Shared Assessments CTPRP - Certified Third-Party Risk Professional (CTPRP)
Which of the following factors is MOST important when assessing the risk of shadow IT in organizational security?
A. The organization maintains adequate policies and procedures that communicate required controls for security functions
B. The organization requires security training and certification for security personnel
C. The organization defines staffing levels to address impact of any turnover in security roles
D. The organization's resources and investment are sufficient to meet security requirements
The Answer Is: A
Explanation:
Shadow IT is the use and management of any IT technologies, solutions, services, projects, and infrastructure without formal approval and support of internal IT departments. Shadow IT can pose significant security risks to the organization, such as data breaches, compliance violations, malware infections, or network disruptions. Therefore, assessing and mitigating the risk of shadow IT is an essential part of organizational security.
One of the most important factors when assessing the risk of shadow IT is whether the organization maintains adequate policies and procedures that communicate required controls for security functions. Policies and procedures are the documents that define the organization’s security objectives, standards, roles, responsibilities, and processes. They provide guidance and direction for the organization’s security activities, such as risk assessment, vendor management, incident response, data protection, access control, etc. They also establish the expectations and requirements for the organization’s employees, vendors, and other stakeholders regarding the use and management of IT resources.
By maintaining adequate policies and procedures that communicate required controls for security functions, the organization can:
Educate and inform its employees about the security risks and implications of shadow IT, and the benefits and advantages of using authorized and supported IT resources.
Establish and enforce clear and consistent rules and boundaries for the use and management of IT resources, and the consequences and penalties for violating them.
Monitor and audit the compliance and performance of its employees, vendors, and other stakeholders regarding the use and management of IT resources, and identify and address any deviations or issues.
Review and update its policies and procedures regularly, and communicate any changes or updates to its employees, vendors, and other stakeholders.
By doing so, the organization can reduce the likelihood and impact of shadow IT, and increase the visibility and accountability of its IT environment. The organization can also foster a culture of security awareness and responsibility among its employees, vendors, and other stakeholders, and encourage them to report and resolve any shadow IT incidents or problems.
The other factors, such as the organization’s security training and certification, staffing levels, and resources and investment, are also relevant for assessing the risk of shadow IT, but they are not as important as the organization’s policies and procedures. Security training and certification can help the organization’s security personnel to acquire and maintain the necessary skills and knowledge to deal with shadow IT, but they do not address the root causes or motivations of shadow IT. Staffing levels can affect the organization’s ability to detect and respond to shadow IT, but they do not prevent or deter shadow IT from occurring. Resources and investment can enable the organization to provide adequate and appropriate IT resources to its employees, vendors, and other stakeholders, but they do not guarantee the satisfaction or compliance of those parties. References:
Shadow IT Explained: Risks & Opportunities - BMC Software
What is Shadow IT? | IBM
Shadow IT: What Are the Risks and How Can You Mitigate Them? - Ekran System
Policies and Procedures - Shared Assessments
Which of the following statements is TRUE regarding the accountabilities in a three lines of defense model?
A. The second line of defense is management within the business unit
B. The first line of defense is the risk or compliance team that provides an oversight or governance function
C. The third line of defense is an assurance function that has independence from the business unit
D. The third line of defense must be limited to an external assessment firm
The Answer Is: C
Explanation:
The three lines of defense model is a way of explaining the relationship between functions and roles of risk management and control in an organization. It involves the first line of defense (owning and managing risks), the second line of defense (overseeing or specialising in risk), and the third line of defense (providing independent assurance)1. The third line of defense is typically the internal audit function, which provides objective and independent assurance to the governing body, management, regulators, and external auditors that the control culture across the organization is effective in its design and operation2. The third line of defense must have independence from the business unit, meaning that it is not involved in the execution of business activities or the design and implementation of controls, and that it reports to the highest level of governance, such as the board or the audit committee3. The third line of defense is not limited to an external assessment firm, although external assurance providers may complement or supplement the work of the internal audit function2. References:
1: Internal audit: three lines of defence model explained | ICAS
2: Modernizing The Three Lines of Defense Model | Deloitte US
3: The IIA's Three Lines Model
Which statement is TRUE regarding the use of questionnaires in third party risk assessments?
A. The total number of questions included in the questionnaire assigns the risk tier
B. Questionnaires are optional since reliance on contract terms is a sufficient control
C. Assessment questionnaires should be configured based on the risk rating and type of service being evaluated
D. All topic areas included in the questionnaire require validation during the assessment
The Answer Is: C
Explanation:
Questionnaires are one of the most common and effective tools for conducting third party risk assessments. They help organizations gather information about the security and compliance practices of their vendors and service providers, as well as identify any gaps or weaknesses that may pose a risk to the organization. However, not all questionnaires are created equal. Depending on the nature and scope of the third party relationship, different types and levels of questions may be required to adequately assess the risk. Therefore, it is important to configure the assessment questionnaires based on the risk rating and type of service being evaluated12.
The risk rating of a third party is determined by various factors, such as the criticality of the service they provide, the sensitivity of the data they handle, the regulatory requirements they must comply with, and the potential impact of a breach or disruption on the organization. The higher the risk rating, the more detailed and comprehensive the questionnaire should be. For example, a high-risk third party that processes personal or financial data may require a questionnaire that covers multiple domains of security and privacy, such as data protection, encryption, access control, incident response, and audit. A low-risk third party that provides a non-critical service or does not handle sensitive data may require a questionnaire that covers only the basic security controls, such as firewall, antivirus, and password policy12.
The type of service that a third party provides also influences the configuration of the questionnaire. Different services may have different security and compliance standards and best practices that need to be addressed. For example, a third party that provides cloud-based services may require a questionnaire that covers topics such as cloud security architecture, data residency, service level agreements, and disaster recovery. A third party that provides software development services may require a questionnaire that covers topics such as software development life cycle, code review, testing, and vulnerability management12.
By configuring the assessment questionnaires based on the risk rating and type of service being evaluated, organizations can ensure that they ask the right questions to the right third parties, and obtain relevant and meaningful information to support their risk management decisions. Therefore, the statement that assessment questionnaires should be configured based on the risk rating and type of service being evaluated is TRUE12. References:
1: How to Use SIG Questionnaires for Better Third-Party Risk Management
2: Third-party risk assessment questionnaires - KPMG India
The BEST time in the SDLC process for an application service provider to perform Threat Modeling analysis is:
A. Before the application design and development activities begin
B. After the application vulnerability or penetration test is completed
C. After testing and before the deployment of the final code into production
D. Prior to the execution of a contract with each client
The Answer Is: A
Explanation:
Threat modeling is a core element of the Microsoft Security Development Lifecycle (SDL) and a structured approach to identify, quantify, and address the security risks associated with an application12. Threat modeling helps to shape the application’s design, meet the security objectives, and reduce risk1. The best time to perform threat modeling analysis is before the application design and development activities begin, as this allows the application service provider to:
Communicate about the security design of their systems1.
Analyze the design for potential security issues using a proven methodology1.
Suggest and manage mitigations for security issues1.
Incorporate security requirements into the design2.
Avoid costly rework or redesign later in the SDLC2.
Identify the most critical and relevant threats to focus on2. References:
1: Microsoft Security Development Lifecycle Threat Modelling
2: Threat Modeling Process | OWASP Foundation
Which statement is FALSE regarding the foundational requirements of a well-defined third party risk management program?
A. We conduct onsite or virtual assessments for all third parties
B. We have defined senior and executive management accountabilities for oversight of our TPRM program
C. We have established vendor risk ratings and classifications based on a tiered hierarchy
D. We have established Management and Board-level reporting to enable risk-based decision-making
The Answer Is: A
Explanation:
A well-defined third party risk management program does not require conducting onsite or virtual assessments for all third parties, as this would be impractical, costly, and inefficient. Instead, a TPRM program should adopt a risk-based approach to determine the frequency, scope, and depth of assessments based on the inherent and residual risks posed by each third party. This means that some third parties may require more frequent and comprehensive assessments than others, depending on factors such as the nature, scope, and criticality of their services, the sensitivity and volume of data they access or process, the regulatory and contractual obligations they must comply with, and the results of previous assessments and monitoring activities. A risk-based approach to assessments allows an organization to allocate its resources and efforts more effectively and efficiently, while also ensuring that the most significant risks are adequately addressed and mitigated. References:
Shared Assessments, CTPRP Job Guide, page 9: "The frequency, scope, and depth of assessments should be determined by the inherent and residual risks posed by each third party."
OneTrust, What is Third-Party Risk Management?: "A risk-based approach to third-party risk management means that you prioritize your efforts and resources based on the level of risk each vendor poses to your organization."
Deloitte, Third Party Risk Management: Managing Risk: "A risk-based approach to third-party risk management helps organizations prioritize their efforts and resources based on the level of risk each third party poses to the organization."
You receive a call from a vendor that two laptops and a tablet are missing that were used to process your company data. The asset loss occurred two years ago, but was only recently discovered. That statement may indicate that this vendor is lacking an adequate:
A. Asset Management Program
B. Physical and Environmental Security Program
C. Data Loss Prevention Program
D. Information Security Incident Notification Policy
The Answer Is: A
Explanation:
The scenario described indicates a lack in the vendor's Asset Management Program. An effective Asset Management Program includes maintaining an accurate inventory of hardware and devices, monitoring their status, and promptly identifying and responding to any losses or discrepancies. The failure to discover the loss of laptops and a tablet that processed company data for two years suggests deficiencies in tracking and managing physical assets. This lapse can lead to risks associated with data security, regulatory compliance, and operational integrity. A robust Asset Management Program should ensure that all assets are accounted for, their usage is monitored, and any anomalies or losses are quickly identified and addressed.
References:
IT asset management standards, such as ISO/IEC 27001 (Information Security Management), emphasize the importance of maintaining an inventory of assets and implementing appropriate controls to safeguard organizational assets.
The "IT Asset Management Handbook" by the International Association of IT Asset Managers (IAITAM) provides guidelines on establishing a comprehensive Asset Management Program, including best practices for asset tracking, monitoring, and loss prevention.
Which type of external event does NOT trigger an organization to prompt a third party contract provisions review?
A. Change in company point of contact
B. Business continuity event
C. Data breach/privacy incident
D. Change in regulations
The Answer Is: A
Explanation:
A change in company point of contact does not necessarily trigger an organization to prompt a third party contract provisions review, unless the contract specifically requires such a notification or approval. A change in company point of contact may affect the communication and relationship between the parties, but it does not affect the legal terms and obligations of the contract. However, other types of external events, such as business continuity events, data breaches/privacy incidents, and changes in regulations, may have a significant impact on the performance, compliance, and risk of the contract, and therefore may require a review of the contract provisions to ensure that they are still valid, enforceable, and aligned with the parties’ expectations and objectives. For example, a business continuity event may disrupt the delivery of goods or services, a data breach/privacy incident may expose confidential or personal information, and a change in regulations may impose new obligations or liabilities on the parties. These events may trigger clauses such as force majeure, termination, indemnification, or dispute resolution, and may require the parties to renegotiate or amend the contract accordingly. References:
Third-Party Contract Reviews: Determining Your Best Options
Third party contracts: best practices for third party paper
What to Look For When Reviewing Third-Party Contracts
CTPRP Job Guide
When updating TPRM vendor classification requirements with a focus on availability, which risk rating factors provide the greatest impact to the analysis?
A. Type of data by classification; volume of records included in data processing
B. Financial viability of the vendor; ability to meet performance metrics
C. Network connectivity; remote access to applications
D. Impact on operations and end users; impact on revenue; impact on regulatory compliance
The Answer Is: D
Explanation:
TPRM vendor classification is the process of categorizing vendors based on their criticality, risk level, and service type. Vendor classification helps to prioritize and allocate resources for vendor assessment, monitoring, and remediation. Vendor classification should be updated periodically to reflect changes in the business environment, vendor performance, and regulatory requirements.
When updating TPRM vendor classification requirements with a focus on availability, the risk rating factors that provide the greatest impact to the analysis are the impact on operations and end users, the impact on revenue, and the impact on regulatory compliance. This is because:
Availability is the degree to which a system or service is accessible and functional when required by authorized users. Availability is a key component of information security and business continuity, as it ensures that the business can operate normally and deliver value to its customers and stakeholders.
Impact on operations and end users measures the extent to which a vendor’s service disruption or failure affects the business processes, functions, and activities that depend on the vendor’s service. A high impact on operations and end users means that the vendor’s service is essential for the business to perform its core functions and meet its objectives, and that any downtime or degradation of the service would cause significant operational delays, inefficiencies, or losses.
Impact on revenue measures the extent to which a vendor’s service disruption or failure affects the business’s income, profitability, and market share. A high impact on revenue means that the vendor’s service is directly or indirectly linked to the business’s revenue generation, and that any downtime or degradation of the service would cause substantial financial losses, reduced customer satisfaction, or competitive disadvantage.
Impact on regulatory compliance measures the extent to which a vendor’s service disruption or failure affects the business’s adherence to the laws, regulations, standards, and contractual obligations that govern its industry, sector, or jurisdiction. A high impact on regulatory compliance means that the vendor’s service is subject to strict regulatory requirements, and that any downtime or degradation of the service would cause serious legal penalties, fines, sanctions, or reputational damage.
Therefore, these three factors are the most important to consider when updating TPRM vendor classification requirements with a focus on availability, as they reflect the potential consequences and risks of vendor unavailability for the business.
References:
CTPRP Job Guide
Criticality and Risk Rating Vendors 101
The Third-Party Vendor Risk Management Lifecycle
What Is Third-Party Risk Management (TPRM)? 2024 Guide
Third-Party Risk Management and ISO Requirements for 2022
Which of the following data types would be classified as low risk data?
A. Sanitized customer data used for aggregated profiling
B. Non personally identifiable, but sensitive to an organization's significant process
C. Government-issued number, credit card number or bank account information
D. Personally identifiable data but stored in a test environment cloud container
The Answer Is: A
Explanation:
Data classification is the process of categorizing data according to its type, sensitivity, and value to the organization if altered, stolen, or destroyed1. Data classification helps an organization understand the risk level of its data and implement appropriate controls to protect it. Data can be classified into three risk levels: low, moderate, and high23. Low risk data are data that are intended for public disclosure or have no adverse impact on the organization’s mission, safety, finances, or reputation if compromised23. Sanitized customer data used for aggregated profiling are an example of low risk data, as they do not contain any personally identifiable or sensitive information that could be exploited for criminal or other wrongful purposes. Sanitized data are data that have been modified to remove or obscure any confidential or identifying information, such as names, addresses, phone numbers, etc. Aggregated data are data that have been combined or summarized from multiple sources to provide statistical or analytical insights, such as trends, patterns, averages, etc. Sanitized and aggregated data are often used for research, marketing, or business intelligence purposes, and do not pose a significant threat to the organization or the customers if exposed. References:
1: What is Data Classification? | Best Practices & Data Types | Imperva
2: Data Classification Guideline (1604 GD.01) - Yale University
3: Risk Classifications | University IT
Data Classification Policy - Shared Assessments
What is Data Sanitization? | Definition and Examples | Imperva
What is Data Aggregation? | Definition and Examples | Imperva
Which statement BEST reflects the factors that help you determine the frequency of cyclical assessments?
A. Vendor assessments should be conducted during onboarding and then be replaced by continuous monitoring
B. Vendor assessment frequency should be based on the level of risk and criticality of the vendor to your operations as determined by their vendor risk score
C. Vendor assessments should be scheduled based on the type of services/products provided
D. Vendor assessment frequency may need to be changed if the vendor has disclosed a data breach
The Answer Is: B
Explanation:
The frequency of cyclical assessments is one of the key factors that determines the effectiveness and efficiency of a TPRM program. Cyclical assessments are periodic reviews of the vendor’s performance, compliance, and risk posture that are conducted after the initial onboarding assessment. The frequency of cyclical assessments should be aligned with the organization’s risk appetite and tolerance, and should reflect the level of risk and criticality of the vendor to the organization’s operations. A common approach to determine the frequency of cyclical assessments is to use a vendor risk score, which is a numerical value that represents the vendor’s inherent and residual risk based on various criteria, such as the type, scope, and complexity of the services or products provided, the vendor’s security and privacy controls, the vendor’s compliance with relevant regulations and standards, the vendor’s past performance and incident history, and the vendor’s business continuity and disaster recovery capabilities. The vendor risk score can be used to categorize the vendors into different risk tiers, such as high, medium, and low, and assign appropriate frequencies for cyclical assessments, such as annually, biannually, or quarterly. For example, a high-risk vendor may require an annual assessment, while a low-risk vendor may require a biannual or quarterly assessment. The vendor risk score and the frequency of cyclical assessments should be reviewed and updated regularly to account for any changes in the vendor’s risk profile or the organization’s risk appetite.
The other three statements do not best reflect the factors that help you determine the frequency of cyclical assessments, as they are either too rigid, too vague, or too reactive. Statement A implies that vendor assessments are only necessary during onboarding and can be replaced by continuous monitoring afterwards. However, continuous monitoring alone is not sufficient to ensure the vendor’s compliance and risk management, as it may not capture all the aspects of the vendor’s performance and risk posture, such as contractual obligations, service level agreements, audit results, and remediation actions. Therefore, vendor assessments should be conducted during onboarding and at regular intervals thereafter, complemented by continuous monitoring. Statement C suggests that vendor assessments should be scheduled based on the type of services or products provided, without considering the other factors that may affect the vendor’s risk level and criticality, such as the vendor’s security and privacy controls, the vendor’s compliance with relevant regulations and standards, the vendor’s past performance and incident history, and the vendor’s business continuity and disaster recovery capabilities. Therefore, statement C is too vague and does not provide a clear and consistent basis for determining the frequency of cyclical assessments. Statement D indicates that vendor assessment frequency may need to be changed if the vendor has disclosed a data breach, implying that the frequency of cyclical assessments is only adjusted in response to a negative event. However, this approach is too reactive and may not prevent or mitigate the impact of the data breach, as the vendor’s risk level and criticality may have already increased before the data breach occurred. Therefore, statement D does not reflect a proactive and risk-based approach to determining the frequency of cyclical assessments. References:
Third-Party Risk Management 101: Guiding Principles
Mastering the TPRM Lifecycle
Third Party Risk Management Maturity Assessment