Know the inherent risks of doing business with each third party. Understand the assets at risk and potential negative outcomes of a security failure.
Knowledge of third-party inherent risks enables you to understand what is at stake with each entity and informs what risks should be managed and to what degree.
Assign each third party an inherent risk rating using a consistent framework with enough inherent risk tiers to meaningfully segment the portfolio. Differentiate inherent risk tiers based on attributes such as the assets and services exposed, connectivity, and so forth.
| Practice | Prevalence | Adoption |
|---|---|---|
| Implement a framework for assessing third-party inherent risk. | Common | 87% |
| In the procurement process, implement simple criteria for purchasing agents to use to identify vendors that require professional risk assessment. | Common | 77% |
| Assign each third party an inherent risk rating. | Common | 77% |
| Document inherent risk attributes such as services, data types, transaction types, and connectivity. | Common | 77% |
| Periodically review third-party relationships for material changes to inherent risk. | Emerging | 53% |