Goodwill Industries recently fell on bad times when a vendor’s system was attacked by malware, giving criminals access to payment card information—names, payment cards, and expiration dates ((http://www.goodwill.org/press-releases/goodwill-provides-update-on-data-security-issue/)). This appears to be a sign of the times. Over the past year or so, several major retailers have experienced a breach in which a third party played a role: Target ((http://krebsonsecurity.com/tag/target-data-breach/)), Viator ((http://www.viator.com/about/media-center/press-releases/pr33251)), Lowe’s ((http://www.fierceitsecurity.com/story/third-party-vendor-behind-possible-lowes-data-breach/2014-05-26)), and AT&T ((http://www.databreachtoday.com/att-reports-third-party-breach-a-6956)).
Breaches are a fact of life; however, one wonders about the effectiveness of these companies’ third party risk management strategies. Doing business in an outsourced economy requires expertise in the strategies, processes, and practices needed to evaluate and manage vendor risk and to oversee the security of sensitive data once it’s in the hands of third parties.
Expertise in risk management is best learned and maintained through certification programs. These certifications help professionals stay current with regulatory requirements, threats to data, and industry best practices. Over the years, risk management certifications have evolved from the general aspects of risk, privacy, and security to address more specific areas like IT/privacy. Unfortunately, no risk certification exists that addresses the unique expertise needed for vendor risk management.
The Shared Assessments Certified Third Party Risk Professional (CTPRP) Program
The Certified Third Party Risk Professional (CTPRP) designation developed by the Shared Assessments Program is a new certification that validates proficiencies in assessment, management, and remediation of third party risk issues. Once certified, CTPRP holders will have a thorough working knowledge of third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and knowledge of the fundamentals of vendor risk assessment, monitoring, and management.
The CTPRP certification, the first of its kind, is ideal for third party risk, procurement and compliance professionals including business vendor managers, risk managers (vendor or operational), vendor IT security managers, IT auditors/assessors, and IS auditors/professionals. The CTPRP designation validates the holder’s expertise, and provides professional credibility, recognition, and marketability to its holders.
CTPRP certification requirements include a minimum of five years’ experience as a risk management professional, in a position that demonstrates proficiency in assessment, management, and remediation of third party risk issues; peer training; participation in Shared Assessments program committees and workshops; mentoring; attending related workshops and other training events; and successfully passing the CTPRP examination. Individuals who do not hold the minimum five years’ experience may use the course and exam for training and education purposes, then reapply once five years’ experience is earned.
With so much at stake in the event of a data breach—lost revenue, significant brand damage, lawsuits, fines—companies need to take a closer look at their third party risk management practices. When risk management professionals seek certification through the Certified Third Party Risk Professional program, it is an indicator that organizations are taking proactive responsibility for getting their third party risk programs in shape.
Your Opportunity to Certify Is Coming Soon!
Upcoming CTPRP Workshops & Examination Dates:
January 22 – 23, 2015
February 25 – 26, 2015
New York, NY
*April 30 – May 1, 2015
*The Certification Workshop and Exam directly follow the 8th Annual Shared Assessments Summit 2015. Attending the Summit will earn educational credits that can be applied towards maintaining your certification. Register to attend the Summit here.
To learn more or to register for an upcoming CTPRP workshop and exam, please visit www.sharedassessments.org or contact Nicole Musolf, Project Manager, at 505-466-6434 or Nicole@santa-fe-group.com.
Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.