Question
I see third party risk as an interesting (and frustrating) conundrum. The primary point of control to avoid risk is pre-engagement at the time the relationship is being established. Presumably the third party wishes to do business with your company, and you or your ISO can insist on their completing a security questionnaire. You can review their responses and perhaps probe a little deeper. Ultimately, you can insert contractual language and you might even insist on certain controls and yearly reviews of their controls to assure they are keeping up with the measures...
In the end, only the most robust information security teams would be able to keep up with this over time. Partnerships are the key to success in any industry and these relationships will multiply. At best, the vendor responses will be reviewed and filed. It will become an administrative process. A burden. But will there be value in the process?
Certainly network controls can be put in place, and networks secured from less trusted networks. But if your data flows to external partners, it's a bit like your children going for a sleepover at the neighbors'... You have very little visibility or control once they leave your home.
I believe that at its core, this issue is far less an "information security" issue and far more one of "risk management". The contract is key here. Not just in control and process assurances, but in indemnification and compensation. Perhaps a measure of success here is to really understand, identify and call out in the contract strong terms for financial and reputation damages.
Share your thoughts on this subject.