More and more, Secureworks is seeing organizations outsource and partner with third parties to handle sensitive data or business processes on their behalf.
Ensuring those organizations handle that data securely and align to your security policies and levels of risk tolerance is an important component of information security that must be accounted for.
In this video, Hadi Hosn, Global Consulting Solutions Lead covers Secureworks' Third Party Security Management Methodology. This comprehensive methodology includes programmatic phases such as:
- Identifying third parties that pose risk
- Categorization of those parties
- Development of the assessment methodology for the third parties
- Carrying out the assessments
- Reporting on the results
TRANSCRIPT:
Hello. I’m Hadi Hosn. I head up the Security Strategy and GRC Consulting team for SecureWorks in EMEA. And today I’ll talk you through our Third Party Security Management Methodology.
More and more we see organizations outsource and partner with third parties to handle their sensitive information security data or business processes on their behalf. And ensuring they handle that data securely is a really important exercise that an organization needs to go through. SecureWorks has developed a strong methodology to help companies in their third party’s security management.
Our methodology is structured in a number of phases. The first phase is really trying to identify who the third parties are that the organizations are dealing with. This can be an exercise going through procurement, talking to the business unit leaders to identify the list of third party’s they work with.
The next activity is really to try and categorize those third parties. Categorization can be a number of different ways. Usually we apply a concept of where the third party is located geographically, what type of data they handle on behalf of the company and how strategic they are for the organization. That gives us the ability to identify the high, medium and low-risk third parties. So a high-risk third party could be an IT service provider for an organization. A low risk could potentially be a cleaning company that comes in once a day to clean the offices.
Once the categorization is completed, SecureWorks will work with the client to identify the assessment methodology for those third parties. This includes the questionnaires we will develop for each of the different categories, the way the third party will be engaged as a part of the due diligence process, what type of assessments we need to conduct and how the continuous assessment cycle will be carried out with the third party.
The assessment methodology will form the baseline of how the third parties will be assessed moving forward across the company. Additionally, we will go and do third party security assessments on behalf of the clients. So that’s the fourth phase which is really conducting on site security assessment visits of those high critically important third parties. Maybe sending out questionnaires for the medium risk third parties to assess how secure are they. And potentially the low risk, we might be able to accept that risk considering the size and amount of third parties that could be working with that client.
The next phase is really about reporting. It’s trying to bring back the reports from each of those assessments and consolidate that into a single view to show the client trends across its third party landscape. And to identify areas of improvement that can be consolidated across a number of different third parties.
So that really is our third party security management methodology.