IIA Canada National Conference - September 14 - 16, 2020

How to Address the Increasing IT Risk of Third Parties

Day 2 - Concurrent Session 7 - Track 5
15 Sep 2020
15:40 - 16:30

Level: Intermediate

The presentation will discuss the following aspects:

Initial Vendor Review

  • strategy and fit for purpose

  • financials

  • reference clients

  • process reviews

  • any third-party audits the firm has had conducted (and the right to review them whenever an audit is completed)

  • detailed questions about their processes, key performance indicators (KPIs) and key risk indicators (KRIs)

  • IT review

  • Physical security review

Contracting:

  • Right to audit

  • Provide ongoing services in case there is a change of control

  • Provide transition services in case there is a change of control

  • Business-driven items such as processes, KPIs, KRIs, etc.

  • Share any third-party audit reports (such as 3416 / SOC reports) and their internal audit findings

Ongoing diligence:

  • Actively monitoring and managing the vendor

  • Third-party audits, and particularly action plans to resolve critical- and high-rated findings

  • Business review to make sure nothing major has changed with strategy, acquisitions, etc.

Further, related to Cyber Security the presentation will discuss:

  • Data Security and Privacy

  • Business Requirements and Design Review

  • Asset and Configuration Management

  • Change Management

  • Vulnerability / Patch Management

  • Security Monitoring and Incident Response

  • Cloud / Network Architecture

  • Business Continuity / Disaster Recovery

  • Access Control Management

  • Vendor Security

Further aspects:

  • Information security policies

    • Policies for information security

    • Review of the policies for information security

  • Organization of information security

    • Internal organization

    • Mobile devices and teleworking

  • Human resource security

    • Prior to employment

    • During employment

    • Termination and change of employment

  • Asset management

    • Information classification

    • Media handling

  • Access control

    • User responsibilities

    • System and application access control

  • Cryptography

  • Physical and environmental security

  • Operations security (including but not limited to)

    • Backup

    • Logging and monitoring

    • Control of operational software

  • Communications security

  • System acquisition, development and maintenance (including but not limited to)

    • Test data

  • Supplier relationships

  • Information security incident management

  • Information security aspects of business continuity management