
The Overlooked Security Risk: 3rd Party Risk Management

BSides Vancouver · 2021 · 50:32 · 71 views · Published 2021-06 · Watch on YouTube
About this talk
Third-party vendors represent a critical but often overlooked security risk to organizations. Rose explores the lifecycle of third-party risk management, from initial scoping and vendor assessment questionnaires through risk scoring and ongoing monitoring. The talk demonstrates practical approaches to building a mature vendor risk program, including automation techniques using readily available tools like Microsoft Teams and Excel for organizations without budget for dedicated GRC platforms.
Original YouTube description
BSides Vancouver 2021. An entire business can be put at risk with the simple click of a button. Speed is often considered the priority when an organization realizes a third party can offer value through increased sales, increased throughput or decreased operational expense. However, the failure to properly vet your third-party relationships can have serious consequences for your business and your customers. Establishing a mature third-party information risk assessment process is neither easy nor a one-time event. This program uses a combination of effective policies and procedures, IT security control frameworks as part of the vendor risk assessment questionnaire, a vendor management platform, automation, risk scoring, and working with business partners to facilitate an understanding of risks. This presentation will cover a more thorough examination of the lifecycle of a 3rd party vendor, with the focus on cyber security. We will also take a look at automating workflows utilizing tools readily available when there is not a budget for a SaaS.
Transcript (en)

Hi everybody, welcome to my presentation on the overlooked security risk: third-party risk management. This topic is particularly near and dear to my heart. I've actually given this talk quite a few times on third-party risk management, being in the field that I work in, which is governance, risk and compliance. One of the things I see that organizations always overlook is third-party risk, and a couple of years ago it was getting pretty bad; we were seeing a lot of breaches due to third parties and their lack of response or lack of security controls within their environment. Recently, within the past year or so, we've seen an uptick in companies taking third-party risk management more seriously, especially after seeing huge things like SolarWinds happen. It really brings home the seriousness of assessing their third parties, especially if something has happened to them and they have compromised your data in any way, or caused you not to have availability within your environment, or anything that may impact you due to a third party not having the correct things in place.

So this presentation is going to take you through the whole life cycle: what third-party risk management should look like and how you can implement it at your organization. Then it will take a step further: here are all the things that we need to do for our program, but how can we automate it so that we are having less and less impact on the people performing these processes? Any time we have a new control, a new expectation of us within security, we tend to know it's going to take a lot of steps, it's going to be manual, we're going to have to devote time away from all that other work. So where can we implement the controls and have a secure environment, or assess our third parties and make sure they're doing the things that they need to, but also minimize impact to our teams by building in automation where automation can be built in? And that's not to say that you need a tool, some fancy GRC tool or something like that. Automation can absolutely be built with tools that you may have in your environment today. I have a demo a little bit later in this presentation where I'll take you through how I implemented automation within third-party risk management using tools that I have available to me. I've implemented third-party risk management leveraging a custom-built platform that was designed for a particular organization, and I have designed programs that are entirely manual, or that are reaching the next step of maturity, which is automation, but maybe they don't have the funds to purchase the tools. So we'll dig into that as part of the

presentation today. First off, a little bit about me. My name is Rose. I currently live in Pittsburgh. I have two kids, one's eleven and one's nine. We love living in the Pittsburgh area. We've lived all over the place: we've lived in San Diego, California; we lived in Hawaii; Mississippi, which is where I grew up; so a lot of different areas all over the United States. This is the reason I do the things that I do, and my kids have started to get more and more interested in cybersecurity, to the point that my son, who's 11, has started reading my Security+ books, which is great. That's what I want to hear; I want to hear them wanting to be interested in security.

On the professional side, though, I work in governance, risk and compliance. I am a consultant, so what I do is work with organizations that maybe don't have any security posture, or they're maturing their programs, or they're doing stuff that they need compliance help with; they need to understand where their gaps are and things like that. My role is to come in within the governance, risk and compliance realm and either give them advice on how they should do things or help them implement these items. I also have a master's in cybersecurity and information assurance and a bachelor's in advanced networking. I've been in security for quite some time now, roughly eight to nine years, and a lot of years in technology. I joined the United States Navy when I was 18 and immediately was in information technology, and by the time I got out I was in network engineering. Once I got out I navigated really to the security side and how to secure environments. A lot of my experience goes over retail, higher education, government; the big one, though, for me is health care, so dealing a lot with protected health information and the HIPAA Security Rule. All right.

What are third parties? Why are we talking about them? Why are they concerning? Third parties, they're everywhere. There's probably not an organization in the entire world at this point that does not use third parties in some capacity, whether they're providing your infrastructure, whether you're using their online tools, whether you're asking for their help, like a consultant. So third parties have become really ingrained into how a business tends to operate, especially when businesses are trying to offset cost: should we do it internally or should we do it outsourced, will it be cheaper outsourced? A lot of times the answer is yes, it will be cheaper outsourced, but there are some risks that you have to assess there. For the return on investment of outsourcing, are you trading that for risk to your data or your environment? Organizations will tend to look at the bottom line when it comes to third parties and want to have the most bang for their buck. What's not happening enough is: what are the risks associated with working with these third parties, and are we communicating them sufficiently? Our role in security is making sure that we're being liaisons, or facilitating these conversations, so that they understand how important it is that we continue to assess these third parties and make sure that the business is doing things as securely as possible, especially if any of that data is being transferred out of your control.

So third-party risk management: essentially this program is going to use a due diligence process to assess the controls that a vendor has in place. What you're looking at is the confidentiality, integrity and availability of data or their environment. You want to understand what they are doing within their environment and what they are not doing; more importantly, what are they not doing, right? You want to know what these things are that they maybe aren't doing: maybe they aren't doing pen tests, maybe they don't have vulnerability scanning going on, maybe they don't do risk management. What are all these things that we care about as an org? Some things your organization may not care about; they may not care that a third party doesn't have governance in place, but they're sure going to care that they don't have vulnerability management in place. So it's all about assessing those vendors and doing the due diligence, which we'll touch on as part of this presentation. Like I mentioned just a couple of minutes ago, we're really facilitating these conversations with the business. Ultimately we want to make sure that the business is making risk-aware decisions when it comes to working with those third parties or those vendors. Us doing our job is making sure that they understand why they should not work with vendors and, if they decide to work with the vendor, having them do a risk acceptance form and making sure that someone owns that risk, because it sure isn't security. Security shouldn't be owning these risks; security should be putting those risks on the business, when the business is supposed to own them. So TPRM: you use it to assess your third parties that are providing your organization with services, whatever they may be doing. If they're going to remote into your environment, if they're going to have access to your data, if they're going to store your data within their environment, you absolutely want to be assessing them. So, the vendor life cycle: I have it highlighted here on the screen.

When I initially got into doing third-party risk management, which was several years ago, probably around 2018, one of the things that was highly frustrating to me was that I needed to establish a program but I couldn't find really good information on it. I knew, okay, I need to do risk assessments on these vendors, but I didn't know what the flow should look like, what the things are that we should do within this life cycle. So I went on a trial by fire, if you will, where I figured out, okay, these are all the things that should be happening within my program. At the time I was just a normal employee at a company; it wasn't until a year later that I went to be a consultant, and so I took this knowledge and started applying it at other companies.

Your vendor life cycle is, from the onset, what happens to your vendor while it's going through these processes. The very first part of the life cycle is your governance: policy, standard and procedure around your program, around your vendors, around the things that you do. That governance is going to stabilize your program and make sure that the entire organization understands the expectations. A lot of times, if you don't have the governance established, it's going to be very difficult for you to get the employees to adhere to the processes that you want to have established, because they don't have anything to point to. They don't know, like, oh, okay, the policy says that all critical vendors must get a risk assessment; well, you don't have that policy available to them, so it's harder for them to adhere to these things that we're asking them to do.

Next is planning. Once you have your governance in place and you get it out to the workforce and they're trained on it, at one point your workforce will decide, okay, I need to bring a vendor in, and this is where they start planning. They're doing requests for proposals and detailing out the criteria and expectations of the vendors and all these other things. Normally security isn't overly involved in this. I will say, though, if you can integrate yourself into the planning phase, when they're trying to figure out the requests for purchases and all those other things, developing a red flag checklist or facilitating conversations at this point will greatly reduce the chances of you getting a vendor that really is not good to work with, before you do all the things that we're going to talk about here in a second within due diligence. So during the planning phase you can develop something for your procurement team, or whoever may assist with bringing vendors into the company, and say: what are these things that are super concerning to us in security? Have they had a breach? Will they have super critical data? Will they need remote access into the environment? Will they sign an information security agreement or a contract? Have some red flag questions, so that whenever procurement starts working with these vendors and the vendor's like, oh, we're not going to sign your agreement, or yep, we did have a breach, or these other things, okay, well, now, before you start to do your due diligence, you can say, hey guys, let's take a second: should we really be working with this vendor, or is there another one that possibly has the services that you want to use? So you could use the planning phase for that if you'd like.

Additionally we have due diligence. I'm not going to touch on due diligence too much here; we're going to cover that in detail through each of the parts. Next we have contract negotiation. Once you do your due diligence (due diligence should happen before contracting), contract negotiation is going to happen: signing master service agreements, signing non-disclosure agreements, signing information security agreements or some agreement that covers security controls are going to be contained within contract negotiation. The reason you want to stage due diligence before that is that your legal team, or whoever is facilitating the contracting process, needs to know what risk came out of the due diligence, so that we can try to address them during the contracting phase. So maybe the vendor, like I said, doesn't do vulnerability management and you find out during due diligence; during contract negotiation you may be able to build into the contract that it is a requirement that they put in vulnerability management within nine months or whatever parameters you want to establish around it. It's entirely up to the organization if you want to pursue that route, but it's definitely a route that you can take to get the things in place that you want or expect from these vendors.

Next we have ongoing monitoring. Ongoing monitoring is the annual recycle of assessing the vendor and their due diligence controls. Based on the criticality of the vendor you may assess them on certain cadences: you may decide that you're going to assess them once a year, or if they are a low-rated vendor you may do it every two years, whatever your parameters are, which are established in your governance. You'll continue to monitor them, and once you do that it's like a little mini due diligence: you do the risk assessments again, you review their independent attestations, whatever they have, and you report those findings to the vendor owner and likely someone in security that's above you, so they're aware that these findings came up. This will also allow you to figure out, all right, that same vendor that didn't have vulnerability management in place, did they implement it? You can find out during your ongoing maintenance.

And then finally you have termination. At some point you're likely going to stop working with a vendor. Termination should include: did they have access to data? Do they have access to, or did they store, data in their environment? Are they providing a certificate of destruction? If they had access to our accounts, are we de-provisioning their accounts and removing their access? And all these other things that go with terminating or ending that relationship with them. You want to make sure they don't have any of your data, unless there are legal or compliance requirements stating that they have to keep it for a particular duration, and you want to remove their access and make sure that they don't have access anywhere that they shouldn't. So that's the vendor life cycle, and that's what it looks like. Next we're going to dig into the due diligence part and talk about all the different steps that are included in there. You have one giant life cycle, but then you have some mini steps that occur within due diligence.

Okay, so the scope. Ideally, whenever you go to assess these vendors, you want to know the scope of what they're doing. This is going to better facilitate the process whenever you're trying to assess the risk associated with this vendor. You want to know data classification. Data classification is entirely up to you as an organization; you may rate the vendors using public, confidential and something else, you may say regulated; it just depends on what your organization has set up. Normally these classifications will identify what types of data they may have and whether or not they'll have impact to business continuity, so let's say the vendor may pose availability risk or things like that. You'll want to look at data classification and make sure it pairs up with your vendors and how you tier them. You'll also want to know if this vendor is going to store, transmit or process data. Any time that data is leaving your control, you want to do anything and everything possible to make sure that you know that data is being handled with the utmost care, with all the expectations happening. You also want to know if they need remote access into your environment: are we provisioning them an account, are we going to make sure we include them as part of access reviews, what are they going to have access to within our environment, and things like that. So remote access is really important to make sure that we understand as we assess these vendors. Next we'll also look at whether they provide software as a service. A lot of times with software as a service you won't be able to modify those controls, or there are things that will be out of your control, so assessing that and figuring out how we better protect that data will be one of the scoping items that we take care of. Additionally, with SaaS you'll want to make sure that there are certain things configured as part of the risk assessment that you're addressing.

Once the scoping is done (it can be done via a form that someone within the organization, normally the vendor owner, will fill out), you move into the risk assessment. Again, you're assessing the overall security posture of this company. You use standard questionnaires. Some organizations will use questionnaires that you can purchase online; I think there are a few floating out there, Shared Information Gathering or something or other. You can also build it yourself, so if your organization has particular concerns that you care about, you may opt to build it yourself. There are expectations that you have within these questionnaires to make sure you address all the controls, and I think we will touch on that on the next slide, on how you capture all these different areas. You can also use certain artifacts to be able to validate their responses. You can use independent certifications or reports: ISO 27001, you could get a SOC report, you could get an attestation of compliance, any independent type of report that's going to say, yep, they have these controls in place, we tested these criteria, we got these results, and so now you have an independent party verifying that they in fact did this. You can also do artifact reviews; that's entirely up to you. Now, if you are trying to streamline your process and make it as painless as possible, you may not necessarily want to do a lot of artifact reviews. This needs to be decided as an organization, where you decide if that is something that you want to pursue. Artifact reviews will typically be a lot of governance or other artifacts that the vendor is willing to provide. I personally have seen a lot of governance, and I'm okay with getting the governance, but you don't want to hit the slippery slope of having the vendors provide their confidential or proprietary data, because then you're in a position of making sure that you protect it. So take that with a grain of salt and figure out what you would like to see from your third parties to be able to figure out whether or not they're secure. And then you can also do on-site audits. I personally have never experienced doing an on-site audit of a third party to assess their controls; I have come in contact with people that have done that. That can get really pricey, or you can build it into the contract that you have with the third party that they are to provide support for the on-site audits. Again, if you're trying to streamline your processes and make them as painless as possible, that might not be the most viable path. The best path is likely using those independent certifications: they've already done all the hard work for you, they've already tested everything, you just have to validate it, read it, compare it against the questionnaire that they likely provided, and then summarize the results.

The last thing here is you want to do a consistent analysis by using risk scoring. What I mean here is that each question receives its own score based on the criticality of the vendor. So let's say you have three tiers of vendor: high, moderate and low, and those tiers are based on data classification and what the vendor has access to. You may want to establish risk scoring on those different tiers, or you may say all vendors are created equal and you just have the same risk scoring for each of them; that really depends on the level of granularity that your organization wants. Just make sure you have risk scoring; it's going to make your life a lot easier, especially as you go to do your analysis and you're summarizing those findings. You can say, this is a moderate rating because of fill-in-the-blank, whatever that is; this is a critical finding because they don't have vulnerability management in place; and you can summarize those results better with that risk scoring.

With the risk assessment, you want to target certain areas. If you're going to do a risk assessment, you want to make sure that you are assessing everything that you possibly can in one big swoop. You don't want to have to go back to these vendors and ask for more information because your questionnaires weren't built right from the onset. So you want to have governance, risk management, asset management, identity and access management, threat and vulnerability management, situational awareness and information sharing, incident response and recovery, vendor risk management, workforce management, and data protection. Those are 10 different areas; you want to have some variation of those different areas within your questionnaire. That is going to give you a holistic view into your third parties and how they're managing their program, how they have their security program set up: are they managing risk within a program, are their assets being tracked through their life cycle, do they have owners assigned to them, for access management are they adhering to the principle of least privilege and making sure that a lot of people don't have access to things that they shouldn't? All of these areas are going to be super critical that you're assessing with these vendors. Additionally, you could also use the NIST Cybersecurity Framework as a way to build out your questionnaire. If you are building your questionnaire completely from scratch, you can use that framework in order to build out the type of questions that you want to ask of your third parties. It has five different areas in it, and the five different areas cover the 10 functional areas that I just mentioned on this slide. Doing a quick Google search will likely return a lot of good results on developing these questionnaires and making sure that you have it built out correctly. Now, once you get these questionnaires built out, or just one questionnaire, you'll want to make sure that you have review and approval of the questionnaire before you start pushing it out to the vendors: making sure your chief information security officer has reviewed it and said, yes, this questionnaire is good to review, or someone else within the business, just to make sure that the questionnaire is in alignment with the things that you want to be assessing of these third parties.

So you receive the questionnaire back and you do your analysis. Sometimes you won't have any findings. I won't say it's rare; nowadays there are a lot of companies that are doing the right things. I will say, though, it's like half and half: you're going to have vendors that are going to have findings, they may have a little bit, they may have a lot, and you're going to have vendors that don't have any findings, and those are going to be the really breezy ones where you're not going to have to sit and type up a bunch of things; you're just going to be able to say they don't have any findings. Now, for the vendors that do have findings, you're going to need to do an analysis of them, and this is where the risk scoring comes into play: of the things that you found within their environment, what are the ratings for them, what's the risk associated with that finding, and communicating that to the business. When we get into the demo here in a couple of minutes you'll be able to see that, using Excel, you can build in auto-scoring. You set up those risk scores and you say, all right, anything that is lower than a 10, or whatever number that you come up with, is acceptable, and so if you have buy-in from your organization that says we don't care what the findings are, if they score acceptable based on our risk scoring we're not going to do any further analysis of them, they're going to be automatically approved to move through the process. Now, that is entirely up to your organization and how they want to assess these vendors. I will say, though, if you are an organization setting up third-party risk management for the first time, I would not advise this; I would not do this with programs that you're standing up for the first time. I like to think of it as a house: you have to build the foundation, which is sometimes a lot of manual processes, and then you can start building the rest of the house. You want to make sure that you have everything set up from the onset and that you know that your program's operating effectively. Now, I'm not saying that it can't be done; I'm just saying that sometimes you may not want to take that route until you know that your program is operating the way that you want it to.

So once you have items found, you can sometimes get the vendors to remediate, depending on how much you want to push on that. An organization may opt not to push on vendors remediating and rather document it through a risk acceptance form. It really comes down to what the finding is and how risky that is to your organization. If it's a low risk, you're not going to do anything about that. If it's a critical risk, again, they don't have vulnerability management in place, then your organization may be more inclined to push on their remediation. That's just going to have to have some dialogue that happens within the business to figure out if that's an acceptable path to take. Findings that cannot be remediated, whether you decided to push forward or not, should be documented. Using a consistent form is going to be your best friend. You want to have this form be the same every time, because you're going to have a lot of the same risks: a lot of organizations are going to have, fill in the blank, they're not going to have vulnerability management in place, or they're not going to have certain components of a program in place. You'll want to make sure that you can keep these forms as consistent as possible; it will make your life easier, especially if your organization is processing a lot of vendors. Your risk acceptance form should include all the scoping information that you can, the risk level of the vendor, the risk that you found, who the vendor owner is, a business justification of why you're working with this vendor even though it's risky; all that information that you want to have on either a single piece of paper or two pieces of paper to document that particular risk.

And then all of the risks should roll up to enterprise risk management, so you can track them. That way you can start to understand how your risk tolerance associated with vendors is being addressed through the entire org. You can also see, if you do it that way, where certain business units have the most risk associated with them from working with vendors. Let's say you have three business units: legal, human resources and technology. In enterprise risk management they see all the risks through the entire organization, and they say, wow, technology, you have a lot of risk associated with vendors, what are you doing about this? Your group is posing the most risk to the organization by the third parties that you use. So it allows you to get that holistic, high-level view of the groups that are using too many vendors and posing a lot of risk to the organization. It may also push for additional conversation, where you say, why aren't we doing this in-house? Because when you have these one-off instances of using a vendor happening, and they're so spread apart, it's hard to see that top-level view of the risk being posed to the organization. Within enterprise risk management you'll be able to see, oh man, technology, they have a critical scoring and risk because they use all these vendors. So it's a good way to communicate that to management as well.

All right, so last, you can do a scorecard. A scorecard is a consistent report deliverable. It is not a must of your program; in fact, the only real musts of your program are that you scope, you do the risk assessment and you do a risk acceptance form. A scorecard is not a requirement; it's a nice perk, though, for your vendor owners to be able to understand how their vendors are doing within the environment. So you want to have a consistent report deliverable, you want to communicate the key components of the risk associated with that vendor even if they are an acceptable vendor, and indicate their overall score. Your organization may rate them, give them a good rating, I don't know, whatever parameters you want to say; like, all right, acceptable vendors that scored below 10 get an A plus, and that way the vendor owner understands, A plus, oh, that means they did really well. Put it in a way that they can consume it and do something with the information. The scorecard will also indicate any need for a risk acceptance form. You can have it all summarized on this nice piece of paper that says, hey vendor owner, these are the risks, you have a risk form associated with this vendor, this is their current scoring, and it gives them all that information on a pretty page.

So that's the last part of the due diligence life cycle. Like I said, you have the vendor life cycle, that circle, and we have the due diligence component of it. The due diligence component, as you see, has multiple steps within it, and this process can get quite complicated the larger and bigger your organization gets, because you have all these different pieces working within this vendor life cycle. I have seen a lot of vendors slip through the cracks because communication wasn't happening, people weren't getting the right training, governance wasn't in place to govern your program. So all of these things are really going to play

a key role in developing this program so that it works in the way that you need it to, the way that you need to understand the risk associated with these third parties or vendors. But now, what do I do to make this easier for myself? All I've been saying this entire presentation is, "Oh my gosh, there are so many things that I have to do, so many things I need to do to make sure my organization stays secure." But how do I make it easier for myself? Because Rose just killed me with all these different things I need to do, all these steps I need to take into consideration, and it does not sound easy, right?

It sounds kind of painful when you look at all these different steps and all these different things that we need to do. And, I mean, being quite frank with you, it is painful. It's hard to stand up these programs that are highly driven off compliance requirements and other expectations. It can get quite complicated, and that's why you have to break it down into these individual pieces to understand how they play a part within your organization. So there's a way to make it easier for yourself, and it is automation. Now, when I say automation, you either run for the hills or you're like, "Yes, let me hear all the things about automation." Now, the thing about automation is, a lot of times when you say that word, people will tend to think, "Oh man, I'm going to need a tool, I'm going to need to spend all these man-hours trying to figure out how to operate this tool and continue to run it within our environment, we don't have any budget for it," and all these other things. Well, I'm here to tell you, you do not need a tool. Yes, it would make your life significantly easier if you had a tool: the tool can be your alerting, it can have automated flows to do all these things, there are a lot of great things that come associated with a tool. Now, we don't have a tool. The point of this

demo was to look at tools that we have readily available to us. So, operating system tools: we have PowerShell, we have Outlook, we have Word, we have Excel. You may have other tools within your environment that your organization has already purchased that you're able to leverage. Maybe you have Jira, maybe you have other tools like that, that you could possibly leverage in order to be able to automate your processes. So, automation: when you're being creative, it all starts with an idea. In order to get to the point that I was going to be able to build automation, it all started with an idea: what are the things that are constants in the program, and how can I automate that? So, I know I need a form, I know I need an email, I know I need to get the email back, and I need to review the findings, and I need to send something to the business. So all of these steps are constants within my program that I know I'm going to need to have there. And so my idea started on a whiteboard, and if you work in technology or any sort of space like that, your ideas almost always generate off of a whiteboard, except times like now when we're at home. I don't have a whiteboard; I have a cat, and he sure isn't going to help me figure out these ideas. So you have to be creative with your solution, you have to think outside the box and do all these other things to make your program the best that you can get it. So with that, we're going to jump into the demo.

All right, so I have a demo here for you guys. The tool that I decided to leverage was Microsoft Teams. I built a channel in there that could highlight third-party risk management, so: could I create a central spot for all of our employees to go to when they need to onboard a vendor? And I thought, Teams is awesome, it's the best thing that we could probably use, and a lot of

organizations have been transitioning over to leveraging Teams. Within Teams you can also create a SharePoint. For the purposes of the presentation I did not do a SharePoint today; I just pointed that out, that you have that option if you so choose. So we're going to go back to Teams here, and we're going to look at how I set up third-party risk management within here, and you'll see that I set up the scoping form. If you recall, that very first step that I had mentioned was scoping: what are the things that you need to know to be able to assess this vendor and do it right? So you have the vendor scoping form.

The vendor scoping form identifies who's the vendor owner, who we're contacting, the contact's email so we can email them, the scope of services that they're providing (and in this case they're providing "stuff," which wasn't overly expressive, I know), will they store, transmit, or process data, what kind of classification of data will they have access to, how we're transmitting it, all of those basic scoping questions that you're going to want to understand for your vendor. We'll do that as part of the scoping form. So we'll hit submit, and when you hit submit, what it will do is send it to your email. So whoever you have that form set up to go to, maybe it's a GRC team, maybe it's security, whoever it is, you'll have it come into your inbox. So right away you get a notification: "Hey, we have this vendor that we need to process." It gives you all the information right there, so all you've got to do is click into the form. You'll be able to see all the analytics associated with it and be able to, at a quick glance, see what this vendor's about. What I'm going to do is pull it down to Excel, and the reason I'm doing this is a lot of my automation was built into Excel, just because I thought it would be easier to use the risk scoring in that way. So whenever you pull down your scoping

information, it pulls it down in that Excel spreadsheet that we'll go back to here in a second. So, third-party scoping details: I wanted to pull those in. I think it may be a little bit hard to see on the screen, but this Excel spreadsheet has vendor scoping, a questionnaire, it has the scorecard, all of these different things that I want to keep in one central spot for our vendors. I wanted to do this intentionally because I don't like clicking 50 million different spots to try to find information about a vendor. I want to be able to go to one spot and get all the information that I need about that vendor. And when you work in the GRC space, what you'll see a lot is you get a lot of artifacts; you have a lot of pieces of information floating around everywhere. So the path of least resistance was putting it all in one document, so that way I have a central repository for that particular vendor. So we'll continue to fill out the spreadsheet. Right now I have a bunch of errors in this document; those will get fixed here in a second. We have an assessment, so you will see this again. The assessment has control references, the questions, the risk associated with the vendor. To make my life easier (again, I'm really about making my life easier here), can I have the risk already populated in here so that it just pulls from somewhere else? Can I have the risk scoring? Can I auto-score? Can I do all these things? Can I make my life easier through automation in this tool? And the answer is yes, you can make your life easier. It just takes a little upfront work; you have to be willing to put in that time, but the time is worth the return on investment of minimizing it each and every time that you're assessing these vendors. So what I'm going to do now is use Microsoft Forms to pull this information into the spreadsheet, so that way I have it in that central spot, and what I'm going to do

is use macros in order to be able to do it. So I'm going to go back and go to the vendor scoping, and I'm going to use macros to pull that information in. So now I have all the things that I need to have: I have the vendor contact information, I have all the things. I'm going to be working with Dunder Mifflin to do this risk assessment, and we all know that Michael Scott does not know how to secure his company or run his company, so I'm kind of curious as to what kind of security issues will come back on their questionnaire. But you'll see here I used a macro to generate this email. What it did is it automatically pulled in the risk assessment questionnaire, it auto-populated with the information that I needed, and it auto-populated with the person or individual I wanted CC'd. The only thing I needed to do was put the vendor contact information in there. So now I will send it out, and the third party will get this information. Let's see, the third party gets the information, and they are going to complete the questionnaire. So let's fast forward just a little bit here. The vendor is going to review their questions: do you have vulnerability management, do you have a patch program in place, do you have asset management, do you maintain flow diagrams, do you have an information security policy, and do you understand all of your critical business functions? That's within the questionnaire. One other thing that I also like to do as part of my questionnaire, to facilitate it or make it a little bit easier on the third parties, is providing additional information. I am super mindful that the third parties that we're talking to, often it's just maybe an IT help desk person or a sales representative or someone that may not have a security background, and so the goal of additional information is: how can I better enable that business to return my questionnaire back to me? Because a lot of times what we'll

have is vendors not completing the questionnaire, or they linger on it for a really long time. So what are all the things that I can do to make my life easier, so I'm not emailing them a bunch of times and they're returning it quicker, and still hitting that path of least resistance to the thing that I want to get done, which is just assessing their risk? So we have that in here. Next we'll provide responses. I don't think we need to watch typing them in here, but you can see they're going to mark no on some things, and they're going to provide some responses, and then what they'll do is they will email it back to me.

So I'll email back, say, "Hey, here's my scores," and let's see, okay, there we go. So now I have received the questionnaire back. What you could do: you could save it to your desktop or wherever, or you could have a macro set up in Outlook to auto-download it for you into the repository that you want, taking a couple of additional steps out of it just to make it easier for you, and then it will auto pop up so that way you can pull the information in. So now what you want to do is make sure that the responses get into the questionnaire. Now, I'm going to put a disclaimer out here: this video that I recorded for automation, I recorded at the tail end of 2019, at the last conference that I actually gave on this topic. Now, since then, during 2020 and a little bit of 2021, I have since improved on this particular questionnaire, where it does not make sense to pull in the responses. Rose, what were you thinking? It makes no sense. So now what I have done is I've developed a brand new hidden sheet. Still the same premise here, that we have the risk scoring; however, the sheet is hidden and it's protected, so that way it's the same questionnaire being sent to the vendor, and when I receive it back I don't need to pull in their scores, I

don't need to do anything else, because the only thing I need to do is unhide the sheet, and it already tells me if their score is acceptable or not. So as you work on your automation, you're going to find where you're going to be able to improve, and you're going to think, "Man, that was definitely a first revision. Who made this for me? Here's the second version, let's streamline this to make it a little bit easier on ourselves." So we're going to pull this information in. You can use macros to do it, so anywhere possible, use macros; it will make your life easier. The scoring here: if they had a positive response, it is going to equal zero, meaning they don't need a score for it, or if they have a negative response it will generate a score, and it's going to give them an overall score. So here's the scorecard, just demonstrating the score pulled over: they have a medium. And then we're also going to pull in their identified risks, so what are the things that came out of the risk assessment that they are going to have associated with this vendor. So, fast-forwarding just a little bit (I think I moved a little too quick), what you can also do is you can PDF this document, so you'll see it pops out a PDF: here's all the things. The PDF just dumps to your desktop or
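The scoring rule just described (a positive answer scores zero, a negative answer adds a score, the scores add up to an overall score and a rating such as the "below 10 gets an A plus" example from the scorecard section), plus the per-group roll-up mentioned earlier for the holistic view of which business group carries the most third-party risk, as an added Python example. This is not the talk's Excel workbook or its macros: the control references, weights, rating bands, business groups and vendor answers are constructed for illustration, and treating an unanswered question as a negative response is a design choice of this example, not something the talk states.

```python
"""Questionnaire scoring, scorecard and per-group roll-up (added example, not the talk's workbook)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed questionnaire: (control reference, question, score added by a negative answer).
# The questions are the ones read out in the talk; references and weights are assumptions.
QUESTIONNAIRE = [
    ("VM-1", "Do you have vulnerability management?", 5),
    ("PM-1", "Do you have a patch program in place?", 4),
    ("AM-1", "Do you have asset management?", 2),
    ("NW-1", "Do you maintain flow diagrams?", 1),
    ("POL-1", "Do you have an information security policy?", 3),
    ("BCP-1", "Do you understand all of your critical business functions?", 3),
]

# Constructed rating bands: (exclusive upper bound, rating, risk level).
# "Below 10 gets an A plus" is the talk's example; the other bands are assumptions.
RATING_BANDS = [(10, "A+", "low"), (20, "B", "medium"), (float("inf"), "C", "high")]

# Constructed sample vendors: vendor -> (owning business group, questionnaire answers).
# Dunder Mifflin is the talk's example vendor; its group and answers are made up here.
# Vendor C leaves BCP-1 unanswered on purpose to show how a gap is handled.
SAMPLE_VENDORS = {
    "Dunder Mifflin": ("Technology", {"VM-1": "No", "PM-1": "No", "AM-1": "Yes",
                                      "NW-1": "No", "POL-1": "Yes", "BCP-1": "Yes"}),
    "Vendor B (constructed)": ("Finance", {ref: "Yes" for ref, _, _ in QUESTIONNAIRE}),
    "Vendor C (constructed)": ("Technology", {"VM-1": "Yes", "PM-1": "Yes", "AM-1": "Yes",
                                              "NW-1": "Yes", "POL-1": "No"}),
}


@dataclass
class Scorecard:
    vendor: str
    owner_group: str
    total: int
    rating: str
    risk_level: str
    needs_risk_acceptance: bool          # any vendor that is not "acceptable" needs the form
    identified_risks: List[str] = field(default_factory=list)


def score_questionnaire(responses: Dict[str, str]) -> Tuple[int, List[str]]:
    """Positive answer scores 0; negative answer adds the question's weight.
    An unanswered question is scored as negative (assumption of this example),
    so a skipped control is never silently treated as acceptable."""
    total, risks = 0, []
    for ref, question, weight in QUESTIONNAIRE:
        answer = str(responses.get(ref, "unanswered")).strip().lower()
        if answer in ("yes", "y", "true"):
            continue
        total += weight
        risks.append(f"{ref}: {question} -> {answer}")
    return total, risks


def rate(total: int) -> Tuple[str, str]:
    """Map an overall score to a rating and risk level using RATING_BANDS."""
    for upper, rating, level in RATING_BANDS:
        if total < upper:
            return rating, level
    return RATING_BANDS[-1][1], RATING_BANDS[-1][2]


def build_scorecard(vendor: str, owner_group: str, responses: Dict[str, str]) -> Scorecard:
    """The consistent deliverable: score, rating, whether a risk acceptance form is
    needed (anything not rated A+ here) and the identified risks for the vendor owner."""
    total, risks = score_questionnaire(responses)
    rating, level = rate(total)
    return Scorecard(vendor, owner_group, total, rating, level, rating != "A+", risks)


def score_all() -> List[Scorecard]:
    return [build_scorecard(v, group, answers) for v, (group, answers) in SAMPLE_VENDORS.items()]


def rollup_by_group(cards: List[Scorecard]) -> Dict[str, dict]:
    """Holistic view for management: per business group, vendor count, summed score
    and the worst risk level, so the group using the riskiest vendors stands out."""
    order = {"low": 0, "medium": 1, "high": 2}
    groups: Dict[str, dict] = {}
    for card in cards:
        g = groups.setdefault(card.owner_group, {"vendors": 0, "total_score": 0, "worst": "low"})
        g["vendors"] += 1
        g["total_score"] += card.total
        if order[card.risk_level] > order[g["worst"]]:
            g["worst"] = card.risk_level
    return groups


if __name__ == "__main__":
    cards = score_all()
    for c in cards:
        print(f"{c.vendor}: score {c.total}, rating {c.rating} ({c.risk_level}), "
              f"risk acceptance form needed: {c.needs_risk_acceptance}")
        for r in c.identified_risks:
            print("   -", r)
    for group, summary in rollup_by_group(cards).items():
        print(f"{group}: {summary}")
```

With the constructed answers, Dunder Mifflin scores 10 and lands in the medium band, matching the "they have a medium" result shown in the demo, and the Technology group shows up as the group carrying the most third-party risk. Swapping the weights, bands or the unanswered-question policy changes only the constants at the top, which is the same "put the risk scoring in one place" idea the hidden, protected scoring sheet serves in the workbook.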

wherever you want it to when you run that macro. So that's what the demo looks like. Like I said, you really can use all these different tools to build automation into your process.

All right, so we also have an item that we don't talk about too much, but I do want to talk about it as part of third-party risk management, and that is reverse third-party risk management. And you're probably thinking, "What the heck, Rose, what is that? I have no idea what you're talking about." Reverse third-party risk management is your customers sending questionnaires to your organization. So let's say your organization provides software to other companies; well, you are going to be assessed for your security controls as part of their ongoing compliance, and so I just refer to that as reverse third-party risk management, because I haven't thought of a better way to call it. So with reverse third-party risk management, you want to reduce the burden of incoming questionnaires, meaning you don't want to spend a bunch of time answering all these different questionnaires; you want to try to have a library of responses. You want to minimize your response time, because your third parties, like I mentioned, they want these questionnaires and they want them back, the same way that you want it with your program, so you want to be mindful of that. And you also want to build your reverse third-party risk management in conjunction with your governance documents. Another aspect of third-party risk management, or reverse third-party risk management, is having your company get certified, say ISO 27001. You want to have an information security management system; you can use that to prove, to show how secure your organization is, and demonstrate that, and maybe third parties would be okay with just accepting that sort of certification.

All right, so that's it. Oh my gosh, I threw so much information at you guys. I sincerely appreciate everybody for joining today. You can connect with me on any of these avenues; they're all still accurate. Ping me on the side if you want to be able to talk about anything related to third-party risk management. I am always very happy to talk about it; it's one of my favorite topics, and I've been dealing with it for quite a few years now. So with that, thank you guys, and hopefully you learned something today. Bye.