Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

View TPRM Risk Through Four Lenses

Home
Industry Insights
View TPRM Risk Through Four Lenses

Blog Article Published: 07/11/2022

This blog was originally published by Coalfire here.

Written by Jon Knohl, Coalfire.

Organizations can more effectively evaluate their risk profile by measuring confidentiality, integrity, and availability as they each relate to the enterprise-wide domains of financial, regulatory, reputational, and operational risks.

Key takeaways:

  • Proactively addressing risk is more cost effective than handling a breach that has already occurred
  • It’s critical to make sure you understand which compliance frameworks impact your industry, and know whether your program meets the requirements
  • Include your Procurement, Information Technology, and Public Relations departments in your breach planning activities such as scenario building

In recent years, as attackers seek to gain entry and disrupt business through vendors, Third Party Risk Management (TPRM) has proven to be a top priority item for every organization. As organizations mitigate the risks associated with a third party-related attack, leaders should continue to address the risk that third parties present for confidentiality, integrity, and availability. More specifically, organizations should further evaluate their risk profile by measuring them as they each relate to the enterprise-wide domains of financial, regulatory, reputational, and operational risks. In the world of information technology compliance, these four specific domains represent primary risk factors and cover a holistic view of organizations on a day-to-day level.

Financial

Per IBM’s "Cost of a Data Breach Report" published in July 2021, the average cost of data breach rose from $3.86m in 2020 to $4.24m in 2021. The potential financial impact to your organization could be rather detrimental. It’s usually less expensive to proactively ensure that critical functions are meeting the controls necessary to protect your data in the event of breach, rather than shouldering the financial outcomes of responding to a breach. A loss of availability to customers can also lead to violation of contracts which also carries a hefty bill to resolve.

Regulatory

Dependent on your industry, there are a variety of state and federal regulations (i.e. GDPR, CCPA, Sarbanes Oxley, HIPPA, and GLBA) that are aimed at protecting sensitive data. It is critical to ensure your organization is familiar with and adhering to such regulatory measures because failure to meet regulations leaves your organization vulnerable to steep fines and penalties.

Reputational

The negative impacts of a data breach to client data confidentiality includes loss of both customer confidence and competitive advantage. What’s more, your organization can easily inherit reputational impact from a supplier breach. While mitigating reputational risk is challenging, it is essential to prepare for such impacts by making your organization's public relations function aware of your third-party relationships and allowing the function to begin brainstorming about how to mitigate such risks. This typically involves a collaborative discussion between your procurement, information technology, and public relations departments to discuss applicable scenarios that might impact your organization and develop internal and external response options.

Operational

Businesses leverage third parties to support business operations and fill the void in areas your organization is unable to meet. In the event of a loss of availability, your organization's business operations could face the consequences as well. One example is related to payroll as a majority of organizations outsource their payroll function to third party providers. A hit to your organization's ability to process payroll as well as other financial related functions would hinder your ability to do business.

Conclusion

While third party risk can be measured in a variety of ways, the recommendation is to ensure your organization is first capturing risks as they relate to financial, regulatory, reputational, and operational impacts to the business in order to develop a comprehensive view of your company’s third party threat landscape.

ComplianceRisk Management

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
How to Set Your Small Privacy Team Up for Success

Published: 04/17/2024

The Data Security Risks of Adopting Copilot for Microsoft 365

Published: 04/16/2024

How to Audit Your Outdated Security Processes

Published: 04/16/2024

Cloud Relationships: Getting to Grips With the ‘Vendor of My Vendor’

Published: 04/15/2024