
Third-Party Security Findings Management

Industry leading practices to strengthen your partnership with suppliers while securing the broader ecosystem


Findings Management is a Core Challenge

Working with third parties to remediate findings identified in their systems and processes is a key challenge for many organizations. Programs often have defined methodologies for assessing the risk posed by findings so that they can be prioritized for remediation. However, because leading industry practices have been difficult to identify, these processes can feel imprecise or even arbitrary, both within organizations and to their third parties. This frequently leads to a lack of third-party cooperation with the remediation process, as well as a general sense of uncertainty about whether the risk management activities are actually effective.

A Risk-Based Framework

For this reason, identifying leading industry practices for findings management is a top priority. While naming conventions and risk segmentation methods vary slightly, almost all leading third-party security programs follow a consistent approach: the risk posed by each finding is assessed, and the finding is then assigned a required timeframe for remediation. In general, the risk posed by a finding has two components: exploitation severity and the relevance of the affected control within the vendor's environment.

Leading organizations therefore determine the criticality of a finding first by assessing the impact that exploitation would have on their own organization. This component answers the question 'how much could exploitation of this finding hurt us, given the nature of our relationship with the third party?' The second component assesses how the specific control relates to the vendor's broader information security posture: 'how much could exploitation of this weakness hurt the third party's own systems?'

Findings are then segmented into discrete categories based on these criticality criteria so that mitigation effort can be prioritized. In general, high findings are those with both high exploitation severity and high control relevance; these typically must be remediated within 30 days to minimize risk exposure. At the other end, where both severity and relevance pose a low risk, remediation can be addressed over a longer timeframe, frequently set at 90 days. The combinations in between represent a medium level of risk, for which 60 days is generally the required remediation timeframe. The exact windows vary between programs; what matters is that the timeframe follows from the assessed tier rather than being negotiated case by case.

Partnership Building and Cascading Value

To obtain the most value from the findings management process, industry-leading organizations integrate it into their broader third-party risk management efforts. Based on a specific third party's findings history, assessments can be scoped to 'right-size' assurance requirements and target specific control areas. Similarly, when it comes to ongoing monitoring, finding records drive the monitoring requirements, with third parties that show a consistent track record of timely control implementation being deprioritized for monitoring effort. Finally, trends based on third-party type, product category, and other key features are identified to inform a proactive risk management approach.
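The following is an added, illustrative implementation of the process described in the two passages above; it is example code written for this page, not KPMG tooling or a client program. It takes the remediation windows the page gives (High 30 days, Medium 60 days, Low 90 days), derives each finding's tier from its exploitation severity and control relevance, computes the due date, flags overdue items, and then summarizes each vendor's remediation track record into a monitoring priority. The rule for combining the two components (only High/High is High, only Low/Low is Low, everything else Medium), the three-level scale, the priority rule, the field names and the sample findings are all assumptions made for the example.

```python
"""Third-party findings triage: tier, due date, status and vendor track record.

Added example for this page; not KPMG's tooling. Remediation windows follow the
page (30/60/90 days). The tiering rule, rating scale, priority rule and sample
data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Required remediation windows per tier, in calendar days (from the page).
REMEDIATION_DAYS = {"High": 30, "Medium": 60, "Low": 90}

# Assumed three-level ordinal scale used for both risk components.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def finding_tier(severity: str, relevance: str) -> str:
    """Combine exploitation severity and control relevance into a tier.

    Assumed rule: High only when both components are High, Low only when both
    are Low, and every other combination Medium.
    """
    s, r = LEVELS[severity], LEVELS[relevance]
    if s == 3 and r == 3:
        return "High"
    if s == 1 and r == 1:
        return "Low"
    return "Medium"


@dataclass
class Finding:
    vendor: str
    control: str        # assessed control the finding is raised against
    severity: str       # exploitation severity: impact on our organization
    relevance: str      # control relevance: impact within the vendor's environment
    opened: date        # date the finding was communicated to the vendor
    closed: Optional[date] = None   # date remediation was verified, if any

    @property
    def tier(self) -> str:
        return finding_tier(self.severity, self.relevance)

    @property
    def due(self) -> date:
        """Remediation deadline: opened date plus the window for the tier."""
        return self.opened + timedelta(days=REMEDIATION_DAYS[self.tier])

    def status(self, today: date) -> str:
        if self.closed is not None:
            return "closed_on_time" if self.closed <= self.due else "closed_late"
        return "overdue" if today > self.due else "open"


def vendor_track_record(findings: List[Finding], today: date) -> Dict[str, dict]:
    """Per-vendor remediation history with an assumed monitoring priority:
    'escalate' if any High finding is overdue, 'deprioritize' if every finding
    was closed on time, otherwise 'standard'."""
    record: Dict[str, dict] = {}
    for f in findings:
        rec = record.setdefault(f.vendor, {
            "open": 0, "overdue": 0, "closed_on_time": 0,
            "closed_late": 0, "overdue_high": 0,
        })
        st = f.status(today)
        rec[st] += 1
        if st == "overdue" and f.tier == "High":
            rec["overdue_high"] += 1
    for rec in record.values():
        if rec["overdue_high"] > 0:
            rec["priority"] = "escalate"
        elif rec["open"] == 0 and rec["overdue"] == 0 and rec["closed_late"] == 0:
            rec["priority"] = "deprioritize"
        else:
            rec["priority"] = "standard"
    return record


# Constructed sample findings (not real assessment data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("Acme Hosting", "Privileged account review", "High", "High", date(2024, 4, 15)),
    Finding("Acme Hosting", "TLS configuration", "Medium", "Low", date(2024, 5, 1)),
    Finding("Beta Payroll", "Server hardening baseline", "Low", "Low", date(2024, 2, 1), closed=date(2024, 4, 20)),
    Finding("Beta Payroll", "Password policy", "High", "Medium", date(2024, 3, 1), closed=date(2024, 4, 25)),
    Finding("Gamma Analytics", "Log review", "Medium", "High", date(2024, 3, 10), closed=date(2024, 5, 20)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.vendor:16} {f.control:26} {f.tier:6} due {f.due} {f.status(TODAY)}")
    for vendor, rec in vendor_track_record(SAMPLE, TODAY).items():
        print(vendor, rec)
```

Run as-is, the script shows Acme Hosting with an overdue High finding (escalate), Beta Payroll with every finding closed on time (a candidate for reduced monitoring), and Gamma Analytics with a late closure (standard). In a real program the sample list would be replaced by records pulled from the assessment platform, and the `closed` date should be the date remediation was verified, not the date the vendor reported it done.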

Implementation of a robust third-party findings management process drives benefits beyond individual organizations to the broader third-party ecosystem. Third-party Information Security programs can utilize routine participation in assessment and findings remediation processes to ensure they are evolving along with the threat landscape. Broad application of remediation requirements encourages consistent adherence to industry standard configurations, improving overall security throughout the supplier ecosystem. Additionally, routine cooperation between organizations and their third parties to perform cybersecurity assessments can drive overall service and partnership quality improvements. In this way, the findings management process can evolve from a challenge to a key source of value to the organization, its third parties, and broader cyber ecosystem. 

Meet our team

Mitushi Pitti
Managing Director, Cyber Security Services, KPMG US