1. Create and Maintain an Inventory of Partners
Before you can manage third-party risks, you must identify those that present a risk of data breach, compliance failure, unauthorized disclosure or system failure. If IT is managing the relationship, it’s easier. However, the presence of shadow IT requires you to cast a wider net. Your purchasing department can be a key ally here because most third parties are being paid. On-premises Internet of Things devices and supplied software — even if it’s open-source — must be included.
2. Treat TPRM as an Ongoing Relationship
Stay connected with your major partners to understand what’s changing on their end and how their own security and risk management programs are evolving. Identify the third parties that present the biggest potential exposure, and focus on those vendors. Keep channels open, schedule annual workshops to learn what’s new, and make sure that you complete the most important projects first.
3. Holistically Integrate TPRM into Your Security Strategy
The term “holistic” means to deal with a whole or an integrated system — not with its parts individually. A holistic approach treats TPRM as just another flavor of risk management and doesn’t consider third parties a special case. They need to be fully part of your risk management evaluation, reporting and mitigation plans.
4. Be Proactive with Monitoring, Analytics and Escalation
TPRM monitoring requires ingenuity, exploration and even some experimentation as you discover what is available, then integrate it into existing risk management elements, such as your security information and event management system. Be discerning in what you use. Third parties often overwhelm with useless information, making it hard to dig out the valuable nuggets.