Backbone continues to deliver on its commitment of premier customer service and high quality deliverables with our Third Party Risk Management (TPRM) service offering. Through this service, Backbone can produce detailed risk assessment reports supported by top-notch workpaper documentation to provide management an informed review of a third-party’s control environment and maturity of their IT governance platform. Whether evaluating prospective partnerships as part of an RFP or performing a cyclical review of pre-established vendors, Backbone is able to quickly review the scope of the engagement and identify the associated risks to your organization. Backbone's TPRM service includes the following activities:
Right-Sized Risk Assessment: A review of the overall risk rating of each third-party will be performed by reviewing the engagement scope with the internal relationship manager to get a clear understanding their service offering and the important risk factors associated. This initial exercise will assist in determining the depth of the assessment necessary commensurate to the risks involved. Risk rating criteria includes but is not limited to: data classification, number of users, data hosting model, number of records, privacy considerations, regulatory requirements, access to internal network, etc.
Third-Party Questionnaire: A dynamic risk assessment questionnaire will be assigned to the designated external relationship that will focus on key domains to understand the procedures, technologies and controls established. Questionnaire domains include but are not limited to: policy governance, user administration, data center hosting, audit logging/monitoring, change management, incident response, business continuity, third-party management, etc.
Contract Review: A review of the proposed or existing contract (for pre-established third-parties) will be performed to ensure the necessary legal coverage has been captured. Contract review criteria includes but is not limited to: right to audit, termination, privacy, data breach notification, information security, indemnification, records retention, etc.
Evidence Gathering: A review of requested third-party documentation will be conducted to verify that key business processes have been established and that supporting controls have been well designed and are operating effectively. Evidence requests include but are not limited to: SSAE 16 (SOC) Type II reports, governance policies, standard operating procedures, vulnerability scans, penetration tests, network/dataflow diagrams, subservice audit reports, etc.
Defense-In-Depth Interview: A review of the completed third-party questionnaire and supporting evidence will yield additional follow-up questions best handled by a ‘defense-in-depth’ interview with the third-party’s technology SMEs. This approach will assist Backbone by peeling through their layers of security to best understand how the third-party will truly protect a customer’s confidential information. The interview will be used to address unexplained gaps in the questionnaire and concerns regarding potential findings.
Reporting & Communication: The reporting process will include the formally documenting report the 1) scope of the service offering and third-party background, 2) executive summary of the overall opinion and risk rating, and 3) summary of findings, remediation recommendations and timeline. A final internal report will be communicated to key stakeholders and the business and IT risk management teams will have the information necessary to determine next steps.
Backbone’s TPRM service is a “must have” solution for today’s enterprise, from Fortune 100s to SMBs alike. Whether a client’s initial program is just getting formed or a mature process in place, our dedicated team can quickly assist your IT function in producing a more efficient and sustainable process. Backbone has a team of Certified Information Systems Security Professionals (CISSP) that are qualified to conduct third-party risk assessments.
Third-Party Risk Management Service
A Division of CynergisTek, Inc.