Third Party Risk Management

Organizations need to know their information is safe with their third parties, and they need to prove to key stakeholders, such as clients, that they themselves are secure. Our team designs and executes TPRM and vendor risk management programs to help organizations understand and mitigate third-party risk. Clients who work with us have the confidence that their vendors and other third parties are handling information security to the client's own standards.

Third Party Risk Management is not simple. More and more companies are coming to realize their risk from suppliers and other third parties. But many are daunted by the costs and complexities involved. TCG brings a wealth of experience with TPRM to the table.

Our Managed Services and Program Development Services Include:

  • Co-managed Services – TCG will work with your existing internal processes to co-manage your TPRM with you
  • Fully-managed TPRM program – TCG will develop and deploy the program, with reporting and management “hooks” built in to connect to your existing processes
  • Development, documentation, and deployment of a fully integrated TPRM program

TCG’s TPRM service includes the following activities:

  • Initial Risk Assessment: The overall risk rating of each third party is determined by reviewing the engagement scope with the internal relationship manager to gain a clear understanding of the third party's service offering and the important risk factors associated with it. This initial exercise helps determine a depth of assessment commensurate with the risks involved. Risk rating criteria include, but are not limited to: data classification, number of users, data hosting model, number of records, privacy considerations, regulatory requirements, access to the internal network, etc.
  • Questionnaire: A dynamic risk assessment questionnaire is designed and assigned to each vendor, focusing on key domains to understand the vendor's security posture. Questionnaire domains include, but are not limited to: policy governance, user administration, data center hosting, audit logging/monitoring, change management, incident response, business continuity, third-party management, etc.
  • Contract Review: The proposed contract (or the existing contract, for pre-established third parties) is reviewed to ensure the necessary legal coverage has been captured. Contract review criteria include, but are not limited to: right to audit, termination, privacy, data breach notification, information security, indemnification, records retention, etc.
  • Evidence Gathering: Third-party documentation is reviewed to verify that key business processes have been established and that supporting controls are well designed and operating effectively. Evidence requests include, but are not limited to: SSAE 18 (SOC) Type II reports, governance policies, standard operating procedures, vulnerability scans, penetration tests, network/dataflow diagrams, subservice audit reports, etc.
  • Defense-In-Depth Interview: Review of the completed third-party questionnaire and supporting evidence will yield follow-up questions that are best handled in a 'defense-in-depth' interview with the third party's technology SMEs. This approach peels back the third party's layers of security, one at a time, to establish how it will truly protect a customer's confidential information. The interview is used to address unexplained gaps in the questionnaire and concerns about potential findings.
  • Reporting & Communication: The reporting process formally documents 1) the scope of the service offering and the third party's background, 2) an executive summary of the overall opinion and risk rating, and 3) a summary of findings, remediation recommendations, and a remediation timeline. The final internal report is communicated to key stakeholders, so that the business and IT risk management teams have the information they need to determine next steps.