Create third-party-due-diligence.md #515

Open; wants to merge 1 commit into base: master
27 changes: 27 additions & 0 deletions content/outcomes/MISC/third-party-due-diligence.md
@@ -0,0 +1,27 @@
//Outcomes from Third Party Due Diligence session
##Why
Every company has their own third party due diligence methods. Mostly a mix of questionnaires, open source investigations, sometimes onsite assessments. This is not efficient in today's world as poor vendors are forced to spend 100s of hours each year filling in questionniares with same or similar questions over and over again.
## What
I believe we should have a restricted opensource platform where the members would agree on a framework and scoring system for third party due diigence from cyber perspective. (later may be expanded in other compliance areas too)
This should perform the evaluation, follow-up assessments annually (or at major changes like M&As), tracking for resoltuions of the findings..
Things to consider:
Are we assessing the corporate controls of the vendor or their solution's security, or both?
What framework or frameworks best suited for this? MITRE, NIST, ISO??
Scores on maturity, flags on category of information classification that is recommended to be shared with the vendor (i.e. do not share non-public information with this vendor until they remediate findigns A, B, C)
Funding for the activites - should we form a consortium like what FS-ISAC does for threat intelligence?
If the third party is critical outsourcing partner, would the standard evaluation be sufficient, or should there be additional things to consider.
## Outcomes
So to wrap up from the session; we found at least three companies who already do the service but as a commercial offering.
These are;
OneTrust Vendorpedia - https://www.vendorpedia.org/
RiskLedger - https://app.riskledger.com [requries login details which I don't have]
IHS Markit KY3P - https://ihsmarkit.com/products/ky3p.html

Next steps: I am not sure how to move this forward
Ideally we would ;
either find a government body to sponsor this but this seems like killing businesses which provide third party risk solutions
Or, reach out to financial sector big players (big banks) to form a consortium like the one for threat intelligence (FS-ISAC)
Or, get one of the commercial ones to turn it into an open source model

## Who
If you are interested in getting invovled in this activity, please message me (Didar Gelici) on Slack or any social media messaging.
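Review bot: The headings in this file will not render as intended: `//Outcomes from Third Party Due Diligence session` is not Markdown syntax (it will appear as literal text), and `##Why` needs a space after the hashes (`## Why`) to match the `## What`, `## Outcomes` and `## Who` headings further down; consider making the first line a `# Outcomes from Third Party Due Diligence session` title. The items under `Things to consider:` (the five questions from "Are we assessing the corporate controls" through "additional things to consider") and the three options under `Ideally we would ;` are separate points but have no list markers, so they will run together as one paragraph; prefix each with `- `. The RiskLedger entry links to `https://app.riskledger.com` with the note "[requries login details which I don't have]"; since the app URL is not reachable without an account, link the public product site instead or drop the bracketed aside. Finally, there are several typos to fix before merge: "questionniares", "diigence", "resoltuions", "findigns", "requries", "activites", "invovled".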