
All right, welcome everybody. We are here to talk about third-party risk management. You'll see that I noted this as the overlooked security risk; really that just means the business has a tendency to overlook third-party risk and what it can do to the business, so we'll get into that a little bit later. So, a little about me: I'm from Pittsburgh, so I traveled here to be at Charleston. I've got two kids and I'm married. One of my kids wrestles, so we're in wrestling season right now. Good stuff. I don't know if any of you guys have ever had the pleasure; I think it's mainly a northern thing. Um, it gets really intense. So, a little more on the professional side
though, I am a GRC consultant, so I work with governance, risk and compliance to help companies build security programs based on whatever frameworks that they need. So I do a lot of policy writing, program building, being an adviser to them. I have my master's in cyber security and information assurance, so when I got my master's that did a lot of red team work, a little bit of blue team, and just the sprinkling of GRC, so I have a lot of different background. I have my bachelor's in advanced networking; I was a network engineer for quite some time. So in order to be in security you kind of have to know all these different things.
So you'll see I have 13 years in IT. I'm so old. I joined the Navy right when I turned 18, so I'm in my young thirties now. I've been in security for the last eight years, and I have a lot of industry experience over retail, healthcare, you know, government and higher education. So you'll see on this slide, if you guys are familiar with Prezi, you can set it up any way that you want. This is my table of contents; we're just gonna kind of slip on through it. So, third parties: they're everywhere. Businesses nowadays, you will not find a business that does not use a third party in some sort of fashion. There are consultants like me, they're doing
marketing for your company, there are service providers, SaaS, they're providing your infrastructure. Whatever it is, third parties are doing it for the majority of companies. You won't find many that will have everything in-house. And so when we talk about third-party risk, it's really important that the business understands how big of a risk this poses to them and that they're evaluating it properly.
So now we're going to talk about what third-party risk management is. We've talked about how third parties are in the business we use online; third parties can provide services to you. So, third-party risk management: you're gonna use a due diligence process to evaluate those vendors for their security controls. The evaluation can be whatever your business deems important, but ultimately you're trying to protect the confidentiality, integrity and availability of any data that they may have. You also, most importantly, want to help the business make risk-aware decisions. Security, we are here to advise the business; we're not here to tell them no or slow them down. We need to tell them what has the
most impact to their business and help them make the right decision. And if they are moving forward with a vendor that they shouldn't move forward with, then the business needs to accept that risk. That risk doesn't come to security; it goes to the business. And also, third-party risk management, what we're talking about right now, is primarily for assessing vendors providing your organization with services. Later on in the presentation we will discuss if you are a consulting firm or someone providing services to a third party that's constantly being assessed, so that opposite side of third-party risk management. Any questions? No? Is anybody... just to kind of get an idea of who you guys are, how many of you are students?
Okay, and the rest of you, you are in an organization? Are you part of the third-party risk management program right now? No? Have you ever had any insight to it? Does your organization even have one set up? No? Okay. Or are you on the flip side, are you a company that's constantly being assessed? No. So what you're looking at right now is the vendor lifecycle. So when you have a vendor come into your organization, it's going to start going through what I call the vendor lifecycle. Every organization may call this something differently, you may think of it in a different way, but this is just what I've come to know in my years of doing third
party. So first you're gonna have governance. Like with any program, you shouldn't be running it unless you have your governance in place: so your policies, your standards, your procedures, what's gonna drive that program. Most people don't like doing that part of vendor risk management; they'd rather be in the technical details or doing that sort of work. Luckily there's people like me who really do love the governance, risk and compliance and writing up the documentation and kind of driving that program. Next, once you have your governance stood up, that's when the business really should be starting to bring in those third parties. So you have your planning phase. So whether it's humans, um, business units, whoever it may
be, they're going out to vendors and they're trying to put in, you know, RFPs and understand what services they want to get from vendors. And so once they identify these vendors, that is when security steps in for the due diligence phase. In the due diligence phase, we're gonna actually go into that a little more in depth right now. We will not cover the other portions just because it's not as relevant to us, but I do want to talk about the life cycle so you understand how it applies to your organization. So after due diligence, you'll move into contract negotiation. When we talk about due diligence, you'll be able to kind of understand why the
contract negotiation is really important. Ongoing monitoring: so this is not a once and done with your vendors, unfortunately. You have to keep assessing them on a regular basis, because threats are always there, they're always evolving, controls constantly need to be updated depending on the framework and everything. So ongoing monitoring, and there are some regulations that drive, you know, doing it on a yearly cadence, like PCI. And then once you decide you want to stop working with the vendor, you terminate that contract or you stop working with them. For termination, if you have been trading any data with the vendor, it's really important that you get a certificate of destruction. That's just gonna have your vendor verify that
they have in fact removed any data that they may have from your organization. Really important if they're working with really sensitive data. Any questions? So, due diligence: like I said, this is where security's gonna live. Um, this is where we're really gonna start getting to know the vendor, understanding what services they may be providing to the organization. Call it the due diligence process or whatever your organization wants to call it. So we need to understand the scope before we start doing anything with the vendor. You won't be able to truly assess them and be able to read the assessment unless you know what services they're providing. So I have a couple items up here that I have found to be the most
important to understand for their services. Data classification: this is very, very, very important. So data within your organization should be classified. If you have really sensitive data such as PII, PHI, financial data, whatever it may be, you need to classify that, so you know when it leaves your organization, you kind of understand what controls you want them to do to protect it. Data classification seems to have like three levels: it could be non-confidential or public, regulated, confidential, or the military uses different classification levels. It just depends on what your organization wants. You know, the organization, the company can kind of drive all those decisions, probably want to classify the data how they look at it. So really
important that you understand what's leaving your organization. Also, if they're gonna store, transmit, process data, you need to know this, and you need to understand how they're gonna do this, so that way when they answer the questions you can look at it and really get the full picture and understanding of what they are doing. And next, remote access: are they going to need access into our environment, and if so, how are they going to do that and what are we going to evaluate? Software-as-a-service functionality: software as a service, really important. That's where everything's going nowadays, put your stuff into the cloud and that's it. But it's really important that we understand that we're also responsible for maintaining and managing all those
controls that go up there. So you need to do access reviews, and you need to, you know, make sure that people know not to do certain stuff on there. So software as a service, you need to make sure you're evaluating it and understanding how they've built their platform. Questions? All right, yes. Okay, so really good question. Let's look at it from two different perspectives. There's security, so we're always gonna care about the security controls and protecting the data and all that stuff that falls into our security realm. The other side of the stakeholders is the business. So the business is going to be anybody vested in that vendor relationship. That can be, you know, the VP, a business unit, it could
be a manager, it could be external stakeholders, it could be the board. It just depends on... I hate saying it depends because it's such a big answer, but it truly does depend on the nature of the vendor. So if this vendor is just coming in, they're not gonna receive any data, they're not gonna do anything but come in and consult, okay, well that might be a lower-risk vendor that the whole organization, meaning the board or whatever, may not care to know about. But what if there's a vendor that we're sending all of our PHI to so they can analyze that PHI and provide an output? Okay, well that's a high-risk vendor, and the business all the way up to the board
may want to know, you know, the risk associated with that. Does that make sense? Okay. Yeah, it depends. It's such a big answer, and it's a... I hate saying that answer 'cause, you know, it doesn't really give you a whole lot of clarity, but in this situation, yeah, best judgement.
Okay, so now we move on to the risk assessment. You are trying to evaluate their overall security posture, and there's some level of trust that has to go between you and the vendor. You have to try to trust them that they're providing you all the right answers and not trying to live in that gray area where they kind of do it but they kind of don't. So it's really hard, but it gets better if you're using, uh, like third-party certifications or attestations to validate their responses. So a lot of times you can use a SOC 2 Type 2; that is more into the security controls, and a third-party vendor would have come in
and evaluated them. The same goes for the ISO 27001. I am not a fan of using that one, though, because if you're not being very diligent at what you're looking at, you can certify just one thing, and, you know, that may not be applicable to the services that the vendor's providing. So it's all about really paying attention to those key details. Along with, you know, evaluating their posture, you have to provide them a standard questionnaire to fill in. A lot of places kind of just develop it based on what they really need to know. If you're struggling to figure out the type of assessment to build, I would suggest the NIST Cybersecurity Framework and just starting to go down
the line. The cybersecurity framework has a lot of controls in there that could be applicable to your organization, and you can word them in a way that you would get really good responses to. With those questionnaires, though, I would advise you guys not to be too wordy with the questions. I like to be mindful that not everybody answering these questionnaires is gonna be a security expert. Sometimes it's going to be just the IT help desk person, or it could just be an assistant or whoever it may be, and that unfortunately is just the name of the game. That has a lot to say with their security too, if they have that sort of person, right? But I mean, it is what it is.
People are trying to develop their businesses and can't always have, you know, the top-notch security. Go ahead.
Yeah, yeah. Well, I would... like I mentioned before, the NIST Cybersecurity Framework is a really good place to start, but the volume of questions gets really high, and that in turn makes people not want to answer them. So you probably see like really long time responses if it starts getting longer, if they do it at all. Um, and there's kind of like a bunch of routes that you could take with that. If they don't do it at all, well then why are we giving them business? Why are we letting them sign the contract? And that's kind of a route that you would take with your procurement team or legal or whoever's handling the contract,
because if they're not even willing to answer the assessment, then why are we exchanging services with them? Why are we letting them continue down that path? Now, as far as the standardized questionnaire, that's a really tough one, because a lot of organizations have a lot of different questionnaires. Every organization will have, you know, their own versioning of it, and so now you have an issue with the vendors receiving 50 million different types of questionnaires instead of just the one that they can easily answer back. Have you ever heard of a SIG? Yeah? Yes.
Yeah, tedious, yes. How many questions do you use right now?
Yep, it gets painful for sure, especially when they're marking that they don't do something. All right, well, what do you do now? Because now you have a bunch of potential risk. And so I worked at a major retailer, and Dick's, I actually stood up a program there where we built in full automation of risk assessments using a SaaS. So vendor fills out the questionnaire, I already automatically score it, so, you know, based on their answers, if they were above our risk tolerance then they would just automatically pass and I wouldn't even see them unless to verify, like do an audit spot-check or something. But the ones that had negative responses, and too many of them, they would go through the
risk acceptance process. So is that something that you've been doing with yours? Instead of going back and forth, just automatically putting them into a risk acceptance process and making the business accept those risks, and possibly writing those risks into the contract and making them fix it within a certain amount of time. So a lot of, a lot of factors go into it. While I'm providing all of these, like, pointers, sitting down and really consuming the information, it's the most important part of it, and working with the business, but the business being: what's the risk tolerance, you know, what data are they allowing to leave the building, and that sort of side of it. But on the security side, working
with security to figure out what questions are the most important. Are you just asking a bunch of questions? Like if you look at that question and you see the response and you're like, I don't really care about that question, should you even be asking it? Or should you only be asking those questions that are like deal-breakers to your organization? You know what I mean? A little bit? Yeah, I could talk with you more afterwards if you want to brainstorm on... okay. I live in Pittsburgh so I have a flight to catch. All right, um, so we talked about, I talked about risk scoring a little bit just now, but always make sure you have constant analysis by using
risk scoring. The risk scoring, if you're just using high, medium, low or whatever, that's very subjective. So I would highly suggest you getting with your peers in security and working together to risk score the questions appropriately, so that way when they respond back you have the right risk score. Like I said, it can be subjective, so you don't want to think that it's a very high when, you know, the rest of the team may think it's a medium based on compensating controls or whatever. Does that make sense? Yeah? Okay. So since we kind of talked about, you know, building risk assessments, we're gonna talk about it a little more in depth right now. So like I mentioned, the
NIST Cybersecurity Framework, my personal favorite, because it just throws everything right there for you. It has all the controls, and in fact when we get to the demo later, you will see in the demo I do use the controls from NIST to build out some questions for you guys to see. So we also have these functional areas. So if you don't use NIST, these functional areas of the company that you're assessing should be what you're looking at in a generic sense. You may end up calling it something different, but: governance; asset management; threat and vulnerability management; incident response and recovery; workforce management, meaning security awareness and how they're training their people; risk management; identity and access management;
situational awareness, or are they staying on top of the trends and alerting and what's going on in the Twitter world, because everything on Twitter happens instantly, and, you know, all the risk; or vendor risk management, are they actually assessing their own vendors? Because if not, that's a problem, because they could be sending your data to a third party, a fourth party to you, and now you lose extra sight of those risks or that data. Are they protecting their data at rest and in transit? These are all those areas or what you're trying to figure out what they're doing at their organization. So you want to ask questions that are going to let you know if they're doing these
main things, and all these can be mapped to NIST in some sort of fashion. In fact, they could probably be mapped to any framework that you pick; you're just depending on the wording that they use. Questions? All right, so now we're going to talk about findings. You have the scope, you've done the risk assessment, well, now you have the findings. What do you do with those? You need to communicate on to the business. The business, like I mentioned before, is the ultimate decision maker when it comes to the vendors. They should always be making the decision whether or not to be moving forward with the vendor. They should own that risk, because I'm not doing anything
with the vendor. I'm not transferring data with the vendor. I'm just assessing them and providing you an opinion on what you should do or not. Most of the time the vendors that I interact with haven't been so terrible that I'd tell the business not to, but there have been risks I told the business, like, this wouldn't be a smart decision, you're sending them certain data and they don't have the right controls. But when you work with the business, whoever the business may be, it could be the vendor risk manager, or I mean the vendor relationship manager, the person bringing that vendor in, could be managers, whoever, you need to clearly state the risk issue and recommend
remediation. Um, at times security people or technical people can be, um, a little too technical when we're talking to others. Even now, sometimes I may say stuff that, um, may not be in your realm of what you know. And so it's really important that we come together collaboratively and work with the business and help them understand why it's a risk and why it's so important, and make them feel like they're comfortable enough to come talk to you about these things. We always want to make sure we're establishing a really good business relationship with our peers and the other parts in the business. You know, remediation: so I mentioned whenever we first looked at the vendor lifecycle
that we would talk about contract negotiation. All right, so contract negotiation is gonna come in right here: remediation. So if there's findings, you want to push it on to the vendor to fix it, but being realistic, the vendor may not have the funds, the time, or maybe just don't want to. So if they aren't willing to remediate, write it into the contract; if you can't, protect the business, talk to legal, do whatever you need to. Just communicate: we have a finding, it's not being fixed, we need to document, push for them to remediate, whatever it may be. I don't... I haven't had too many vendors that made like a fuss when they couldn't fix something, but if they don't have
something fundamental in place like vulnerability management or something, okay, well that's gonna be a huge lift for them to put into place. It's not gonna be something that, you know, we get right over and say, hey, you need to put this in place before we do business with you. And so that escalates to a decision that the business needs to decide, if they're okay with that risk of them not having vulnerability management in place. And at that point, as the security adviser, I would tell them that they absolutely shouldn't be transferring data with them if they don't even, you know, scan and patch like they should. But like I said, it's up to the business.
All right, risk acceptance. So I was briefly touching on it just then. So any findings that cannot be remediated should be documented. Now that's not just talking about the contract, that's talking about security. We need to keep our thumb on any risks as they relate to third parties. This can be done in a spreadsheet, it can be done, you know, in a database, however you want to do it, but I would highly suggest using a consistent form. Don't just, you know, from here to there use different forms; keep it consistent. It'll make your life so much easier when you're looking at them later. And you should include the risk, the score, and most importantly the reason
for acceptance. The business not wanting to look for a new vendor because, you know, they're in a time crunch, is that really a good reason for acceptance? Probably not. Not just security, I would just say go look for another. But to them it may be, so they just need to document that. Um, another reason could be maybe they are one vendor of three that only provide that particular service, and it's a very, like, tailored type of vendor. Okay, well that sounds like a reasonable reason for something me. And ultimately everything should roll up to your enterprise risk management. Your risk management committee should be briefed on these risk, high-risk vendors, um, any vendors that aren't in your threshold
first offense. And finally, a scorecard. So you need to have a consistent report deliverable. So you did all this work, well, what's your output? What are you providing to someone for their artifact to know? So this could look however you want. When I show you in the demo, I made a very, very, like, basic version of it, but you can make it more elaborate if you want. And you want to communicate the key points of the assessment: what did you look at, what did you find, anything concerning, any risk acceptance, and indicate the overall vendor risk score. So depending on the type of scoring that you put in place in your organization, you may want to put it in
there. When I worked at my previous employer, we put in, um, A through F for the risk scoring. So we would have a number side on security, but when the business saw it, they saw A through F, and I mean that's kind of easy to understand. We all go through the grade system, so it's easier for them to understand it. And like I already mentioned, and any need for risk acceptance. Questions? No? Now, I just gave you guys so much information. I love this little girl; she reminds me of like the little mean our little emoji. So how do you make this easier for yourself? Because I feel like I just dumped a whole bunch of data on
you, and it's all very big, it's up to interpretation, because each business is different, you guys have different needs for your vendors. Um, so how do you make it easy for yourself? Well, you can do that, but you gotta use automation. So that means that you have to already kind of know what you want to do with your vendor risk management program. It's not something... actually, I'm sure you probably could just kind of whip it together, but I would highly advise you kind of have some sort of framework in place, like you have some sort of idea of what you want to do and how you want to move, because automation, it's gonna be difficult.
You're gonna test it and try to figure out what works for the business, because you always have to work with the business, and you don't want to make it difficult for them, because then they're not going to want to do it. So the way I broke this out was there's two aspects that you could use for automation. Most of the time, people, you know, when you say automation, everybody automatically thinks house or something like that. I did not go with that, though. I went with operating system tools. I wanted to give you guys the capability to build an automation with what you have readily available. I'm really mindful that not every organization gives security a lot of money or
third-party risk a lot of money, so we have to be creative. We have to use spreadsheets, use Outlook, we have to use whatever we have on our computer to manage this, research tools, whatever it may be. So I have some on here, you can or cannot use them, without a word, Outlook, PowerShell, whatever you want to use. The world is your oyster. But it all starts with the idea. So you'll see I have a very, very poorly drawn diagram up here, because I started thinking of automation. I was lucky enough to have a SaaS, and I kind of was able to build it from scratch. And so when I started thinking about how would I make automation with stuff that I have
available to me, I had to draw it out, had to think about it, what I would be telling you guys and what I would propose. So you need to know scoping. You need to give the business a way to enter the form that you want, tell you what kind of data will be transmitted, whether the vendor will store, transmit, process, all those details that I mentioned before. You need to provide them with a way to give you that information, but then you need to receive that information in security. So how are you gonna get that? And once you have that information, how are you gonna get it to the vendor? How are you gonna get the
assessment to them? That needs to be thought about. Next, how are you gonna get it back from the vendor? How are you gonna take those assessments and review it and look at the findings? And then finally, what are you gonna do with the results? So all those kind of key points that I talked to, and obviously you can tailor it to your organization depending on what you want to see, but this is kind of like, kind of get it thinking, like, what are you gonna do? Like I said, it all starts with an idea. That was not the first revision; it was multiple revisions of that. Okay, so now I'm gonna pull up a demo that
hopefully works. Okay.
Are you guys familiar with Teams at all? Microsoft Teams? I love Teams. My company right now uses it. We have Teams so locked down. Super collaborative, lots of functionality. So organizations tend to go between Teams and Slack or whatever it may be, but for the purposes of this demo I use Teams. Now I'm going to pause it real quick. I did create this in SharePoint too, um, just to show you that you could use SharePoint or you could use Teams, whatever you want. You'll see that I had built a form in here so someone can easily access it. When we go back to Teams... so we're gonna look at that form in a
little more depth.
Okay, now, our Teams. I built this so anybody in my company could go to this form and start answering questions. So that first question, who is responsible for the relationship with the vendor, I just put myself. And who is the vendor? I love The Office; in fact I just went and watched The Office musical because I love it that much. So the business organization responsible is Dunder Mifflin, and the person completing the assessment will be myself. Please explain the scope of services the vendor's providing: now that would be more elaborate than "stuff", but you guys get the point. Now, will the vendor store, transmit and/or process data outside the company? I mark yes, and I start answering these
other questions. I'm going a little quick, but they're all the same questions that I pointed out to you in scoping: will they have remote access, will they be providing software as a service. And also what I'm noting, you guys, you see a little thing after it? Yeah, I made those required questions. So the business goes in there, they can't answer these questions or they can't submit the form without answering the questions. Those questions are a must to be able to evaluate the vendor. And then I'm gonna hit submit. Simple enough; gives them an easy way to let you know there's a vendor that you need to evaluate. Um, it didn't seem overly complicated, which was my goal. I
didn't want to frustrate the business or make it difficult for them to actually do this work. I want to make it like, oh, those questions were easy to answer, I won't mind doing it the next time I have a vendor. So now I will get that response to my email up in our handy little form. It just says, you know, you have a new scoping form, and you could click on it to view the results. So you'll see right here I'm clicking on it. It took me 42 seconds to answer that. Hopefully it's the person that really does Caesar it takes a little bit longer, but it will show you all the statistics as they relate to that question. Now for
the purposes of this demo I will open it up in Excel, because I'm gonna use macros in Excel to make my life a little bit easier with the automation. Okay, so this is the data that's all pulled out. Now what I'm going to show you is that I've built these forms, and essentially it's the same form that you just saw, but I'm putting it all in one centralized location. So you'll see that, you know, this vendor has all their data in there, and I apologize, this is my BSides Cleveland vendor because I did not update this video after I presented there. Sorry, I would have made you guys a custom one, but time got away from me. I
have a questionnaire in here, and I go through the different categories. Like I said before, the control references come straight from the NIST Cybersecurity Framework. That's what's really nice about that framework, is they tell you all the controls right there and what they point to in relation to your question. So if anybody gives you issues about it, well, it could be you to say it's industry best practice, those are the tools. You'll see that responses are blank; those will be populated. And there is my risk scoring. My, your scoring, um, that's based on your organization, so very highs are twenty, highs are ten, whatever you deem them to be. And next you'll see this is my scorecard.
It's completely blank because we have not yet answered anything. So what I'm gonna do now is I'm going to use a macro to import this data in my centralized repository. So it's blank; I'm going to just pull all the data, and that is the vendor contact information. We will need that. So now what we're gonna do is email the vendor, um, the risk assessment. And what I also did, if you are sending out a lot of emails, you probably have your canned "can you answer this, can you do this". Within Outlook you can create a macro that pulls up the email, the template with the attachment. All you got to do is throw the email
that you want it to go to. So if you're sending a lot of emails and you're just constantly copy and pasting, you can use this as a method to kind of make your life easier. So I have myself automatically CC'd, but you could CC the security group, whoever you want. Um, you'll see it has an attachment already in there, and all I gotta do is send. This will come to me, because obviously I'm just answering all the questions and I'm doing the whole demo. It will take a minute to pop up. So now I'm going to open it up. I am pretending to be the vendor,
and they do have to make it bigger for you because you cannot read little tiny ant font. Even... don't mind my little blackouts; there was some data there that you should not see. You can name it whatever you want; the vendor is gonna name it whatever they want. Now we're going to go through the questions: does your company have a vulnerability management program? Does your company have a patch program in place? Does your company maintain an asset inventory? All the questions that we normally hear, that we're accustomed to seeing on a risk assessment. Nothing too special, but I will note, do you guys recall me saying provide them a little more information so they can answer this?
I provide additional information so if they are unsure what you're getting at what it means it's just a little blurb that they can read in the past when I built this into a SAS what I did was have a little information bubble so if they cursed over it then they could see the information and it all wasn't in their face but I figured this was a good alternative
do they have flow diagrams also another really important one do they have an information security policy a lot of companies do not surprisingly all right so now I'm gonna go through the responses I'm gonna answer them just like the vendor would hopefully your vendor provides a response to the stuff that they marked no so that way you have a good idea of what they're doing if not you'll just have to communicate with them I am going to skip that because I think you guys understand okay so now I am going to email the vendor or I'm sorry email myself at the risk assessment questionnaire you can also use macros to pull out that assessment and put it into a folder that you want
to store it in so it's really important that we're keeping all these things in one central location so it's easier to deal with so now you can click on the attachment save it or whatever but you still have to take all the steps to do it
what I'm going to do is just hit this save macro save attachment macro that I've created and now that attachment goes to the place that I've stored it and I can still open it from that location all right so now I have their responses what am I gonna do now well I'm gonna put it back into my little central repository that I want for that vendor so that way if I ever have any questions about the one particular vendor I can pull their data
all right now right here you'll see that I automatically did the scoring so the logic was built in that if they answer yes they got zero points but if they had no they got the points associated with that risk score so now they have a total of 11 depending on your organization that may be okay again it goes back to whatever you guys decide or works best for you now here it populated my scorecard it gave them a risk grade of medium and I also want to pull in those identified risks so like I mentioned before we want to make sure the business understands what all those risks are or at least they know of them so this is a
very like very very toned down version of a scorecard but it gives you the general idea of what you can do so now what I'm also gonna do is just make it into a PDF and um when I clicked on that macro up there it saved it to a PDF to my desktop so now I have it ready to give to whoever now granted if you were doing these on a one-by-one basis creating that PDF probably would be super easy but I'm talking about you're doing like 30 assessments a day you're doing like you're looking at a whole lot of them what are these little tiny things that we can do just to minimize the impact to your day and kind of make
your day your life a little bit easier so but you'll see right here before I paused it you'll see now that that PDF is already on my desktop I'll click it open and it'll be the same data that was just on the scorecard in the spreadsheet and not very pretty and that is that oh well thank you thank you so much all right let me get this down again because there's still more to my presentation all right so the demo really like very very basic stuff what I'm trying to get at though is you could be really creative of what you have and make something that works for you um make your life a little bit easier you
know work on it an hour a day till you figure out what works all right does anybody have any questions about third party risk management because I'm gonna flip to the other side I'm going to talk about the people that you're assessing or if you're one of the people being assessed a lot so any questions on third party yeah all right so reverse third party risk management um my boss and I came up with this title because we couldn't quite figure out what to call it now everybody's always so concerned about assessing their third parties which you should be you should be very concerned about that but what about the flipside what about the people that are
constantly being assessed because now they're getting bogged down with a lot of questionnaires and that they really want to try to get them answered it's just I don't know how to manage them so this question always comes up and I never have a good answer I'm sorry I apologize now but the purpose of reverse third party management is to reduce the burden of inbound questionnaires so they don't want to just not answer them they still want to answer them but how do they reduce that burden so they can answer those questions in an appropriate time frame because you guys don't want to be waiting two weeks and they don't want to be sitting on it forever
next you want to they want to minimize their response time so again they don't want to be sitting on it for weeks because they realize if they sit on it a long time that could be impacting the business moving forward with that relationship and so if you are in a position where you need to put in third party risk management reverse third party risk management you should build it in conjunction with your current governance documents so that way when you get the questions in you can start aligning to what you already do now there are some frameworks or I'm sorry industries or HITRUST let me just use that example HITRUST recently hospitals that have HITRUST certification
are pushing for their third parties to get that kind of makes it a little bit easier because now okay we're all in the same playing field we all know that we need to get HITRUST now granted HITRUST is a beast and there are so many things they have to deal with in it but now your third parties know what they need to do and there's no question around it they just have to get certified it's in my pain but it I mean it kind of makes life a little bit easier because right now your third parties are getting questionnaires from 50 different people and they're trying to answer them all and it's difficult unfortunately on
their side they haven't quite grasped the concept that they need a third party management office if you're offering services to somebody you need to make sure that you're ready to answer those questions when they come in on how you're going to protect the data so third party risk management people have those questions through that in here so hopefully if anybody in the audience is in that sort of position then maybe we could talk about it a little bit more if not then it's all good and now the wrap-up you can reach me at any of these I don't really use the Twitter a whole lot I do have a handle though because you should have that in
security apparently I don't like the interwebs apparently I have LinkedIn and I have email which I always answer because I do use my email unfortunately for work oh yeah I hope you guys leave a little more aware about what third-party risk is and how you should be managing it and hopefully I'm able to answer any questions that you may have it's all subjective when you think about what your organization needs so um if I help you think about it a little bit then I did my job alright thank you guys [Applause]