3 phases of the third-party risk management lifecycle

Phase 1: Before the contract

Before contracting with a third party, assess the cybersecurity risk for the outside vendor and the products or services it is providing. This requires knowing how the third party will support the organization.

Third parties can be categorized by the access they need, their relationship with the organization, the industry, compliance regulations and other metrics specific to the contracting organization. Note that the implications of risk could be different depending on how the product is used -- for example, whether it's in a typical office setting, healthcare facility or gas pipeline.

Third-party risk analysis should include a questionnaire asking specific questions about the company, its processes and policies, and more. Take into account other risk factors, such as data classifications and the geolocations of product and service components.

After assessing the risk and selecting a third party, use contractual language to document requirements. These should include the following:

• Cybersecurity controls the third party must follow when creating and maintaining the product or service.
• Cybersecurity features that the product or service must provide.
• Cybersecurity obligations, including which party -- the organization, the third party or another party acting on behalf of the third party -- is responsible when safeguarding services against potential threats.
• Requirements for notifying the organization of suspected or confirmed cybersecurity incidents that could potentially affect the organization's data or systems.
• Provisions for the organization to confirm the third party's compliance with the requirements.

Service-level agreements (SLAs) also document third-party service standards and set expectations between provider and customer. SLAs should include the products and services delivered, points of contact, and metrics to monitor and evaluate the services provided.

Phase 2: During the contract

Once the contract is in place, it's time for onboarding of third-party personnel and systems. Verify the identities of personnel, and issue them credentials to access appropriate systems and facilities, based on the principle of least privilege. Safeguard data that is transferred to and stored on third-party systems.

Monitor the third party's behavior, and perform periodic risk assessments or audits. This is an important due diligence aspect of the third-party risk management lifecycle. Be sure to do the following:

• Verify compliance with the contract's requirements.
• Identify changes in risk that could necessitate changes to cybersecurity controls or requirements.
• Confirm that any discovered issues are addressed promptly and effectively.

The level of due diligence depends on the risk profiles of the third parties involved. Higher-risk third parties might require regular assessments, while lower-risk third parties might only need a single or periodic assessments during the contract.

Closely track any third-party personnel changes, especially among people who are changing roles or leaving their organization. Promptly revoke their access to organizational data and systems.

Phase 3: Contract termination

As third-party relationships end, deploy a formal offboarding process. Ensure all access to the organization's data and systems is revoked. Verify the third party returns all the organization's assets and securely destroys organizational data it should no longer have.