Monitoring occurs at specific points in time after an initial third party control assessment has been made. The timing of periodic assertion requests or periodic onsite assessments may be based on a number of factors, including: the outsourced product/service presents critical risk levels; industry regulators “encourage” onsite verification; the third party is not forthcoming in its declarations of controls; self-assessment assertions are not providing the outsourcer with an adequate sense of percentage risk relative to its own risk appetite; in response to a loss of proprietary information and/or financial impact; changes in system interconnectivity alters risk levels; documentation needs to be reviewed that cannot be shared off-site; that is, an assessor can only view the documentation on-site and is not allowed to take duplicates with them; there are material process changes at the third party that impact work done on behalf of the outsourcer; a security irregularity suggests that controls are not effective; appropriate continuous monitoring metrics are not available; verification of remediation activities of identified issues; and assurance the relationship is monitored on a proactive basis. Periodic ongoing monitoring generally lacks the timeliness and level of granular visibility required for proactive response to certain Issues that continuous monitoring can provide. Improved and more targeted threat intelligence capabilities are making near real time monitoring an essential component of TPRM programs. Sometimes, continuous monitoring outputs may trigger onsite assessments.
