All businesses rely on third-party service providers, and third-party risk management (TPRM) is nothing new. In fact, regulated industries like financial services and healthcare have long been required to test and report on the effectiveness of their vendor risk management programs.
However, recent cyber-attacks, such as the 2013 Target data breach, brought new focus to third-party cybersecurity risk, since the post-incident kill chain analysis pointed to malware that entered Target’s network through an insecure supplier. Since that widely publicized incident, boards, legal counsel and executive management at buyer firms have been seeking greater assurance that third-party risk is being adequately managed. As a result, in-house security teams have re-doubled their efforts to:
- Create information security standards for suppliers
- Identify and classify vendors according to risk
- Update contracts to ensure cyber issues are properly addressed
- Increase the rigor and frequency of self-assessments and on-site audits
Similarly, firms that provide products and services to their customers are now facing new challenges of their own:
- More frequent requests for self-assessments of security controls
- Requests for on-site audits
- Requests for audit reports from independent assessors
How Coalfire Can Help
Whether you are a vendor risk manager or supplier subject to your customer’s Third-Party Risk Management (TPRM) program, Coalfire can help.
Vendor Risk Management Services
We bring efficiencies and cost savings to the vendor risk management lifecycle. Our “trust, but verify” approach is built on a standardized methodology adopted globally across a range of industries. Our services include:
Our TPRM Program Design and Development Service is based on the Shared Assessments Program recommendations for robust program development and helps you define the foundational concepts for starting a TPRM program from scratch. As a Shared Assessments member firm, we’ll help you:
- Build a core team
- Complete a full inventory of third-party contractors
- Collect and standardize contracts
- Define vendor security requirements
- Select and implement TPRM software
- Implement, measure and report TPRM results to executive management
Through our Outsourced TPRM Services, we can also assist you with customizing a Standardized Information Gathering Questionnaire (SIG), analyzing and scoring responses, and working with your vendors on remediation activities. In addition, our assessors can perform on-site audits for third parties that require the extra level of assurance provided by inspection.
Service Provider Advisory Services
The service provider self-assessment process can be inefficient, time-consuming and costly.
Coalfire’s SIG assessment and remediation services take the burden off your security team and help you comply with the privacy, data security, and business resiliency requirements placed upon you by your customers. In addition, our Agreed Upon Procedures (AUP) assessments and reports validate your SIG responses and provide your customers with independent assurance that you have complied with their standards.
Why Coalfire for Third-Party Risk Advisory
Since our founding in 2001, Coalfire has established itself as a pure-play, vendor-neutral cybersecurity advisory firm serving as a trusted advisor to executives, legal counsel, compliance managers and security practitioners across numerous industries.
Each Coalfire project is led by a credentialed, industry-savvy senior director and supported by consultants armed with the methodologies, proven proprietary frameworks, insights and know-how accumulated through service to over 1,400 clients annually. We’re skilled communicators who present our findings in business terms for truly actionable insights.
Along with our cyber risk advisory services, we help clients simplify their compliance processes. Our cyber risk advisors get to know your business and help you understand how to comply with regulations and leverage efforts across different compliance frameworks.