
Capability
Fourth-Party Awareness

Know third-party portfolio service provider dependencies -- your fourth parties. Maintain at least a high-level risk awareness of significant fourth parties where you have third-party portfolio concentration risk.

What

Know third-party portfolio service providers - your fourth parties. Maintain at least a high-level risk awareness of significant fourth parties where you have third-party portfolio concentration risk.

Why

Mapping service providers to your third parties enables you to understand your service provider concentration risk. If Dynamic Network Services or AWS Ireland goes down, which of my third parties are impacted?

Identifying significant fourth parties also enables you to develop control assessment standards for assessing third-party use of significant providers.

How

This capability is facilitated through implementation of the continuous surface risk assessment capability.

Identify the hosting providers of third-party systems using the network registration information associated with each third-party system's IP address. Monitor significant fourth parties for security breaches and service outages that may impact your third parties.

Develop and enforce control assessment standards for assessing third-party use of significant fourth parties. Conduct expansive assessments of significant fourth parties in cases where the fourth party is also your third party.
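The mapping step described above, as an added example that is not part of the original playbook: it reads the registrant organisation out of RDAP-style network registration records, groups third parties by hosting provider, flags concentration, and checks a list of providers that are not allowed for use. The vendor names, provider names, IP addresses, the 50% threshold and the assumption that the registrant entity names the hosting provider are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: third party -> IPs of its internet-facing systems
# (names are made up; IPs are from the RFC 5737 documentation ranges).
INVENTORY = {
    "payroll-vendor": ["192.0.2.10", "192.0.2.11"],
    "crm-vendor": ["192.0.2.20", "198.51.100.5"],
    "ticketing-vendor": ["192.0.2.30"],
    "survey-vendor": ["203.0.113.7"],
}

def rdap_stub(org):
    """Constructed, trimmed RDAP 'ip network' object holding a registrant jCard."""
    card = ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", org]]]
    return {"objectClassName": "ip network",
            "entities": [{"roles": ["registrant"], "vcardArray": card}]}

# Constructed lookup results; a real run would fetch one RDAP record per IP.
PREFIX_ORG = {"192.0.2.": "ExampleCloud Inc.", "198.51.100.": "ExampleCDN Ltd.",
              "203.0.113.": "FreeHost Example"}
RDAP_BY_IP = {ip: rdap_stub(org) for ips in INVENTORY.values() for ip in ips
              for prefix, org in PREFIX_ORG.items() if ip.startswith(prefix)}

def registrant_org(record):
    """Return the registrant's 'fn' from an RDAP record, or UNKNOWN if absent."""
    for entity in record.get("entities", []):
        if "registrant" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return "UNKNOWN"

def fourth_party_map(inventory, rdap_by_ip):
    """Map each hosting provider to the set of third parties that depend on it."""
    providers = defaultdict(set)
    for third_party, ips in inventory.items():
        for ip in ips:
            providers[registrant_org(rdap_by_ip.get(ip, {}))].add(third_party)
    return providers

def concentrated(providers, total, threshold=0.5):
    """Providers hosting at least `threshold` of the third-party portfolio."""
    return {p: sorted(t) for p, t in providers.items()
            if p != "UNKNOWN" and len(t) / total >= threshold}

def disallowed_use(providers, deny_list):
    """Third parties found on providers that are not allowed for use."""
    return {p: sorted(providers[p]) for p in deny_list if p in providers}
```

IPs whose record has no registrant entity are grouped under `UNKNOWN` so they can be followed up manually instead of being silently dropped from the concentration count.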

Practice | Status | Adoption
Know the service providers used by your third parties. | Pioneering | 17%
Monitor significant fourth parties for material security breaches or operational outages. | Pioneering | 7%
Develop and enforce control assessment standards for assessing third party use of significant fourth parties. | No Data | No Data
Conduct expansive assessments of material fourth parties in cases where the fourth party is also your third party. | Pioneering | 7%
Maintain a list of service providers that are not allowed for use. These might include hosting providers that may not provide sufficient security capabilities, such as ‘free web hosting’ providers, or that provide ‘bullet proof’ hosting for potentially unethical use. | Pioneering | 3%