"What is the value to Third Parties of all sizes proactively sharing their assessments upstream?"
2. Qualifying Orgs which have widely accepted standards (HITRUST, ISO or similar third-party audits)? In an effort to permit your customers to accept this, will there be an override approval option so we can still track the unique exceptions in the CyberGRX system?
3. Is there an ability to clearly see the scope of the Vendor Assessment, giving the Vendor and Customer clarity on whether these answers are Enterprise Focus or Service Specific? Can this be on the front page so we're all aware of the scope?
This article was a reminder to me that just because a product is marketed as “outstanding” or “exceptional”, or is widely used, that doesn't mean I can let my guard down and trust that even the most basic security best practices are being followed. Due diligence can take many forms, but it must be done (whether we love it or not).
Quite frequently, security professionals ask us, "How do I report our third party risk posture & progress to our BoD?"
We receive this question from both "assessors" and "assessees". "Assessees" want to make sure they are not slowing down new deals or putting current relationships at risk. "Assessors" want to show risk reduction from their ecosystem of third parties.
Since we know the BoD doesn't want a lot of detail, what does the group find to be the one most important metric to add to the deck?
Vendor-related risks keep making the news: https://www.power-eng.com/articles/2018/08/pg-e-fined-2-7m-by-feds-for-third-party-s-data-breach.html
In this case a contractor to the utility, Pacific Gas & Electric, mishandled confidential data and exposed it to the internet for a period of time. PG&E only found out about the breach through an external security researcher, not through their own assessment and monitoring.