When you think of an audit, what comes to mind? If you’re at all familiar with the traditional auditing process, I’d imagine your answer would look something like this:
An audit is a thorough analysis and comprehensive review of a third-party program. It goes through the nuts and bolts of it all, parsing governance issues, policies and procedures, documentation, assessment results, certifications, other third-party assessments, and more. It can also include on-site inspections to observe what people are doing and to see the day-to-day interactions inside an organization.
Am I close? Essentially, traditional audits are extremely thorough “vendor check-ins” to find out how things are going and what has changed since your last vendor check-in.
Now, what if I asked you this important question:
“What are you missing after a traditional audit?”
Many organizations that worry about the overall security of their data ask this question, and it is certainly worth discussing. At the end of the day, audits are still very important. But the fact remains that most organizations will pass an audit. The real issue arises once the auditors are no longer on-site. You have to think of an audit like a one-day exam: it tests the “knowledge” and “competency” of the third party on that one specific day. But wouldn’t you agree that a better test of intelligence comes on day three? Or day 257? As long as that third party has a great deal of access to your sensitive information, you’re going to want to know what goes on during the times you aren’t around, which is probably most of the time.
So one of the most important things you can do is take a multi-pronged approach and look at every aspect of a vendor’s risk. Performing a third-party risk audit is essential to understanding the true cyber security posture of your vendor. This is typically done via a continuous monitoring solution that provides up-to-date information on the health of your vendor on any given day, instead of only once a year.
Now that you better understand why risk assessment is such an important step in the process, you need to know when you should perform an audit. The answer will probably vary, but it is most likely based on the first party’s time and budgetary considerations. If you told me that your last organization performed third-party audits annually, would that be because none of your organization’s vendors posed any kind of risk? Probably not. There simply aren’t enough hours in the day or dollars in the budget to do more audits.
But as more attention is drawn to vendor risk management and cyber security issues, particularly due to recent highly publicized data breaches at Target, J.P. Morgan Chase, and Home Depot, more regulators and organizations are interested in specialized third-party risk audits. Following these highly publicized breaches, more companies want to know what they should be doing in addition to standard audits to keep their data safe. The following steps will help you determine how often you should perform regular audits so you can keep your data safe and secure:
Once you’ve taken these steps, and before you set up an auditing schedule, you’ll want to:
So, as we’ve explained, you can’t rely on traditional auditing methods alone. These methods, while very important in the security assessment process, won’t tell you what goes on during the days when you aren’t performing an audit. But if you supplement this program with real-time continuous cyber security monitoring, you’ll be far better prepared for any potential problems.
© 2021 BitSight Technologies. All Rights Reserved. | Privacy Policy | Security | For Suppliers