Third Party Risk Management CTPRP Reddit Questions

Risk registers are tools that help organizations document, monitor, and manage their third party risks. They typically include information such as the risk description, category, source, impact, likelihood, rating, owner, status, and action plan. Risk registers enable organizations to prioritize their risks, assign responsibilities, track progress, and report on their risk posture. According to the CTPRP Study Guide, "A risk register is a tool for capturing and managing risks throughout the third-party lifecycle. It provides a comprehensive view of the organization’s third-party risk profile and facilitates risk reporting and communication."1 Similarly, the GARP Best Practices Guidance for Third-Party Risk states, "A risk register is a tool that records and tracks the risks associated with third parties. It helps to identify, assess, and prioritize risks, as well as to assign ownership, mitigation actions, and target dates."2

References:

• CTPRP Study Guide
• GARP Best Practices Guidance for Third-Party Risk

In patch management, testing is the most crucial factor when conducting post-cybersecurity incident analysis related to systems and applications. Proper testing of patches before deployment ensures that they effectively address vulnerabilities without introducing new issues or incompatibilities that could impact system functionality or security. Testing allows organizations to verify that the patch resolves the identified security issue without adversely affecting the system or application's performance. It also helps in identifying potential conflicts with existing configurations or dependencies. Effective testing strategies include regression testing, performance testing, and security testing to ensure comprehensive validation of the patch's effectiveness and safety before widespread deployment. This approach aligns with best practices in patch management, emphasizing the importance of thorough testing to mitigate the risk of unintended consequences and ensure the continued security and stability of systems and applications.

References:

• Industry standards such as ISO/IEC 27001 (Information Security Management) highlight the importance of a systematic approach to managing patches, including the role of testing in assessing the effectiveness and impact of patches.
• Resources like "Patch Management Best Practices" from the Center for Internet Security (CIS) provide guidance on developing and implementing a patch management program that includes rigorous testing procedures to ensure patches are safely and effectively applied.

One of the key elements of a robust information security policy is the definition and implementation of requirements for third party governance and oversight. This means that the vendor should have clear and consistent processes and procedures for managing and monitoring the information security risks and controls of their subcontractors, suppliers, or service providers. Third party governance and oversight should include the following aspects12:

• Establishing criteria and standards for selecting and evaluating third parties based on their information security capabilities and performance
• Conducting regular and comprehensive assessments and audits of third parties’ information security policies, practices, and incidents
• Ensuring contractual agreements and service level agreements (SLAs) with third parties include information security clauses and obligations
• Maintaining visibility and communication with third parties regarding their information security status and issues
• Implementing corrective actions and remediation plans for any identified information security gaps or weaknesses
• Terminating or suspending the relationship with third parties that fail to meet the information security expectations or requirements If a vendor’s response does not specify any requirements for third party governance and oversight, it should trigger further investigation of their information security policies. This indicates that the vendor may not have a comprehensive and effective approach to managing the information security risks and impacts of their extended network of partners. This could expose the vendor and their clients to potential data breaches, cyberattacks, compliance violations, or reputational damages. Therefore, the vendor should be asked to provide more details and evidence of how they ensure the information security of their third parties, and how they address any information security incidents or issues involving their third parties. References:
• 1: Third-Party Information Security Risk Management Policy - SecurityStudio
• 2: Ensuring Data Protection for Third Parties: Best Practices | UpGuard Blog

Remote access is any connection made to an organization’s internal network and systems from an external source by a device or host. Remote access can enable greater worker flexibility and productivity, but it also poses significant security risks, such as unauthorized access, data leakage, malware infection, or network compromise. Therefore, it is important to evaluate a third party’s use of remote access within their information security policy, which should define the roles, responsibilities, standards, and procedures for remote access.

One of the key components of evaluating a third party’s use of remote access within their information security policy is identifying the use of multifactor authentication. Multifactor authentication is a method of verifying the identity of a remote user by requiring two or more factors, such as something the user knows (e.g., password, PIN), something the user has (e.g., token, smart card), or something the user is (e.g., fingerprint, face). Multifactor authentication enhances the security of remote access by making it harder for attackers to impersonate or compromise legitimate users. According to the NIST Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security1, multifactor authentication should be used for all remote access, especially for high-risk situations, such as accessing sensitive data or privileged accounts.

The other options are not components of evaluating a third party’s use of remote access within their information security policy. Maintaining blocked IP address ranges, reviewing the testing and deployment procedures to networking components, and providing guidelines to configuring ports on a router are all examples of network security controls, but they are not specific to remote access. They may be part of the overall information security policy, but they are not sufficient to assess the security of remote access. References:

• NIST Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
• How to Implement an Effective Remote Access Policy
• Why Managing Third-Party Access Requires A Better Approach