This is the second of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the ongoing monitoring process.
Organizations are dynamic; they are in a constant state of change. Regulations are changing, risk is changing, and internal business processes, employees, and technology are changing. As much as an organization's own business has changed, it is important to remember that each and every third party it does business with has changed as well.
A third party might have been the right third party to contract with two years ago, but is it still the right third party? Is it current with its security controls and processes? Over the course of time, a third party's oversight, processes, employees, and technology all evolve. What was a secure relationship a year ago, or several years ago, may not be a secure relationship today.
This is further complicated by the fact that security now touches a wider range of third parties than it did in the past. It used to be predominantly IT vendors that posed an information security risk. Today, in the interconnected digital economy, any third party providing a service to any part of the business may be connected to the organization's network and have access to its information. The Internet of Things complicates this further: the microwave in the break room now poses a security threat when in the past it did not.
Five Necessities of Security Monitoring
Organizations need to have established processes in place to monitor security throughout the lifecycle of a relationship. This includes . . .
[This is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found on the Panorays site; follow the link below to read more.]