In this week’s blog we share an overview of third-party assessments for cyber security. We cover why they’re beneficial and what to expect. Lauren Bellero spoke to Sean Falconi, a managing consultant with Delta Risk in risk management and compliance, to get his thoughts on this topic. Sean has performed many third-party assessments covering a wide range of industries.
Q: In your own words, can you give me an overview of third-party assessments related to cyber security?
A: Third-party assessments are independent evaluations performed by a security vendor. They’re designed to be helpful and collaborative, and that's how we approach them. The first thing I usually emphasize is that it’s not an audit. Attitudes are different with an audit. Assessments aren’t designed to embarrass people or to point fingers, but to help companies make informed decisions.
Assessments are typically risk-based or compliance-based, but could be related to data, too. Additionally, an organization could be sharing their data with a subcontractor and want to know more about how and where that data is being used or stored, who has access to it, and whether it's encrypted.
Q: How do you know what to look for when conducting an assessment?
A: It really depends on the customer and what they need. We assess against a framework, like National Institutes of Standards and Technology (NIST), and International Organization for Standardization (ISO). The NIST framework is usually used by federal, state, and local governments, and ISO is usually used by corporations and other market-driven companies.
Or it could be another framework entirely, like a hospital with personal and medical information. They might need to comply with HIPAA regulations, for example. I’ve also done work for companies that have taken components from several different frameworks and made their own. Establishing a framework and customer objectives are crucial because it helps us know what to focus on during the assessment.
Q: What else is important to know about the process?
A: It’s important to make sure the assessor has all the documents they need and access to the physical site, if necessary. It's also helpful to have access to documents that may need to be reviewed ahead of time. This might seem small, but no one wants to show up for an assessment, or be working on one, and not have everything they need to complete it. Everyone needs to be on the same page because we want to be as efficient as possible.
Q: What’s the typical time frame for a third-party assessment?
A: It varies, but the average is about a day for doing the actual assessment. It can be done in person, or via WebEx or Skype, which saves on travel costs. One thing that helps is having plenty of lead time to schedule an assessment. One or two months is ideal and can save you money.
Having said that, one of the benefits of Delta Risk is that we're responsive and can do emergency or last-minute assessments, and we have done those before. People can come to us for any scenario. For example, if a company wants to enter into a business relationship with another company for a contract or specific job, and needs an assessment quickly, we can help.
If you need a third-party assessment, or want more information, Delta Risk can help! Contact us here.
Q: Are there any trends you've noticed across the assessments you've done in the past year or so?
A: One thing I’ve found is that companies usually have an incident response plan for what they would do in the event of cyber security incident. However, something that I’ve noticed is that notification plans, especially if another company is involved, aren’t spelled out. A company often knows what needs to be done but hasn’t laid out the steps or a timeline for how soon the other party should be notified, who specifically should be called or emailed, and how they should be communicated with, things like that. It’s like if you see an emergency on the street, and someone yells “call 911” versus them pointing at a specific person and telling them to call 911.
Q: Why would choosing Delta Risk to do these assessments be beneficial?
A: One advantage of working with Delta Risk is the deep subject matter expertise our assessors have in various industries. For instance, one of our assessors has experience in the financial services and banking industry. He can speak in-depth about banking operational procedures, and the resulting assessments include detailed and insightful observations.
One of our other assessors has experience in commercial construction and construction management. During the physical security and environment component of a recent assessment, he evaluated the current configuration of a client’s back-up media location. Because he had reviewed their system inventory and network diagram as well, he was able to show them how a new proposed back-up location would violate their existing security framework because their personnel access control procedures would have changed. This allowed the client to make risk-based, cost-effective decisions about their renovation plans, and stay in compliance.
We’ve worked with all types of frameworks and can also create one for a specific business or risk need. We’re also flexible in working with clients and their timelines. In addition, we have a lot of experience conducting incident response table top exercises and evaluating incident response plans. Our assessors draw directly and indirectly on this experience.
A third-party assessment and an audit are very different things. Assessments are designed to help you make informed decisions, not to point fingers or blame. It’s also important to make sure the assessor has all the documents they need before they start the assessment, which will save you time and money. If you’re looking to have someone help you with assessments, check to see what industry experience they have. Finally, make sure that whatever vendor you work with can tailor the assessments to include risk questions, help with due diligence, and give you detailed, actionable insights.