Vendor Risk Management Services

We identify, classify, remediate and mitigate vendor risks. This includes creating questionnaires that dive deep to uncover hidden risks, supported by initial and ongoing threat intelligence.

Complexity of Vendor Risk Management

A third-party risk assessment should not be one-size-fits-all. It needs to be well thought out, with a strategy and plan put in place according to global and industry best practice, and documented to address the different types of third parties.

You may have a vendor with one user and full access to the CRM, while another third party may have multiple users with access only to non-sensitive data and/or systems, and another may provide a SaaS platform with no access to your environment but whose platform stores all your sensitive data.

We work alongside you to strategise how to classify third parties according to risk profile.

How it Works

Strategy Workshop

StickmanCyber will work with you to map out the types of third parties and classify them as critical, high, medium or low, taking into consideration the type of data (e.g. sensitivity), the type of access (e.g. remote or on-site), the amount of data concerned and the storage locations (e.g. cloud, on-prem or hybrid).

While each third-party organisation may be different, a third-party risk profile is based on four main principles:

(1) What type of access does the third party have?
(2) What kind of data does the third party have access to?
(3) What amount of data do they have access to?
(4) What can they do with the data (e.g. read-only, read-write, etc.)?

Initial Threat Intelligence Assessment

StickmanCyber will perform a detailed internet-based hacker intelligence gathering exercise to identify any known threats and vulnerabilities, and provide analysis of our findings on exactly how a hacker views the gaps in your third party's environment, as well as recommendations for remediation.

Risk-assessment questionnaire for vendor categories

From our workshop, we prepare a document that details the findings, the types of third party and the classification of each third party. This then leads to the next steps:

  • Develop custom questionnaires (3 to 4 types) required for each type of third party

  • Validate and confirm all the questionnaires

  • Final presentation and sign-off

  • Upload and set up the StickmanCyber platform with the questionnaires

Ongoing Threat Monitoring

StickmanCyber will also proactively monitor your third parties to identify unauthorised activity and suggest remediation for potential threats before they occur.

Due Diligence for each vendor

StickmanCyber will use its third-party risk assessment platform to build a workflow to reach out to the third parties and ensure they complete the questionnaire and provide the relevant evidence (as appropriate).

In certain instances, a third party (mostly larger third parties like Microsoft, AWS, etc.) will not complete a risk assessment questionnaire. In such instances our teams will go over the data and information they have provided publicly to assess their risk, and report back by completing the questionnaire based on the available information.

StickmanCyber will analyse the responses and any evidence to ascertain the third-party risk identified, and report back to CancerQLD with details of the findings and our recommendation, together with a risk score.

Future Proof

Regularly updating risk assessment criteria based on geopolitical, economic, and technological shifts enhances long-term vendor risk management. We help you anticipate and prepare for these shifts.
