Pre-Contract: Risk-Based Approach Flashcards
Pre-Contract: Risk-Based Approach
-Inherent vs Residual Risk
-Quantitative vs Qualitative Approach
-Optimize Risk-based Approach
Inherent Risk
-The level of risk present before any controls are evaluated; it is assessed from general information about the engagement alone.
-The inherent risk of a third party takes into account the type of product/service provided, the type of data that
will be accessed or transferred, the geographical location of the third party, and the amount to be spent; it does not take into account the controls the third party has in place to safeguard that data.
Residual Risk
-The level of risk remaining after the implemented controls have been assessed and/or the risk discovered during assessment has been treated.
-Residual risk provides a more accurate picture of the risk landscape of a third party as it evaluates the controls in place for sufficiency and effectiveness.
Quantitative Approach
Relies on objective, measurable data to provide insight into risks. Uses historical data (incident frequency, loss amounts) to estimate the likelihood that a risk will be realized and the potential impact to the organization, typically as an expected loss figure.
Qualitative Approach
Relies on judgment rather than measured data. The likelihood of a threat occurring and its impact on the company are each rated on an established ordinal scale (for example low/medium/high), and risks are categorized by that combined rating rather than by a calculated figure.
Inherent Risk Questionnaire (IRQ)
-The Sorting Hat
-Focus on the critical cyber risks
-Not a due diligence effort
-It is very tempting to jam everything into the IRQ, but you don't want to do that.
-Aim for a set of 10-20 questions. Detailed questions belong in the due diligence questionnaire that the IRQ's triggers select, not in the IRQ itself.
IRQ Template
An in-depth look at the questions used to categorize a third party's initial (inherent) risk and determine the level of due diligence required.
-Will the third party have access to data?
-What type of data?
-Volume of data the vendor will access, store, transmit, or process (in aggregate).
-Is this a hosted solution or service?
-Hosted here means the solution runs in neither your facility nor the third party's own, for example at a cloud provider.
-Does this third party have direct/indirect contact with your customers?
-What is the spend over the life of the contract?
-Does this relationship present a regulatory risk?
-How critical is the product/services this third party provides to the business/organization?
-Is any aspect of this product/service, including subcontractors, located offshore?
-Does this third party support the organization’s critical infrastructure (software, hardware, datacenter, internet provider)?
-Does this third party have a material subcontractor (any aspect of the product/service provided by the third party outsourced to a subcontractor)?
-Does this party have access to company networks?
-How long would it take to replace this third party, if needed?
IRQ Template Notes
-The IRQ is completed before due diligence. The responses determine the next step: which due diligence questionnaire, if any, the third party will be asked to complete.
-Who completes this questionnaire? Start with the business unit that will be using the product or service. They may not know exactly what data will be provided to the vendor; if they rate the engagement low, don't accept that rating until you do know.
-Run all of your vendors through the IRQ.
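The IRQ template above is a qualitative scoring exercise: each answer contributes points on an ordinal scale, the total maps to an inherent-risk tier, and the tier selects the due diligence that follows. The following is an added example of such a scorer, written for this page and not taken from any TPRM tool or from the flashcards' source. The weights, tier thresholds, the "gating" floors for regulated data and network access, the questionnaire names and the three sample answer sets are all assumptions chosen to illustrate the technique; tune them to your own program. The point the example makes that the list alone does not: keep the per-item contribution so a rating can be explained back to the business unit, and let a single high-consequence answer set a floor that an otherwise low additive score cannot override.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    CRITICAL = 3


# Assumed data classifications; align with your own classification policy.
SENSITIVE_DATA = {"PII", "PHI", "PCI", "credentials"}
REGULATED_DATA = {"PHI", "PCI"}


@dataclass(frozen=True)
class IRQResponse:
    """One answer set for the IRQ template questions on this page."""
    data_access: bool
    data_types: frozenset = frozenset()    # e.g. frozenset({"PII"})
    record_volume: int = 0                 # aggregate records accessed/stored/processed
    hosted: bool = False                   # neither your facility nor the vendor's own
    customer_contact: bool = False
    contract_spend: float = 0.0            # total over the life of the contract
    regulatory_risk: bool = False
    business_criticality: str = "low"      # "low" | "medium" | "high"
    offshore: bool = False
    supports_critical_infra: bool = False
    material_subcontractor: bool = False
    network_access: bool = False
    replacement_days: int = 0              # time needed to replace the third party


def triggers(r: IRQResponse) -> dict[str, int]:
    """Return the IRQ items that fired and the (assumed) points each contributes."""
    t: dict[str, int] = {}
    if r.data_access and r.data_types & SENSITIVE_DATA:
        t["sensitive data"] = 4
    elif r.data_access:
        t["data access"] = 1
    if r.record_volume >= 1_000_000:
        t["volume >= 1M records"] = 3
    elif r.record_volume >= 10_000:
        t["volume >= 10k records"] = 2
    elif r.record_volume > 0:
        t["volume < 10k records"] = 1
    if r.hosted:
        t["hosted solution"] = 2
    if r.customer_contact:
        t["customer contact"] = 2
    if r.contract_spend >= 1_000_000:
        t["spend >= 1M"] = 2
    elif r.contract_spend >= 100_000:
        t["spend >= 100k"] = 1
    if r.regulatory_risk:
        t["regulatory risk"] = 3
    if r.business_criticality == "high":
        t["business critical"] = 3
    elif r.business_criticality == "medium":
        t["business important"] = 1
    if r.offshore:
        t["offshore"] = 2
    if r.supports_critical_infra:
        t["supports critical infrastructure"] = 3
    if r.material_subcontractor:
        t["material subcontractor"] = 1
    if r.network_access:
        t["network access"] = 3
    if r.replacement_days >= 180:
        t["replacement >= 180 days"] = 2
    elif r.replacement_days >= 30:
        t["replacement >= 30 days"] = 1
    return t


def score(r: IRQResponse) -> int:
    return sum(triggers(r).values())


def additive_tier(s: int) -> Tier:
    """Map the additive score (max 30 with these weights) to a tier."""
    return Tier.CRITICAL if s >= 20 else Tier.HIGH if s >= 12 else Tier.MEDIUM if s >= 6 else Tier.LOW


def inherent_tier(r: IRQResponse) -> Tier:
    """Additive tier plus gating floors: some answers set a minimum tier no matter
    how the rest of the questionnaire scores (assumed floors)."""
    tier = additive_tier(score(r))
    if r.data_access and r.data_types & REGULATED_DATA:
        tier = max(tier, Tier.HIGH)        # regulated data is never LOW or MEDIUM
    if r.network_access and r.supports_critical_infra:
        tier = max(tier, Tier.CRITICAL)    # inside the network and load-bearing
    return tier


# Assumed questionnaire names; the tier selects what the vendor is asked for.
_HIGH = ["full security questionnaire", "SOC 2 Type II (or equivalent) review", "data protection review"]
DUE_DILIGENCE = {
    Tier.LOW: ["self-attestation"],
    Tier.MEDIUM: ["standard security questionnaire"],
    Tier.HIGH: _HIGH,
    Tier.CRITICAL: _HIGH + ["business continuity review", "fourth-party (subcontractor) review"],
}


def due_diligence(r: IRQResponse) -> list[str]:
    """The IRQ's output: the due diligence effort the third party is routed to."""
    return DUE_DILIGENCE[inherent_tier(r)]


# Constructed sample answer sets, not real vendors.
HR_SAAS = IRQResponse(data_access=True, data_types=frozenset({"PII"}), record_volume=50_000,
                      hosted=True, contract_spend=250_000, regulatory_risk=True,
                      business_criticality="medium", offshore=True,
                      material_subcontractor=True, replacement_days=90)
CATERER = IRQResponse(data_access=False, contract_spend=20_000, replacement_days=7)
# Card-payment kiosk: low additive score, but the PCI floor applies.
KIOSK = IRQResponse(data_access=True, data_types=frozenset({"PCI"}), record_volume=500, contract_spend=5_000)

if __name__ == "__main__":
    for name, resp in [("HR SaaS", HR_SAAS), ("caterer", CATERER), ("kiosk", KIOSK)]:
        print(f"{name}: score={score(resp)} tier={inherent_tier(resp).name}")
        print("  triggers:", triggers(resp))
        print("  due diligence:", due_diligence(resp))
```

Running it shows the kiosk vendor scoring 5 points (LOW by the additive scale) yet landing in HIGH because of the PCI floor, which is the case the note above about not accepting a low business-unit rating until the data is known is guarding against.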