1. Use People as Your Starting Point
In general, a third-party risk management audit will assess the effectiveness of your access management program. It will also compile a checklist of regulatory requirements that the business and its third-party vendors must comply with. The end result is likely a lengthy report with page after page of tactical recommendations and no unifying narrative.
Before setting your auditors loose, you should establish a few “big questions” that can provide programmatic guidance.
One way to start is by using a people-focused lens rather than only a compliance-focused lens. Who are the people involved, and what are they doing with the data they can access? This may seem counterintuitive, but rules and regulations exist precisely because companies were not protecting people's data.
So ask yourself: