Getting a Grip on Third-Party Access
Compliance is a problem organizations can’t escape. According to this year’s Ponemon Report, 37% of businesses say the complexity of compliance and regulatory requirements is a barrier to achieving a strong cybersecurity posture. Between meeting regulatory requirements and achieving security, compliance seems to be a consistent roadblock for organizations across all industries.
Third parties are another problem area that every organization experiences. There’s risk associated with third-party remote access, including bad actors lurking around every access point.
What businesses might not realize is that proper management of third parties could be the key to staying compliant and getting a grip on third-party access.
How Third Parties Help Achieve Compliance
Third parties and compliance aren’t mutually exclusive. Many regulatory compliance mandates include requirements around third parties, remote access, and third-party access to an organization’s systems, networks, data, and private or confidential information.
- HIPAA compliance: Since third parties, business associates, and covered entities are all able to access patient data from a healthcare system, meeting HIPAA compliance standards means third parties have to abide by the same safeguards as the healthcare institution. If a business associate violates any HIPAA regulations, then the healthcare organization — not just the BA — holds responsibility for the breach in patient privacy.
- CJIS compliance: Authorized third parties have to adhere to the CJIS Security Policy, which requires access controls, audits, and authentication methods for any user who accesses confidential files and data from criminal justice information services.
- PCI DSS compliance: Vendors who handle payment card transactions (or, more specifically, work with retail businesses) need secure access to credit card information or they’re at risk of violating the security policies of PCI DSS.
- NERC CIP compliance: NERC CIP requirements are sets of cybersecurity standards for bulk electric systems, i.e., organizations dealing with industrial remote access. The security requirements apply to any entity (such as a third-party user) that impacts the reliability of the system, and they call for various IT and security controls to protect critical infrastructure from cyberattacks.
A significant amount of compliance is dependent on third-party access being controlled and monitored. Third parties are essentially an extension of a business; if the third party gets in trouble with compliance, then the business is in trouble as well. However, over half of organizations rate their third parties as ineffective in achieving compliance with security and privacy regulations that affect the organization. If businesses truly don’t trust their third-party vendors to meet compliance, they need to get back control from the inside.
Third-party management creates more visibility, which is exactly what auditors want. With third parties, visibility is already a huge problem – only 36% of organizations have visibility into the level of access and permissions both internal and external users have. Auditors and regulators need to know what’s happening with user access so they can ensure the safety and well-being of a company, its employees, its customers, and the general public. When you can show that through audit trails and documentation, you don’t have to scramble to collect information for auditors, and you don’t have to guess which vendor, consultant, technician, or rep has access to which systems, data, or resources.
Managing third parties means managing and controlling access, which is what compliance requires. 67% of organizations feel that managing third-party access is overwhelming and a drain on internal resources, which is likely an indicator of how messy the third-party situation is. The first step should be to make a list of everything that needs to be done to get it clean. That list needs to include: inventorying third-party users and what they need access to, recording what access permissions they already have, limiting that access based on the principle of least privilege, and controlling access with a combination of authentication methods, fine-grained controls, and password protection.
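The clean-up list above (inventory third-party users, record what they have, compare it with what they need, check the controls on each account) is easy to state and tedious to do by hand. The script below is an added example, not code from the article or from any product it refers to: it runs the least-privilege review over a constructed inventory of external accounts and produces the “who has access to what” matrix an auditor asks for. The vendor names, system names, `required` sets, the 90-day dormancy threshold and the list of sensitive systems are all assumptions made for the illustration.

```python
"""Least-privilege review of a third-party access inventory.

Added example (not part of the original article). The inventory below is
constructed sample data; vendor names, system names and the 'required'
sets are assumptions used only to illustrate the review steps the text
describes: inventory third-party users, compare what they have with what
they need, and check the controls on each account.
"""
from dataclasses import dataclass
from datetime import date

# Constructed inventory: one entry per external account. In practice the
# 'granted' sets come from the directory or access gateway export and the
# 'required' sets from the vendor contract or onboarding ticket.
INVENTORY = [
    {"vendor": "HVAC Services Co", "account": "hvac-tech01",
     "granted": {"bms-console", "vpn", "file-share"},
     "required": {"bms-console", "vpn"},
     "mfa": True, "last_login": date(2024, 5, 2)},
    {"vendor": "Billing SaaS", "account": "billing-svc",
     "granted": {"payments-db", "vpn", "domain-admin"},
     "required": {"payments-db", "vpn"},
     "mfa": False, "last_login": date(2024, 5, 6)},
    {"vendor": "Former Consultant", "account": "consult-old",
     "granted": {"vpn", "file-share"},
     "required": set(),
     "mfa": True, "last_login": date(2023, 11, 20)},
]

REVIEW_DATE = date(2024, 5, 10)   # constructed "as of" date for the review
DORMANT_DAYS = 90                 # assumed policy threshold for unused access
HIGH_RISK = {"domain-admin", "payments-db"}  # assumed list of sensitive systems


@dataclass
class Finding:
    vendor: str
    account: str
    issue: str
    detail: str = ""


def review_account(entry: dict, today: date = REVIEW_DATE) -> list[Finding]:
    """Apply the least-privilege and control checks to one inventory entry."""
    findings = []
    v, a = entry["vendor"], entry["account"]

    # 1. Excess privilege: anything granted that the vendor does not need.
    excess = entry["granted"] - entry["required"]
    if excess:
        findings.append(Finding(v, a, "excess_privilege", ", ".join(sorted(excess))))

    # 2. Orphaned access: a vendor with no remaining need still has an account.
    if not entry["required"]:
        findings.append(Finding(v, a, "no_business_need"))

    # 3. Dormant access: unused beyond the policy threshold.
    idle = (today - entry["last_login"]).days
    if idle > DORMANT_DAYS:
        findings.append(Finding(v, a, "dormant", f"{idle} days since last login"))

    # 4. Authentication controls: sensitive systems reachable without MFA.
    sensitive = entry["granted"] & HIGH_RISK
    if not entry["mfa"] and sensitive:
        findings.append(Finding(v, a, "no_mfa_on_sensitive_system",
                                ", ".join(sorted(sensitive))))
    return findings


def review_inventory(inventory=INVENTORY, today: date = REVIEW_DATE) -> list[Finding]:
    """Run the review over every third-party account."""
    return [f for e in inventory for f in review_account(e, today)]


def access_matrix(inventory=INVENTORY) -> dict[str, set[str]]:
    """Answer the auditor's question 'who has access to what': system -> accounts."""
    matrix: dict[str, set[str]] = {}
    for e in inventory:
        for system in e["granted"]:
            matrix.setdefault(system, set()).add(e["account"])
    return matrix


if __name__ == "__main__":
    for f in review_inventory():
        print(f"{f.vendor:20} {f.account:14} {f.issue:28} {f.detail}")
    print()
    for system, accounts in sorted(access_matrix().items()):
        print(f"{system:14} {', '.join(sorted(accounts))}")
```

Each finding maps to one item on the clean-up list: `excess_privilege` and `no_business_need` are the least-privilege comparison, `dormant` catches access nobody removed after the engagement ended, and `no_mfa_on_sensitive_system` is the authentication check. The access matrix is the documentation the text says auditors want, regenerated from the inventory rather than assembled by hand.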
Managing Third Parties Means Meeting Compliance
Compliance and third parties don’t have to work against each other, and managing third parties doesn’t have to be a manual, daunting process; there are resources and technology available to streamline and automate the process of controlling and monitoring vendor access. Once third-party management is automated, it takes the guesswork out of “who has access to what” and removes the burden of collecting documentation and reports on third-party access for auditors. Think of it as a two-for-one investment: when you manage third parties, you also get a better handle on meeting compliance.