At first sight this question might appear facile, or to answer itself: “Surely a Third-Party Security Assessment is an assessment of the security of a Third Party”. There are many different approaches and solutions to 3rd Party Security Assessments, though, and we think the topic warrants a deeper look. I should point out that this blog is a layman’s opinion and not a legally authoritative definition.
What is a Third Party?
Let's start by agreeing what we mean by a 3rd Party, using a notional company “Acme Widgets Inc” as an example. The Collins Dictionary states that “A third party is someone who is not one of the main people involved in a business agreement or legal case, but who is involved in it in a minor role”. In the context of this question a 3rd Party is a person or entity that contributes to, or assists, Acme Widgets (the 2nd Party) in the delivery of its product or service to its customers or audience (the 1st Parties). Enough of the legalese though! Suppliers are third parties. Vendors who provide the tools or machines a company uses to make its products are third parties.
Why are Third Parties relevant?
Third Parties are important because the dependencies they create carry risks. If Acme Widgets is unable to deliver its products to customers without a particular supplier, then there is a resilience risk. Acme Widgets may need to ensure its suppliers obey certain laws and regulations (for instance on anti-money laundering, people trafficking and privacy); these create compliance or regulatory risks.
Today, almost all interactions with third parties involve exchanging information and connecting systems up. Before you claim that “We don’t allow any of our suppliers to connect with our systems”, I can state with confidence that you are wrong. If you exchange emails, you are connecting systems up. Systems are connected if employees use a supplier portal or web application on the same device they use to access corporate information. These interconnections and exchanges of sensitive information create risks to Acme’s business. To understand these risks, Acme Widgets needs to understand how good its suppliers’ security is.
What is a Good Security Assessment?
So Acme Widgets recognises, at least in principle, that it needs to understand how seriously its suppliers take their own security. It needs to assess its suppliers' security; in other words, to conduct a Security Assessment.
This isn't as easy as reviewing its own security. The situation is more opaque: not many companies make their security policies, processes or controls visible for the public to see. So what makes a security assessment good? We identify five key characteristics that are critical for any Security Assessment. To illustrate these we will look at a notional supplier to Acme Widgets called “Business Services Limited”, or BSL.
- Relevant. The assessment needs to align with the context. If BSL is just supplying Acme Widgets with paperclips, then the risk should be relatively low. In contrast, if BSL is providing an application to handle the details of all of Acme Widgets’ customers, the risk will be higher. The assessment and its recommendations should not just review BSL; they should review how BSL delivers its product or service to Acme. At the more benign end of the spectrum, Acme may only need to give the supplier a cursory glance to check that it can be relied upon. At the other end, Acme needs to understand how BSL actually conducts itself: what policies and processes it has in place, and how well trained and equipped its employees are.
- Efficient. Efficiency is always a factor in business, and this remains the case with security assessments. If Acme Widgets spends too much of its time doing security assessments it won’t be able to do anything to reduce the risks identified.
- Accurate. It may be obvious that the assessment needs to be accurate, but what do we mean by “accurate”? It needs to be based on evidence, so that its conclusions are not subjective and open to debate. Evidence should be reliable, so if BSL provides the evidence then, where possible, it should be validated against another source. The way that evidence is interpreted should be consistent. Conclusions should be the result of knowledge and judgement: there are often several different good ways, and bad ways, of implementing security. So to get the most accurate assessment, suitably experienced humans should contribute to the judgement.
- Timely. Nothing remains the same for long. The relationship that Acme Widgets has with BSL will change over time. The way that BSL develops and delivers its services will evolve. In the world of information and cyber security, the threats are constantly evolving. So the assessment needs to be sufficiently current – in utopia this would be continuously reassessed in near real time.
- Actionable. Above all, Acme Widgets should be able to act on the results of the assessment. If an assessment only describes BSL's weaknesses, then the only action Acme Widgets may be able to take is to terminate its contract with BSL. Frequently this is not a viable option where suppliers are critical to the business model. Even if the supplier could be replaced, it would take time and cause disruption to Acme’s business. One of the most important aspects of a good security assessment is the evidenced set of actions it offers to Acme Widgets.
Let's return to the original question. It is perhaps not about a dictionary definition and is more about what makes an effective security assessment of a third party. This is important. When we look at how organisations do security assessments, we frequently find one or more of these characteristics missing. This is why we developed our COBRA platform and service - because if it's done badly it can be as disastrous as not doing it at all. A discussion about our approach - how we don’t just tick all the boxes but ace them - will be the topic of a future blog.