Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Security and Privacy Measures

TrustArc
© 2023 TrustArc Inc. Proprietary and Confidential Information.
Speakers
● Paul Iagnocco, Customer Enablement Lead & Principal, Data Privacy, TrustArc
● Martin Gomberg, CISSP, CIPP/E, a.k.a. The Privacy CIO, author of CISO Redefined
Agenda
○ Whatʼs the current state of risk management?
○ Who owns third-party risk in the organization?
○ What are we solving for?
○ What are organizational implications around third-party risk?
○ What are the unique implications for Cloud Processing?
○ Questions & Answers
What's the current state of risk management?
Privilege is trust, and trust is the cost of doing business.
Our accountability and risk have increased even as our most consequential data moves out of our control, and a cautious trust is placed in others.
Trust increasingly involves more parties and spans technologies, geographies, changing regulations, and legal jurisdictions.
Our protection is paper (contracts or TOS check boxes) rather than technology, and it comes with less visibility into risks and into the effectiveness of controls.
We build indemnification into contracts as a form of insurance, but it is an acknowledgement of the dirt in the system: there are things about our third-party relationships that we simply cannot know.
Who owns third-party risk in the organization?
Who should own third-party risk management (TPRM)?
• TPRM is a growing strategic priority in most organizations
• TPRM is often decentralized due to size, complexity and budgetary constraints
• There are challenges:
○ Lack of a comprehensive approach
○ Siloed focus on specific risks
○ Insufficient and inefficient collaboration
○ Missed opportunities
Third-party risk touches an organization everywhere
● Executives and line of business management make strategic decisions about aligning, merging, acquiring, or partnering with other businesses.
● Line of business and procurement managers in acquiring products or services.
● Compliance scrutinizes partners, supply chain and proposed transactions for red flags.
● Legal in the effectiveness and protection of our contracts.
● Finance and HR on the cost and people aspects of acquiring, relocating, and integrating talent.
● IT in the integration of networks and the movement of data.
● InfoSec in establishing defenses against malicious or unintentional introduction of threats.
● Privacy in the movement of data between individuals, entities, and countries, and whether the flows of data conform to local regulations.
Stakeholders and Roles (slide diagram, flattened)
Stakeholders in adopting third-party relationships: Business and Executive; Legal & Human Resources; Procurement; Operations & Continuity; Finance; Security; Contracts; Privacy and Risk.
Relationship types: Affiliates & Partnerships; Service Procurement; Product Purchase; Contractors; Merger; Outsourcing; Acquisition; Fraud Prevention (Prohibited Entities, Entities Under Sanctions).
Third parties involved:
● Recruitment
● Advisory
● Ops Management
● Security
● Consultants
● Temps
● Vendors
● Brokers
● Suppliers
● Manufacturing
● Sales
● Distribution & Fulfillment
● Development
● Strategic
● Infrastructure
● As a service
● Commodity
What are we solving for?
But is there really such a thing as a third-party risk?
● It is third-party risk if it originates from, channels through, or impacts a partner.
● Modern business does not operate in a vacuum. Each component of our value chain in turn participates with others in a chain of dependencies. There is no risk that is not third-party risk to someone. There is nothing that we do that does not involve third or n-tier parties.
● We are a third party to someone in our value chain. The same risks that impact us, and through us threaten other parties, are the same risks that potentially impact our partners, and through them, threaten us.
● We need to require of them what we require of ourselves.
We and our network of partners, theirs, the technologies we use, and the environment in which we operate together are a system, and one part exposed risks the others.
Many companies, even well-known companies, have not undertaken, completed, or maintained an inventory and catalog of the location and classification of the data in their environment, or of their material risks. They therefore have not assessed the value and sensitivity, or the business confidentiality, of the data assets they collect, store or process in house, or that are held or serviced on their behalf by third parties.
What are organizational implications around third-party risk?
When does a third-party risk become core to our risk?
● It is core to our risk if our partners cannot sustain an adequately protected environment.
● If an impact to them disrupts their ability to meet their obligations to us.
● If it impacts them financially, shaking our confidence in the relationship.
● If our clients lose trust in us because of the third-party relationship.
● If through accident, carelessness, or malicious acts they are a conduit of attack.
● If our partners' violation of contracts, laws, or duty of care impacts our clients, their data, or their trust in us.
● In any violation of the law.
Due Diligence and Red Flags
Assessing an Organization:
● Oversight and accountability
● Leadership and vision
● Environment and culture
● Controls and metrics
● Policies and practices
● Technology and infrastructure
● Compliance and reporting
● Awareness and education
● Reputation and references
● Financial health
● Supply chain integrity
Assessing a Product or Service:
● Focus, expertise and track record
● Capacity to deliver and commitment to product
● Product or service quality and direction
● Planned product support and investment
● Staffing, skills & turnover
● Technology, privacy, operations & continuity
● Technology flags (obsolescence, proprietary, commercial, IP ownership)
● Hardware and software from verified and cleared sourcing
● Conformance to standards and regulation
● Cost and payment terms
● Contract and favorability of terms
Business is not static, for us or for third-party partners. With business change, risk moves. A static assessment is a statement in time; its validity changes because business is not static and risk moves. This is true for our third-party and n-tier partners as much as it is for ourselves.
Assessment is an iterative process of risk classification, remediation and review:
Business Objectives → Material risks to objectives → Mitigating Controls → Validation of Effectiveness, with ongoing monitoring of internal and third-party risk.
Regardless of industry, structure, or relationship, whether a product, service, or behavior, and whether effectiveness is initially assessed through inquiry, attestation, forms or checklist, contract, technology, or onsite audit, a cadence for periodic review should be established, with the frequency of sampling or revisitation consistent with the risk and with risk tolerance.
Four Conditions of Effectiveness (Identify, Address, Verify and Prove): Presence of Controls → Adequacy of Controls → Frequency of Use or Testing → Validation of Effectiveness.
Cloud Processing
When entering into a third-party Data Processing Agreement (DPA) for cloud services, important considerations include:
● Defining engagement specifics
● Ensuring GDPR compliance (Article 28)
● Establishing roles
● Specifying instructions
● Adhering to standards
● Detailing data aspects
● Outlining procedures
● Defining processes for data breach and Data Subject Request support
● Conformance with CISPE (Code of Conduct for Cloud Providers) or another professional organization
Q&A
TrustArc TPRM Solutions
trustarc.com/assessment-manager/ trustarc.com/risk-profile/
Contact Information
Visit http://www.trustarc.com for more
information on how TrustArc can help.