The final step in the third-party vendor risk management process handles how we decide to treat the risks associated with third parties. The most objective method for risk treatment in third-party information security risk management is a binary pass/fail (acceptable/not acceptable) decision: either the S2SCORE meets (or exceeds) the acceptable level or it doesn’t. This is key to standardization and defensibility.
If the resulting S2SCORE is acceptable, the review of the third-party information security risk is complete for this cycle. Information security risks for this third party should be reviewed again in the future, according to a schedule defined by your organization.
If the resulting S2SCORE is not acceptable, the third party will need to improve one or more of their information security controls to bring their S2SCORE above the acceptable threshold. As in information security generally, there are several things the third party could do to improve their score; the specific remediation is negotiated between you and your third-party provider.
As the third party undertakes remediation, new S2SCOREs are calculated, and remediation continues until an acceptable S2SCORE is obtained. Once an acceptable S2SCORE is achieved, the review of third-party information security risk is complete until the next cycle.
Although the review of third-party information security risk is complete, the cycle must repeat because several factors are likely to change over time: your organization may change the way it uses a specific third party, threats change, and vulnerabilities change. The review cycle you adopt is entirely up to you and the resources you have available. The SecurityStudio default is annual.
Annual reviews should start again at the beginning of the process, Phase 1 of VRM – Inventory, by validating the accuracy of your third-party inventory.