Third Party Security Management (TSM)
The last decade has seen a phenomenal change in the sourcing patterns of organizations. Organizations increasingly depend on External Service Providers (ESPs) to bridge gaps in their skills and competence, to save costs, to augment capabilities and improve scalability, to manage their service level requirements and to make business operations lean and efficient. Globalization creates many opportunities for global sourcing that promise maximum benefit. A new generation organization is characterized by its dependence on ESPs and by its extended boundaries, which include its partners, vendors and service providers. The extended organization tries to provide seamless access to entities that lie outside its trusted boundary. External parties and their employees get access to the organization's critical IT systems. The data on which organizations now critically rely for their growth, whether intellectual property or personal information of customers, may end up in the hands of a service provider's employee. This poses a critical challenge regarding the liability of an ESP and its employees towards the organization's end customers. It necessitates a definite set of security measures that provides assurance that data in the hands of ESPs is safe, and that the organization has deployed adequate measures to address the security issues that arise from ESPs.
The security discipline of Third Party Security Management (TSM) gives an organization the capability to manage the security issues arising from its ESPs. In a global sourcing environment, TSM plays a crucial role in establishing a trust relationship between entities such as the organization seeking to avail the services, its end customers, the service providers, and the regulatory bodies that may intervene to protect end users' privacy. From a service provider's perspective, security should be a hygiene factor that provides assurance to every entity with an interest in its relationship with its clients. DSCI believes that, as outsourcing by organizations continues to rise, TSM provides a means to balance the risks that arise from it. The DSCI Security Framework (DSF) pays close attention to this discipline of security as part of the end goal of data security, in which TSM has a critical role to play. DSCI Best Practices represent contemporary understanding, approaches, trends, and practices that global organizations are increasingly adopting. These practices help organizations establish a mature Third Party Security Management function.
- Create an inventory of business services that use a third party or external service provider
- Map all the legal and compliance requirements to the business processes that use external service providers
- For each of the service type, map the type of data — customer data, employee data, health and financial data, intellectual property information, etc.
- Make an inventory of the security requirements of each type of service that is outsourced — requirements such as physical security, infrastructure security, data security, personnel security, business continuity etc.
- Identify the assurance requirements of each type of service — risk management, security auditing and testing, security monitoring, incident management, breach notification
- Map all the security assurance processes that run between the organization and its service
- Create a complete visibility over the security capabilities of all the external service providers — security awareness level, technology used, processes followed, standards implemented and security certifications obtained
- Identify and make an inventory of all scenarios that may compromise the security of the organization or lead to loss of data. Assess the applicability of these scenarios to all vendor relationships
- Assign a security rating to all the external service providers based on the criticality of the service, security preparedness, technology deployed, security process maturity and the results of security assessment
- Create an inventory of the contractual elements that are attributed to security and privacy from all the external service providers contracts
- Create an inventory of all the elements of vendor management or sourcing functions
- Create a strategic roadmap for Third Party Security Management (TSM) considering strategic options such as:
  - Inclusion of security and privacy in the sourcing function
  - Use of techniques such as vendor scorecards, vendor security ratings and dashboards
  - Inclusion of security, privacy and continuity management in service providers' contracts and agreements
  - Adoption of an assurance process portfolio approach: governance, planning, design and architecture, protection, operation and collaboration
  - Automation of vendor compliance and risk management: use of Governance, Risk and Compliance (GRC) products that offer dashboards, mapping, workflow management and collaboration
- Ensure that the security requirements for each type of service to be sourced are defined based on what the service delivers, perceived threats or risks, possible data leakage, and compliance exposure
- Create a profile of suppliers and partners, and tier them according to their risk profiles and business impact
- Ensure that a significant level of resources and effort is allocated to the security evaluation of vendors, proportional to their business impact
- Analyze the security capability of the service provider
- Verify that the service provider has the capabilities to adequately meet data protection needs
- Define strategic and tactical guidance for service provider or vendor evaluation and due diligence as part of the commencement of a project or service
- Ensure that the service providers can deliver adequate security as defined by the enterprise’s established policies
- Ensure that a Third Party Access Policy is formulated and deployed for provisioning and managing access for the service provider's employees
- Make an inventory of the specific restrictions, special permissions, or specific measures that need to be imposed on the service provider for each type of service
- Ensure that adequate measures, specific to each individual compliance requirement, are implemented to give the service provider the capability to demonstrate compliance
- Establish a formal process with the legal, procurement and sourcing groups to ensure that security-related contract terms are a part of every sourcing decision before the deal has been made.
- Ensure that the compliance liabilities and responsibilities are properly articulated to the service provider, and stated in the contractual terms.
- Ensure that flexibility is maintained in the contracts to accommodate changes in security requirements and procedures
- Ensure that performance reporting procedures are deployed to obtain assurance over the enforcement of contractual terms
- Perform a periodic review of the service provider's security procedures, using a combination of methods
- Ensure that a proper incident management process is implemented at the service provider, and any security breach is immediately notified
- Establish a Standard Operating Procedure (SOP) to manage security and data breaches. Liaise with law enforcement to understand the legal framework and the process of legal proceedings or actions
- Ensure that the sourcing function liaises with the corporate compliance, audit, legal and HR management teams to enhance security
- Portfolio of business services from security perspective
- Visibility over data, data environment, data access and operations in each sourcing relationship
- Integration of security in vendor life cycle processes
- Integration of vendor security operations with enterprise security management processes
- Coverage of TSM program
- Compliance demonstration capabilities of sourcing relationships
- Ability of vendor contracts to enforce security and fix liability
- Adequacy of resources and efforts allocated to TSM
- Excellence of vendor incident management processes
- Collaboration and coordination for TSM