Information technology risk, like all commercial risk, is business as usual: an everyday exposure that can severely disrupt operations if it is not managed. And it is only getting more perilous with the rise of cloud-based providers.
A December 2011 Gartner report estimates that the financial impact of cybercrime will increase 10 percent per year through 2016. Considering the average cost incurred by large companies from a cyberattack is $649,000, the financial impact is already too high without the potential for it getting worse.
We understand that many companies go to great lengths to protect their IT, but all that due diligence can be rendered irrelevant if a vendor is at fault for a data breach. Third-party risk assessments can help you determine how well a vendor will guard, and continue to guard, the vital data your company entrusts to it, and how able it is to comply with the many applicable regulations. However, such assessments won’t be helpful if they lack important elements and questions. Here are seven areas of IT risk that you should ensure your third-party risk assessments are covering:
1. ISO/IEC 27001 standards
Compiled by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), the 27001 guidelines are industry-accepted standards addressing and governing information security. Most third-party risk assessments already cover 27001, but the standard is getting an overhaul that goes into effect in 2014. Your assessments should therefore reflect this pending update.
2. Server locations
If a vendor is handling and storing your proprietary IT, you should know how and where it is doing so. By employing the vendor, your company is already moving data off-site, and not knowing what the third party is doing with it is risky. A third-party risk assessment should tell you where a vendor’s servers are, how well they are maintained, and how secure they are.
3. Cloud computing
With more and more data residing in the cloud, the concern about servers seems to have become less important. But cloud computing presents its own IT risk challenges. Strong authentication and encryption approaches are important, and your third-party risk assessments should be establishing how secure your data is when it is stored in the cloud.
4. Disaster recovery plans
Even the most competent vendors are not immune from the occasional calamity: server meltdowns, bankruptcy, labor strife, power outages, earthquakes, and so on. Their anticipated responses to a catastrophe are what should concern you. Third-party risk assessments must include questions about disaster recovery plans, because you don’t want to be left scrambling when a key supplier can’t fulfill a delivery because of a cyclone.
5. Governance policies
Your company likely has policies governing the security and handling of its data and IT. You shouldn’t settle for less from your vendors. A third-party risk assessment should reveal not only how strong a vendor’s governance policies are for its own data, but also how strong they will be for yours.
6. Outsourced IT
If you are reading this post, you likely take vendor risk management seriously. Third-party risk assessments can reveal whether your vendors take risk management with their own third parties as seriously. Furthermore, you may not want your data outsourced a second time or sent overseas, so an assessment will keep you informed about what happens to your IT after it is entrusted to a vendor.
7. Obsolescence and updates
Are your vendors’ systems keeping up with the times? A third party might do a great job with the data in its care, but that is moot if the software it uses is already several years old. Furthermore, upgrades take time and increase the risk of data breach or loss during the changeover. Risk assessments can tell you how obsolete or up to date a third party’s IT is.
What area of IT concerns you most when dealing with a third party?