17. The safety of the Third Parties and the safety of the company.
Companies entrust the protection of information about their customers, reputation, finances and their business continuity to partners and suppliers, or to Third Parties.

The safety of the Third-Parties affects all companies without exception because the majority is both Customer and therefore has relations with Third-Parties (partners and suppliers), but it is also Part Three towards its client companies.

The Third Party Risk has become very relevant and entered into security programs of larger companies, to which, however, also smaller ones are being added.

It is now important for a Third Party Company to be able to prove that they own a Security Program adequate to be considered suitable by its customers or preferable over other competing companies.

A third party violation is likely to become a Company violation as well.

It is therefore necessary to know about the Third Party:

  ? It is reliable?

  ? If so why?

  ? If not why?

  ? What needs to be done about it?

And based on the answers, take action.

The management of the safety of Third Parties is divided into three areas:




It includes the activities necessary for the management of the security of relations with its Third Parties


 ? Policies that establish how the company manages the risk of third parties.

 ? Standards and operational procedures that define how to implement the Policies

Internal training
(of Stakeholders) on the awareness and risk management of Third-Parties.

Acquisition and updating
 ? integration with the procurement and contracting processes of the Third-Parties

 ? periodic review of the register of active Third Parties


 ? the risks of the Third Parties are entered in a formal risk register.


The Third Parties are contractually committed to:

 ? comply with the agreed safety requirements

 ? grant the right of verification (audit)

 ? The stipulation of the contracts is subject to compliance with the safety requirements

 ? waivers require explicit approval


The Company's relationship with a Third Party has one intrinsic criticality (inherent risk) which depends on factors such as the information processed, the importance of the supply, substitutability, etc.

The residual risk is the risk that remains after applying the appropriate mitigation measures to inherent risk.

Assessment of the inherent risk

 ? Definition of one classification scheme (rating) of the criticality (inherent risk) of the relationship with the Third Party.

 ? Assignment of the inherent risk rating to each Third Party

It is common practice in many companies to classify Third Party Relationships in criticality classes (risk rating), the number of classes varies from 3 to 5.

Management of corporate risk management resources

 ? Setting the frequency And perimeter the evaluation of the residual risk of the Third-Parties based on the inherent risk assessment (risk rating)

The more critical relationships (higher risk ratings) require assessment (verifications) more in-depth and more frequent.

Participation of Third Parties

 ? Conducting Third-Party assessments with defined and agreed frameworks and standards.

 ? Joint analysis of the points opened in the previous assessments.

Risk treatment

 ? Sharing the assessment results with the Third Party and internal stackholders.

 ? Retention of responsibility of the Third Party on risk treatment interventions

 ? Management of Risk Register (Risk Register) for the risks of Third Parties

Threat intelligence

 ? Systematic monitoring of the security incidents (data-breach and security compromises) relating to the Third-Party.

 ? Definition of response procedures for data-breach management of the Third Parties.

Sharing critical vulnerabilities

 ? Systematic communication to the Third Party of the security notifications related to critical vulnerabilities.

 ? Systematic detection of the Third-Party Software exposed to the Internet.

the Fractional CISO from CISOaaS-it:

 ? for Third Party Companies designs and coordinates a specific Safety Program for this objective.

 ? for Client Companies it integrates with the internal security team and to take care of organizing and carrying out the activities of the RISK ASSESSMENT area on the Third-Parties.