Third Party Risk Management

Continuous Monitoring of Critical Vendors

Organizations that make continuous monitoring of critical vendors a part of their holistic and life-cycle based risk management program more frequently achieve business objectives. Jaymin Desai (TPRM Offering Manager at One Trust), Nasser Fattah (US Steering Committee Vice-Chair, Shared Assessments, Cyber, IT, and Third-Party SME), David Brintworth (Info Security Governance Manager, Iron Mountain – UK, Shared Assessments UK, and Steering Committee Member) and Charlie Miller (Senior Advisor at Shared Assessments) called on their extensive experience managing programs and technologies in Third-Party Risk as they outlined best practices for continuous monitoring of critical vendors.


To begin, the panelists explored the constantly changing threat landscape.  To understand a critical vendor’s risk posture, having information readily available from continuous monitoring is key. Organizations should use services that allow third parties to update their security and privacy.  Additionally, organizations should employ technology that has the ability to update information on how one is managing existing third-party risk – all of which should be monitored over time. A challenge in continuous monitoring is that reporting tends to focus on internet-facing security bringing attention to web applications not actually used by customers. Working with report vendors will take false-positives out of the reports to make continuous monitoring information more relevant and valuable for everyone. With an understanding of a challenge, establishing an actionable engagement from vendors is possible – data should be actionable and translatable.


Next, the webinar turned to examine the importance of understanding one’s risks and processes from different perspectives. A good starting point for continuous monitoring is to identify inherent risk based on a businesses’ overall use of third-party. From there, one has to determine and prioritize different third parties for continuous monitoring. Continuous monitoring can give a quick snapshot of risk posture when using it to evaluate many vendors. This visibility enhances understanding risks associated with a vendor.


New methods are being integrated into TPRM programs such as virtual assessments, assessment repositories, and continuous monitoring. From a process and technique perspective, many risk programs are conducting reassessments of vendors based on an initial assessment. Risk programs are grouping technologies together to create risk profiles that allow automated monitoring over time. Being able to leverage technology in this way provides better service to customers. Due to COVID-19, remote assessments have become and will continue to be more common.


In conclusion, there are many different techniques used for monitoring. An organization has to prioritize key components to monitor and determine approaches to build out over time when it comes to third parties. It is important for organizations to understand how they want to leverage continuous monitoring to help with day to day activities. Start small and take a risk-based approach. Monitor according to the risk and be flexible with what you have before you. organizations should be regularly assessing their own programs and adjusting as needed.


An archived recording of the session can be found here.