Here is a brief description of third-party risk management (TPRM), how to onboard third-party vendors, and what the role of a CISO is in this process. To know more about TPRM and information security management, click here: https://www.eccouncil.org/information-security-management/

1. Copyright EC-Council 2020. All Rights Reserved.​
Third-Party Risk Management

2. What Is Third-Party Risk Management?
Third-party risk assessment is the analysis of risk posed by
third-party vendors along an entire supply chain by
monitoring and managing interactions with them.

3. Importance of Third-Party Risk Assessment
• More secure business continuity plans.
• Greater organizational stability.
• Reduced costs.
• It lets you address potential risks with fewer resources and in less time.
• Gives you an opportunity to concentrate on your core business functions.
• Offers you a framework for your organization and your vendors.
• Enhances the integrity, confidentiality, and obtainability of your services.
• Drives financial and operational competences.
• Guarantees that the reputation and quality of your services and products are not ruined.

4. Third-Party Risks
• Regulatory, compliance and legal violations
• Breaches of systems and data
• Reputation damage
• Financial damage
• Operational risks
• Strategic risks
• Systemic events
• Geopolitical events

5. Questions to Ask While Onboarding New
Vendors
•How often security audits are performed.
•Credit history which includes liens and bankruptcies.
•The regularity of data backups.
•How security risks are handled.
•Maintenance of data security.
•The number and types of devices that are used for network
access.
•Reliability of delivering orders and services.

6. Security Checklist
 The vendor has a security rating that meets your expectations.
 The vendor invests in data protection and information security
controls.
 The security rating of the vendor has been benchmarked against
their industry.
 The vendor uses access controls like RBAC.
 The vendor has an IT system outline.
 The vendor is ready to complete a risk assessment checklist.
 The vendor does not have a history of data breaches.
 The penetration testing results for the vendor are acceptable.
 The employees of the vendor do routine cybersecurity awareness
training.
 You visited the vendor’s location to check physical security.
 The vendor provides an IT system outline.

7. Role of a CISO to Ensure Secure Onboarding
of Vendors
Risk & Compliance
A CISO deals with how
information security affects legal
requirements, and they are also
responsible for ensuring the
organization is in compliance with
both internal and external policies.
Furthermore, a CISO helps build
full-fledged vendor risk
management programs and
internal monitoring programs to
make sure information security
controls are functioning as they
should.
Technical Operations
The CISO of any organization is
responsible for running
penetration tests, vulnerability
scans, web application security
assessments, and several other
technical operations. They help to
ensure that the software and
hardware configurations in both
their organization and the
vendor’s organization is always
compliant with the company and
regulatory standards.
Internal & Vendor
Communication
CISOs not only manage the
information security team, but they
also communicate and play a role
in several other teams. This is
why they need to have good
relationships and visibility into
each vendor they are working
with. They must also check in with
their team members constantly to
ensure all information security
issues are addressed.

8. THANK YOU!