improvement
Phase 2: Planning for Third Party Security Governance
Once the gaps between the current and recommended governance processes are known, the roadmap points to the needed design, modification or optimization of the process to assure defensible, risk-based due diligence. Our third party security governance model is based on the ISO 27002 standard, Code of practice for information security management. Building on this international standard makes it possible to coordinate third party security with an existing Information Security Management System (ISMS) and with other governance models such as COBIT and ITIL. Because the HotSkills model is process-based and risk-driven, it gives management greater insight into third party security governance processes, provides metrics for both management review and process improvement, and ties third party governance into the enterprise risk management methodology.
- Given the organization's risk posture, security posture, and business requirements, create a plan to optimize third party security governance activities
- Map out existing processes for third party due diligence and due care
- Map out existing third party security governance roles and responsibilities
- Relate third party security governance to overall third party due diligence activities
- Relate third party security governance to enterprise risk management goals
- Secure management sponsorship and authority for the third party security governance program
- Create or revise third party security governance processes as needed
- Create or revise third party security assessment tools as needed
- Create or revise applicable security policies, standards and procedures as needed
Phase 3: Implementation
Once the third party security governance activities are planned, they must be implemented to create the assurance needed for
proper due diligence.
- Top management must empower and support the program
- Communicate roles and responsibilities within third party security governance to appropriate departments and individuals
- Provide training and instruction to related roles and business units
- Transition third party relationships into new program
- Put new third party security assessment tools into everyday use
- Apply new assessment tools to existing third party relationships where justified by risk or business requirements
- Incorporate security and risk assessment into the third party selection process
- Provide third party security assessments to business decision makers
- Transition third party selection into risk-based decision process
Due Care Components
Phase 4: Ongoing Third Party Security Governance
The due care component of third party governance means that each third party is subject to review and evaluation of its performance over time. This due care must be exercised on a regular basis for all risk aspects of the relationship, whether business, security or information technology. The HotSkills third party security governance model provides our clients the tools needed to demonstrate that such due care is in place.
- Establish a scheduled review cycle for all third party security relationships
  - Inception activities
  - Annual review activities
  - Long term re-evaluation/re-assessment activities
- Develop tools and forms for annual review
- Develop tools and forms for long-term re-assessment
- Incorporate guidance from third party security governance into business processes for contract renewal or revision
- Manage third party security governance inputs and outputs
- Use security governance metrics to improve both third party relationships and the third party governance program
- Demonstrate legal and regulatory compliance within third party relationships
Summary
In a business environment where outsourcing is a key success strategy, allowing organizations to focus on their core
competencies, there has never been greater emphasis on third party relationships. However, the use of third parties to
provide business solutions brings the added burdens of due diligence in third party selection and due care in third party
oversight. The increasing pressure from legal and regulatory requirements will invariably add to the efforts of due
diligence and due care.
The HotSkills third party security governance model is specifically designed to ease these burdens. The model provides continuous assurance of both due diligence and due care. Based on an internationally recognized and accepted standard, using assessments driven by risk management principles and processes designed to provide insight and metrics, HotSkills can assist organizations seeking to move from reactive to proactive, optimal third party governance. Integrating third party security governance into an overall third party governance program, and third party governance into enterprise risk management, our model provides the tools necessary to achieve defensible assurance for both clients and regulators.
info@hotskills-inc.com (800) 507-4517
© Hotskills 2005-2008 All Rights Reserved. 4801 Nicollet Ave S, Suite A Minneapolis, MN 55419