Best Practices for Managed 3rd Party InfoSec Assessment
By Renee Robinson, ComplyScore
I’m the Client Success Manager for the “Managed 3rd party InfoSec assessments” offering at ComplyScore, a product of Atlas Systems. That role lets me be very involved with our clients and their day-to-day process of completing 3rd party risk assessments.
I will share some best practices that I have gleaned from several hundred assessments. This will be a 2 part series. Please send ample comments to help me improve as well.
What are Managed 3rd party Assessments? – This is a service in which you contract with a vendor to perform InfoSec assessments of your other vendors on your behalf.
Let’s scope out the best practices over 3 areas: pre-execution / planning, execution, and post-execution. If people desire, we can even add vendor selection.
Pre Execution or Planning
When you are outsourcing the assessments to a third party, planning is critical. Here are some of the best practices in this phase:
- The process & the SLAs – Third party assessment is an involved process and it is very important to have the process laid out clearly.
  - Establish responsibilities for each process. A RACI chart comes in handy.
  - Define SLAs for each process.
  - Additionally, there are a multitude of exceptions in this process, and defining exception handling and management is just as critical.
  - Scope of supporting document reviews is critical. One assessment can have multiple SOC 2 documents, and the depth of the assessment of each supporting document should be clearly defined.
- The assessment questionnaire – The questionnaire is the cornerstone of the assessment. Each company has its own questionnaire, uses a standardized questionnaire (SIG & others), or uses a hybrid. Some of the best practices if you have your own questionnaire are:
  - Frame the questions to be controls focused and then supported by evidence documents.
  - Leaving questions open-ended leads to subjectivity, higher time and costs, and reduced consistency. Again, make it specific. Example – instead of “describe your backup plan”, a question like “how often do you back up your application data?” is more targeted.
  - Map your questionnaire to standards (NIST 800) or certifications (HITRUST, ISO 27001), etc., and use supporting documentation to speed up the assessment process.
- The language – Language related to observations and mitigations can vary a lot from analyst to analyst. Little nuances of language can change the meaning significantly.
  - Support all assessment questions with policy statements.
  - Define standard phrases to be used in observations and mitigations.
- The communication – 3rd party assessment requires a fair amount of communication between the assessors, vendors and clients.
  - Ensure that all communication is documented and available on demand along with the assessment.
  - If there are tele-conferences, then ensure that minutes of the meeting are sent and attached. A voice recording would be ideal but can add to the costs.
These are some of the best practices when farming out 3rd party assessments to yet another party. I would love to hear your experiences and comments.