1. Create and Maintain an Inventory of Partners
It seems obvious, but before you can manage the risk, you must identify it. That means identifying the third parties that may present a risk of data breach, compliance failure, unauthorized disclosure or system failure. When IT is managing the relationship, that makes it easy. However, the presence of shadow IT means that you may need to cast a wider net. Your purchasing department can be a key ally here, since most third parties are being paid.
However, don’t think that outsourcing is the only game in town. Software suppliers, even open-source ones, and on-premises Internet of Things devices must be included. If your environmental systems are all dependent on cloud-connected thermostats, what risks are you taking on if you can no longer control heating, ventilation and air conditioning in patient care areas?
2. Treat TPRM as an Ongoing Relationship
Cloud Software as a Service and Infrastructure as a Service providers will claim to have fully baked and experienced security programs that can feed into your own risk management. In reality, SaaS and IaaS have moved at the speed of the internet, and there’s still progress to be made in fully integrating with customers’ TPRM programs.
Everyone is learning and gaining experience, which means that you need to keep in touch with your major partners to understand what’s changing on their end and how they are maturing and evolving their own security and risk management programs.
An important step here is to prioritize third parties: Identify the ones that present the biggest potential exposure and focus on those vendors. Keep channels open, schedule annual workshops to learn what’s new and make sure that you fit in the big rocks first.
Realize that third parties are already prone to questionnaire fatigue, which means you’ll get real answers and real insights only when you engage directly.
3. Holistically Integrate TPRM into Your Security Strategy
Healthcare uses the term “holistic” to define a more complete way to deliver patient care. Use some of these holistic principles and treat TPRM as just another flavor of risk management. Don’t consider third parties a special case: They need to be fully part of your risk management evaluation, reporting and mitigation plans.
4. Be Proactive with Monitoring, Analytics and Escalation
Saying “TPRM monitoring is important” doesn’t solve the difficult problem of how to do monitoring, analysis and alerting on a third party’s infrastructure. But just because something is hard doesn’t mean it’s impossible. This will require ingenuity, exploration and even some experimentation as you discover what is available, then integrate it into existing risk management elements, such as your security information and event management system. Be discerning in what you use: Third parties often overwhelm with useless information, making it hard to dig out the useful nuggets.