This article is written by Steve Cagle, Chief Executive Officer at Clearwater, a Cyberwrite partner
Whether you’re new to cybersecurity and building a program for your organization or you’re an experienced InfoSec pro looking to mature your existing program, risk assessment frameworks are key.
A risk assessment framework is a way to understand and evaluate security risks for your organization. These frameworks establish a starting point for risk assessments so you can grow and mature your processes over time.
A risk assessment framework can also serve as a tool to help you efficiently communicate risks to your team members, C-suite executives, and key stakeholders—in a way that everyone understands, regardless of technical expertise. As well, these frameworks can help align your security goals with existing operational goals and objectives.
Here are some examples of risk assessment frameworks:
- NIST Risk Management Framework
- Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk Management Framework
- ISO 31000 (series)
- Control Objectives for Information and Related Technology (COBIT)
- Threat Agent Risk Assessment (TARA)
- Factor Analysis of Information Risk (FAIR)
While each of these frameworks takes different approaches to risk assessments, most carry a common thread:
- Identify risks
- Measure and assess the impact of those risks
- Prioritize risks
- Create an action plan to mitigate risks
- Document your response
- Review, follow up, and program governance
Risk Assessment Types
Risk assessments can be applied to a variety of business and technical risks. Here are a few examples:
- Information technology risks, including assets and vulnerabilities
- Operational risks
- Financial risks
- Strategic risks
- Compliance risks
You can use these risk assessment types to build an overall risk profile for your organization so you can make plans to mitigate those risks and improve operational longevity and success.
An often-overlooked risk assessment category is third-party or vendor. While responsibility (and related fines and penalties) for these risks are becoming increasingly prevalent in regulatory and compliance standards, many organizations aren’t sure how to tackle them.
Applying Risk Assessment Frameworks to Vendor Risks
While organizations generally have good standards for identifying and mitigating internal risks, processes historically haven’t been as in-depth for suppliers and outside vendors.
Without equivalent risk metrics and processes for your supply chain, it becomes increasingly difficult to ensure your sensitive information is protected and your organization doesn’t become at risk for data breaches or other attacks through your outside partners.
According to Ponemon’s “The Economic Impact of Third-Party Risk Management in Healthcare” study, third-party risk assessments can be challenging because, on average, 3.21 full-time employees are dedicated to vendor risk assessments spending about 513 hours each month to complete assessments. That’s a lot of work for a handful of people, meaning mistakes can be made and assessments may not be as accurate as you’d like.
And while the workload for employees grows, so do breaches that originate with vendors. According to this same report, almost 60% of organizations have experienced one or more third-party breaches during the past two years.
So what can help you better embrace risk assessments for third parties so you can lessen risks to your organization? This is where risk assessment frameworks play an important role.
Why You Need a Risk Assessment Framework for Vendors
Some organizations do a decent job conducting risk assessment for new vendor contracts. The ones who do that best include risk mitigation and related privacy expectations in contracts, service level agreements (SLAs) and business associate agreements (BAAs).
But unfortunately, that’s often both the beginning and end of these assessments—unless it’s a compliance standard, and even then, it’s generally only conducted annually or for renewals, even though the risk environment is fluid and constantly changing.
According to the Ponemon report, only about 40% of organizations say they find value in information they get from doing risk assessments and for those that do understand when the assessments expose significant risks, 21% of assessments result in requiring remediation before a contract goes into effect and only 11% will disqualify a vendor because of risk.
Risk assessment frameworks can help ensure you’re doing routine risk assessments and that your assessments mature and change as your business evolves. That’s especially relevant because, according to Ponemon, existing risk practices for many organizations don’t keep pace with vendor risks and vulnerabilities. That could lead to breaches—and ultimately fines, penalties, and reputational damage—for your organization.
Frameworks can also ensure you are meeting your compliance requirements and so are your second- and third-tier vendors. Remember, if one of your suppliers has a breach, the fines and accountability issues will affect you, especially if you haven’t met your compliance standards.
Selecting a Risk Assessment Framework
We shared earlier some examples of risk assessment frameworks. Each framework is applicable to a variety of standards and levels. So how do you pick the right one for your organization?
First, you should understand your organization’s objectives, your levels of acceptable risk, and what’s required from a compliance standpoint.
Acceptable risk is the amount of risk your organization is willing to accept once you’ve evaluated an event’s probability and anticipated impact. These risk targets are key in helping you protect your organization and make appropriate vendor selections, as well as guiding your vendor relationships over time.
In many cases, your program’s executive sponsor helps determine the level of acceptable risk and also facilitates decisions about when risks exceed that threshold.
As it relates to vendors, when doing an initial vendor assessment for a new contract, you may determine the level of risk is too high and therefore you would consider a different vendor. Or, your executive sponsor may determine the risk is there but it’s acceptable and would then work directly with the vendor to facilitate mitigation and follow up.
Executive sponsors also take on the responsibility of ending existing contracts or denying renewals when, on follow-up assessment, it’s determined the vendor isn’t meeting expectations or risk level has increased beyond what’s acceptable.
Once you’ve determined acceptable risk and compliance requirements, you should review a variety of risk assessment frameworks and see which one best aligns to your organizational objectives. Is the framework the right one for your industry? Does that framework support regulatory compliance?
You may decide components from more than one framework work best for your organization, so it may work to select components and build a customized framework.
For a free option, you may want to build your framework off recommendations from the National Institute of Standards and Technology (NIST). Or, if you’d like to become certified for your risk assessment strategies, you may prefer working with frameworks created by the International Standards Organization (ISO).
Vendor Risk Assessment Framework Levels
Regardless of which risk assessment framework you choose—or if you choose to customize your own model—there are three core levels you should include. You can begin with Level 1 and then build on to Levels 2 and 3.
Not sure where to begin? Your accounts payable (AP) vendor may be a good place to start. Evaluate your AP vendor based on these levels:
Framework Level 1
Level 1 begins with your initial vendor assessments. During this assessment you should:
- Evaluate the state of your existing programs and processes as they relate to your organization’s security and compliance goals and requirements
- Identify areas of improvement
- Conduct a complete inventory of your existing vendors, suppliers, and business associates
- Verify contracts to ensure that all necessary agreements are in place for your existing vendors such as BAAs, SLAs, and service use agreements.
- Ensure all of your vendor agreements clearly define your data privacy expectations and guidelines including how your data is used, stored, protected and transmitted, as well as processes for what happens if there is a data breach or disaster, and what will happen with your data when your contract ends (will all data be returned to you or will it be destroyed?)
- Categorize your vendors based on risk, from high to low. This ranking shouldn’t just be about the volume of data your supplier may access, but also:
- Nature and sensitivity of protected information access
- Which technical security controls are required and where the vendor is in meeting those standards
- Access and use of your data
Framework Level 2
At Level 2, you’ll embark on processes to find gaps and weaknesses in your vendors’ policies and processes and initiate steps for mitigation and remediation. This step should include:
- A vendor risk assessment or a business associate agreement with documentation
- An in-depth analysis of your vendor’s compliance and risks including:
- How the vendor responds to your assessment questions
- Relevant security reports including security operations center (SoC) and ISO audits, as well as data breach reports
- Review existing policies and procedures
- Review data governance
Framework Level 3
Level 3 evolves as your program evolves. This is where you’ll do ongoing vendor management including:
- Ongoing vendor monitoring
- Routine re-assessments and attestations, at a minimum of annually
- Utilizing software to help maintain and track your assessments and findings
- Conducting on-site audits, at least annually
The Future of Frameworks
While many compliance standards now include a vendor risk assessment or third-party guidelines, some organizations still struggle with creating and maturing effective risk management practices. Reviewing and adopting components from relative risk assessment frameworks can help.
You may also find it beneficial to use a cyber risk management software solution that can help you build your frameworks, manage your assessments, and follow up with a clear picture of your overall risk posture at any time.
Clearwater’s risk management solutions can help you:
- Define policies and procedures to monitor vendors
- Consolidate existing internal vendor profile data and contracts into a single data repository
- Close critical vendor data gaps