Selecting the Right Technology for Your Third-Party Risk Management Program

Effective third-party risk management (TPRM) begins with maintaining an updated vendor inventory and conducting assessments for a prioritized subset of vendors who pose the greatest risk to your organization. Technology and automation play a critical role in your program’s ability to deliver assessments and high-quality risk intelligence to the business in a timely fashion. Applying the right technology in the right places in your vendor risk workflow can also save valuable time and money that would otherwise be spent on costly manual processes and systems.

Healthcare’s Gamble with Business Associate Breach Risks

Security breaches from third-party Business Associates and related regulatory penalties are piling up for healthcare entities this year. In a joint presentation with CORL in June 2020, the US Office for Civil Rights (OCR) reported that a top source of civil monetary penalties for Covered Entities in 2019 was inadequate management and compliance for third-party Business Associates. Despite the mounting financial penalties and breach costs resulting from third-party breaches, too many healthcare entities continue to gamble with underinvestment in their third-party vendor risk and compliance programs.

Explaining CORL's Processes to Vendors

CORL provides a unique and innovative model for managing third-party risk. However, there is a wide range of vendor assessment technologies and solutions on the market, including cyber risk scoring tools, GRCs, automated questionnaires, vendor exchanges, and more. This diversity of solutions has generated confusion for some vendors that are trying to figure out how and where CORL fits into the picture in supporting your vendor risk program.

NIST SP 800-53 Rev 5: New Supply Chain Control Requirements

The National Institute of Standards and Technology (NIST) has announced an updated version of its flagship security controls framework, NIST Special Publication (SP) 800-53. The new version, Revision 5 or “Rev 5”, is the first overhaul of the NIST SP 800-53 framework in over seven years and contains critical updates that reflect the modern cyber threat landscape. A major addition in this revision is an entire security controls “family” dedicated to Supply Chain Risk Management (SR). This blog post provides insight into the new controls framework version, its differences from prior iterations and other related standards, and its applicability to third-party risk management programs.

Finding a Cure for Healthcare Vendor Risk | Analysis of the 21st Century Cures Act and ONC’s Cures Act Final Rule

In May 2020, while the healthcare industry grappled with the outbreak of a global pandemic, the US Department of Health and Human Services (HHS) quietly issued a Final Rule that has major implications for the secure electronic delivery of health information to patients via third-party platforms and apps. Increased interoperability between systems has many potential benefits for patients, but it also introduces a larger technology footprint for sensitive patient information, including Protected Health Information (PHI).

Enterprise Risk Reporting | The Achilles Heel of Vendor Risk Management Programs

Information security leaders and vendor risk management teams have struggled to update their reporting models to keep pace with the increasing variety and complexity of risks introduced by the modern business supply chain. The inability to effectively communicate meaningful vendor risk metrics that drive informed decisions from the business has become the Achilles heel for many third-party risk management programs.

Abandoning the Assessment Factory

Remember the days when every organization maintained a troop of IT engineers somewhere in the basement that spent countless days and nights racking, stacking, and networking servers? Everyone had established their own in-house technology infrastructure factory and was deeply invested in managing an operational IT function that was far removed from the core capabilities and mission of the business. That is, until one day we collectively realized that IT infrastructure could be better delivered as a service via outsourced and cloud-hosted platforms that more efficiently manage and scale our IT capabilities.

Decoding Vendor Questionnaire Responses

Vendor responses to third-party security assessment questionnaires can have a wide range of “truthiness”. Questions such as “how does your organization protect x” or “explain your process for y” are often met with “yes” or “no” responses, or the classic less-than-informative response of “we are HIPAA compliant”. This phenomenon can be chalked up to a variety of root causes, including security responses being completed by sales personnel who have limited security knowledge or expertise, missing security controls and a lack of transparency by the vendor, or pressures of the sales cycle to get responses completed quickly for a large volume of customer security assessments.