Periodically execute a privileged-access assessment of each third party. Tune the assessment plan based on third-party inherent risk and known strengths and weaknesses.
Privileged-access assessments provide a comprehensive understanding of the third party's security risk-management program, from which you can best measure risk exposure and prescribe recommendations for tactical and systemic performance improvement.
Prepare for the assessment by reviewing prior assessments and continuous surface assessment data. Familiarize yourself with the organization’s IT profile, including hosting providers, hosting geo-locations, and technology stack. Modify the assessment plan to go deep into areas of control weakness and back off on areas of strength.
Use the third party's representations to understand how they have invested in risk-management people, processes, and technology. Use the objective continuous surface assessment data to learn how well they have implemented and are operating their risk-management program. Also use the surface assessment data to validate third-party claims, calling out technical gaps and identifying root-cause issues.
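The reconciliation just described, written out as an added Python example (not part of the original guide or any tool it references): each control the third party claims in its questionnaire is checked against continuous surface assessment observations, classified as validated, contradicted, acknowledged gap or unverified, and the assessment depth is set accordingly (deep where claims and evidence disagree, light where a strength is confirmed, standard where there is no external evidence or where a previously open issue needs its closure confirmed). Failing hosts spread across more than one hosting provider are flagged as a likely systemic root cause rather than an isolated one. All control names, hosts, providers and questionnaire references are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Claim:
    """A control the third party says it has in place (questionnaire answer)."""
    control: str
    asserted: bool
    source: str = ""


@dataclass
class Observation:
    """One externally observed data point from continuous surface assessment."""
    control: str
    host: str
    provider: str
    compliant: bool
    detail: str


@dataclass
class Focus:
    """Where, and how deep, the privileged-access assessment should go."""
    control: str
    status: str                     # validated | contradicted | acknowledged_gap | unverified
    depth: str                      # light | standard | deep
    scope: str = ""                 # systemic | isolated | "" (no failing hosts)
    failing_hosts: list = field(default_factory=list)


def reconcile(claims, observations, prior_open_issues=frozenset()):
    """Compare claims with evidence and tune assessment depth per control."""
    by_control = {}
    for obs in observations:
        by_control.setdefault(obs.control, []).append(obs)

    plan = []
    for claim in claims:
        obs = by_control.get(claim.control, [])
        failing = [o for o in obs if not o.compliant]
        if not claim.asserted:
            status = "acknowledged_gap"    # the third party admits the weakness
        elif not obs:
            status = "unverified"          # no external evidence either way
        elif failing:
            status = "contradicted"        # claim does not match observed reality
        else:
            status = "validated"

        if status in ("contradicted", "acknowledged_gap"):
            depth = "deep"                 # go deep on weakness and root cause
        elif status == "unverified":
            depth = "standard"             # must be tested during the assessment
        elif claim.control in prior_open_issues:
            depth = "standard"             # confirm a previously open issue is really closed
        else:
            depth = "light"                # known strength: back off

        providers = {o.provider for o in failing}
        scope = "systemic" if len(providers) > 1 else ("isolated" if providers else "")
        plan.append(Focus(claim.control, status, depth, scope, [o.host for o in failing]))
    return plan


def depth_by_control(plan):
    """Summarise the plan as control -> depth, handy for the assessment schedule."""
    return {f.control: f.depth for f in plan}


# Constructed sample data (hypothetical third party "vendor.test").
CLAIMS = [
    Claim("tls_modern_only", True, "questionnaire Q12"),
    Claim("mfa_for_admin_access", True, "questionnaire Q20"),
    Claim("patching_within_30_days", False, "questionnaire Q31"),
    Claim("waf_on_public_apps", True, "questionnaire Q40"),
]

OBSERVATIONS = [
    Observation("tls_modern_only", "app.vendor.test", "cloud-us-east", True, "TLS 1.2/1.3 only"),
    Observation("tls_modern_only", "legacy.vendor.test", "colo-eu", False, "TLS 1.0 offered"),
    Observation("tls_modern_only", "api.vendor.test", "cloud-us-east", False, "TLS 1.1 offered"),
    Observation("patching_within_30_days", "app.vendor.test", "cloud-us-east", False,
                "server banner 14 months behind current release"),
    Observation("waf_on_public_apps", "app.vendor.test", "cloud-us-east", True,
                "WAF response headers present"),
]

# An issue left open at the previous assessment (constructed).
PRIOR_OPEN_ISSUES = frozenset({"waf_on_public_apps"})

if __name__ == "__main__":
    for f in reconcile(CLAIMS, OBSERVATIONS, PRIOR_OPEN_ISSUES):
        print(f"{f.control:26} {f.status:16} depth={f.depth:8} {f.scope:8} {f.failing_hosts}")
```

Running the block prints one line per claimed control; the TLS claim comes out contradicted with a systemic scope because the failing hosts sit with two different hosting providers, which is the kind of finding that points at a process gap rather than one misconfigured server.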
| Practice | Level | Adoption |
|---|---|---|
| Conduct third-party enterprise assessments according to established standards and methodology. | Common | 90% |
| Discuss the status of open issues from previous assessments with the third party. | Common | 80% |
| Adjust the assessment plan based on the results of prior third-party assessment engagements. | Common | 53% |
| Adjust the assessment plan based on the continuous surface assessment results. | Pioneering | 17% |