Management of 3rd Party Risks

What Sets Our Services Apart
Our security experts have decades of combined experience providing documentation, 3rd party due diligence, engineering, consulting, and training services with respect to many different security frameworks and sources of regulatory guidance, including: NIST, ISO, COBIT, SANS, FTC, SEC, CFTC, FFIEC, NYDFS, FINRA, and HIPAA/HITECH.

Our SANS- and CISSP-certified engineers, white hats, and technical policy (C&A) specialists have the ability to parse and apply these standards in detail, and, because we are an engineering firm with a bench of more than 350 developers, architects, DBAs, and cyber specialists, we are able to properly apply these standards and deliver value by vetting, integrating and monitoring your internal and 3rd party risk data.

Our 3rd Party Risk Management Services
Our 3rd party risk management services can be tailored to meet the operational, training, and reporting needs of your organization. They include the following:

Data Mapping

  • Scans and Verification of 3rd party Data Flows
  • Construction and Application of 3rd party-focused Use Cases

Technical Documentation

  • Creation of 3rd party Risk Policy Documentation
  • Periodic (Quarterly) Documentation Updates

Due Diligence & Verification

  • Mapping and Direct Interface with Key 3rd parties
  • Comprehensive 3rd party Risk Reviews and Documentation (completed by NES Cyber)
    • Independent and Data-driven
    • Includes: 3rd party Contract and Service Level Agreements (SLAs) Reviews
  • Periodic or Event-driven Risk Check-ups and Documentation Updates
  • Identification and Prioritization of 3rd party Risk Factors

Prioritization of Vulnerabilities

  • Custom “Heat Mapping” to Assess/Address: Client and System Access Controls, Patch Levels, Personnel Training Levels, etc.

Remediation (Engineering Fixes)

  • E.g. Access Controls, Encryption, Firewalls & Segmentation, IDS/IPS, Netflow Analysis
  • E.g. Malware or Threat Actor Identification and Eradication
  • E.g. Incident Handling & Response (On-site)

Periodic Reviews and Updates

  • Ongoing (Quarterly) Monitoring of 3rd party Controls
  • Ongoing (Quarterly) Reporting on 3rd party Data Flows

Training regarding 3rd Party Risk Management

  • Staff Training
  • Advanced Training for: Compliance staff, IT Staff (internal or external), and Senior Management