3 Steps for Achieving Third-Party Audit Success

Companies rely more and more on third-parties to extend their workforce, but granting access to external parties can increase the risk of cyber attacks. Here are three steps to boost security and ace your next audit.

In today’s interconnected business world, organizations exchange data with vendors and external partners. They rely on third-party relationships to extend their workforce and perform specialized services, like payroll or data processing. This extended workforce often requires access to organizational resources such as shared tools, applications or data sets to provide critical services. 

This access opens companies up to increased risk of cyber threats because their defenses are only as strong as their weakest link: If your suppliers’ defenses are more porous than your organization’s are, this introduces greater risk to your organization. In fact, according to recent research by The Ponemon Institute and Mastercard’s RiskRecon, 59% of respondents indicated that their organizations have experienced a data breach caused by one of their third parties.

So when it comes to assessing third-party access risks, how do you set yourself up for audit success? An audit is always a look at what happened in the past, but it can provide insights so that history does not repeat itself. While you may have to perform annual audits for any number of industry or regulatory compliance reasons, your third-party audit can also be an opportunity to get actionable information to help you mitigate the additional risk introduced by the extended workforce.

1. Use People as Your Starting Point

In general, a third-party risk management audit will look into the effectiveness of your access management program. It will also make a checklist of regulatory guidelines that the business and its third-party vendors must comply with. The end result is likely a lengthy report with page after page of tactical recommendations without any sort of unifying narrative. 

Before setting your auditors loose, you should establish a few “big questions” that can provide programmatic guidance. 

One way to start is by using a people-focused lens, rather than just a compliance-focused lens. Who are the people and what are they doing? This may seem counterintuitive, but rules and regulations exist because companies were not protecting people’s data. 

So ask yourself:

Who are all of these people? What external entity do they belong to? Who is their sponsor internally? Your audit can give you a baseline of:

1. The accuracy of your list of third-party relationships. Do external parties have the right level of access (think: least privilege) and is that access being de-provisioned when it is no longer needed?
2. Is there an identified sponsor of this relationship? The external workforce does not usually enter your business through your centralized HR function and this makes it challenging to find an owner that can know and certify appropriate access.

What are all these people doing with their access?

1. What data and systems are they currently accessing
2. What data and systems are they able to access
3. And is this access appropriate. The goal here is to identify any past risky behaviors, fix any vulnerabilities, and create policies to reduce access to the bare minimum, which continually reduces the risk surface.

What are the behaviors we need them to take to meet our compliance goals? 

1. What standards and regulations do we need to comply with? 
2. What forward-looking policy or process do we need to implement to improve compliance and reduce risks?
3. Who will be the responsible parties for the ongoing management and enforcement?

2. Prioritize Risks Appropriately

A third-party risk management (TPRM) audit will look into the effectiveness of your current program. It will also make a checklist of regulatory guidelines that the business and its third-party vendors must comply with. So how can you make it actionable– addressing the right risks and becoming more compliant and secure?

• What low-hanging fruit can you address first? For example, the audit may reveal that there are hundreds of orphaned identities, where access was not revoked. Orphaned accounts are prime targets for hackers since they are rarely monitored or reviewed for accuracy. 
• Longer term, you can work towards policy creation which stipulates how access is granted, monitored, and de-provisioned. Or, your audit may uncover the fact that you are missing risk context for your vendors and contractors. It’s hard to assess the appropriate level of access if you’re missing this context.

3. Make the Process Repeatable 

With actionable audit results in hand, you’ll be enabled to prioritize compliance challenges and develop a roadmap for reducing third-party risks to ace your next audit and improve your security posture.

To do this, you need to ensure that all of your users – including third-party workers – have the appropriate guardrails and that your certifiers have the data they need to make good access decisions. And to do all of this on a consistent basis. 

Until now, there haven’t been many purpose-built tools for managing third-party access. This has been a challenge because:

• Traditional HR tools do not manage the risk profile of the third-party worker’s employer. Sponsorship of third-party workers is usually scattered throughout the company, making access management that much harder.
• Third-party workers don’t always have the ability to do self-registration for access, placing a heavy burden on your help desk employees.
• There is a limited understanding of how much access is necessary in the first place, meaning organizations run the risk of over-permissioning their third-party workers.

Saviynt Third-Party Access Governance (TPAG) provides complete third-party identity management. Start the relationship off securely with seamless onboarding, then simplify lifecycle management with automation and AI-driven identity intelligence. Manage third-party identities in the same system as your badged employees and make continuous compliance a reality in your organization.