Third-party risk management: Strategy to mitigate ‘on-premise’ and ‘cloud’ cyber security risks
Abstract
This paper attempts to exhaustively identify the risks of third-party partnerships and to describe the requirements that apply to such relationships in the IT security business context. Third parties have, either long-term or for an ad hoc period, occasional access to premises, infrastructures and/or data belonging to the organisation. These physical and logical accesses are a source of risk that every organisation should work to mitigate, so as to avoid the materialisation of threats and impacts that could jeopardise the achievement of its business objectives. Third-party risk management is the set of risk management practices and processes that adequately mitigate the risks inherent in the relationships between the company and its partners; these partners are designated as ‘third parties’. Risk mitigation is considered adequate if it ensures the security of information assets and compliance with legal and regulatory requirements and with security policies and guidelines. Mitigating these risks requires a different strategy depending on the type of business relationship and the nature of the service. The strategy applied to services delivered by a partner in an ‘on-site’ or ‘on-premise’ relationship has features that do not apply to cloud-based services. The growing appeal of cloud services — even for companies historically regarded as reluctant to adopt them — requires particular attention to the risks associated with this new service model. In North America (Canada and the US), cloud computing is becoming increasingly important in the public sector (such as government and hospitals) and in private-sector organisations operating in sensitive environments (such as ICS/SCADA networks). This paper, which is intended as a practical tool for developing an IT risk management strategy with third parties, applies specifically to technology environments with both on-premise and cloud deployments. It covers risks related to technological components in multi-client environments as well as in services dedicated to specific customers.
The full article is available to subscribers to the journal.
Author's Biography
Moh Cissé, MBA, PMP, CISM, CISA, CRISC, ITIL, CFOT, CFOS/O, is a senior GRC consultant at the Montreal, Canada office of Hydro-Québec. Moh has 21 years’ IT/OT experience and regularly advises operational technology companies and IT giants such as Bell Canada and CGI Inc. Moh holds an MBA from Laval University, Canada, and is a certified cyber security and risk management expert, project manager and lead auditor.