Saturday, February 04, 2012


Business, legal and regulatory risk management focuses heavily on the environment we control, the world inside our borders. But what about the risk posed by our third party suppliers and partners? Increasingly, damage to business reputation and financial loss result from control failures in these relationships. Agenci provide experienced solutions for the assessment and management of third party data privacy and controls.

Agenci specialise in third party and partner assurance, from technical assurance of data centres and call centres to business-focused assurance of partners delivering marketing services. We have reviewed thousands of client suppliers and partners. Agenci are experts in industry control frameworks including SAS70, PCI DSS, ISO 27001, the Data Protection Act and third party governance.

Outsourced Solutions

Due Diligence

Before entering into a relationship with a supplier we perform a due diligence service that covers financial, business and technical capability and validity. The due diligence service informs our clients and allows them to make decisions, seek pre-engagement remediation or work on mitigations. Our technical due diligence can cover infrastructure, hosting, development, applications and call centres, to name a few.

Third Party Management

We provide a full third party management service for our clients, covering due diligence, procurement, contract management, engagement, service level management and review.

Third Party Assurance

We provide a full third party assurance service that covers the modules presented here and also includes all intellectual property developed with our client, training and awareness, and lower fixed-price costs.



Modules

Third Party Identification

We help clients to identify their third party suppliers and partners. We can deliver third party processes and associated intellectual property to simplify and coordinate third party identification. Often we find that many departments and individuals hold lists of the third parties they engage, but there is no organisation-level overview. If you do not know the third party landscape you cannot begin to understand the risk to your reputation and assets.

Third Party Risk Assessment

Different third party suppliers and partners will pose different risks to an organisation based on what services they provide and on the organisation's internal risk management methodology. We can deliver third party risk management and associated intellectual property where an organisation has no internal methodology. Alternatively, we can incorporate an organisation's existing methodology and ensure it is applied.

Third Party Prioritisation

We prioritise based on risk assessment and business knowledge. The reason to prioritise third parties is to ensure effective and targeted use of resources to reduce the biggest risks to reputation and assets. We seek to split the third parties into 10% highest priority, 70% medium priority and 20% lowest priority by engaging relevant parts of the business in the process and ensuring organisation-wide agreement.

Data and Asset Mapping

We map the assets and data that our clients share with third party suppliers and partners to ensure that the right assets and data are being shared with the right organisations, and that only what is needed is shared. Relationships often develop over time and are historic, so assets and data that are no longer required are still being shared. We also work with the third party to fully understand where the assets and data are transmitted, stored, processed and further shared, and with which of their own third parties.

Contract Identification and Review

We identify and review all relevant contracts for third party suppliers and partners, with particular emphasis on clauses for liability, right to audit, and asset and data protection obligations. We find that in most cases organisations do not have contracts in place with their third party suppliers and partners.


Administrative Review

We perform an administrative review that includes the management of a third party questionnaire, tracking and associated follow-up for remediation. The questionnaire is based on legal, regulatory and industry standards and can be tailored if required. Typically an administrative review is performed as a foundation for all third parties.

Evidence Based Review

We perform a detailed evidentiary review of the controls that are in place. This includes a review of policy and procedure documentation, interviews with key third party staff, an onsite visit and a detailed review pertinent to the services that the third party provides.

Legal and Regulatory Review

We perform a review of the legal and regulatory requirements as applied to our client's instance or installation. Often an organisation is accredited to ISO 27001, SAS70 or PCI DSS, but that does not mean that our clients are compliant: it comes down to the scope and applicability of the third party's compliance. We audit and review this and track remediation where required.

Data Centre Review

We perform detailed data centre reviews that include administrative controls, third parties involved in the service offering, a physical security review, an audit of the installation against the contract, and a risk and security assessment. Just because a data centre is large or accredited as being secure does not mean that our client's installations are.

Internal Report

We provide detailed internal reports for evidentiary reviews. We provide summary management information, gap analysis, tracking information, remediation status and weekly updates for all reviews. Not all actions will lie with the third party, and these are also laid out in our internal reports.

External Report

We provide sanitised, focused remediation reports that are shared with third parties and include elements only pertinent to them.

Agreed Remediation Plan

We work with our clients and the third party to agree the prioritisation of the findings: which will be addressed, by when, and which will be accepted.

Remediation Tracking

We track the third party through their remediation to completion based on mutually agreed priority and timelines.


Copyright 2011 by The Agenci Ltd