Veselin Monev
Department of National and International Security, New Bulgarian University
Bulgaria
e-mail: VeselinMonev@gmail.com

Abstract:
This article was written after examining the information security risk management capabilities of eight popular commercial software solutions marketed to facilitate the third-party risk management process through "self-assessment" surveys. The author argues that none of these solution vendors incorporated the core components of a mature information security risk management process in their off-the-shelf offerings. For the most part, the solutions were simple surveying and response-scoring software, which is insufficient for performing risk assessments as defined in ISO 27005 or NIST Special Publication 800-30. In response to the identified deficiencies, this article proposes a practical third-party risk management process for improving the usefulness of the "self-assessment" method. The majority of the process items were tested in the real world. Both organisations that perform third-party risk assessments and solution providers can benefit from understanding the examined deficiencies and adopting the process in practice.

Key words: risk, self-assessment, information security, third-party