CISOs learn about new data breaches and ransomware every day. So, they put more pressure than ever on their third-parties to provide evidence that they have a strong cybersecurity program. With all the different types of assessments and certifications out there, what’s the definite proof that a third-party can be trusted?
“The more we can assess and test security, the more able we are to calculate the risk of choosing a certain third-party”, says Jon Washburn, CISO at Stoel Rives LLP, and member of the LS-ISAO.
Due to the nature of the services a legal organization needs to secure, it only makes sense that law firms request in-depth certifications and assessments from their vendors that access, process, store and/or transport data… whether those services are provided using technology installed on premise, or in the cloud. Clients put the same pressure on their outside counsel, increasingly requiring a similar level of certification and attestation from their law firms that their security programs are well-developed and that their controls are strong.
Some clients even get deep into insurance requirements, or management of fourth-party risk (including subcontractors and their sub-subcontractors). “Everybody wants to manage that risk somehow, but I don’t think everyone has quite figured out exactly how”, acknowledges Mr. Washburn.
As an experienced executive in the information security field who leads the Stoel Rives LLP information governance and ISO 27001-certified security program, Mr. Washburn thinks that “learning how the vendor is like on the inside using questionnaires or self-assessments” might not be enough.
“I want assurance from a third-party that someone has looked at their organization and verified that they are not just good at identifying strong cyber security controls, but at implementing them”, he states.
Below is a recap of the conversation we had with Jon around ways to assess third-party risk within the legal services industry.
Mr. Washburn, how can a company make sure a third-party meets the necessary security requirements?
One of the things we see a lot when we ask for documentation, especially from smaller organizations, is that they’ll send us their data center provider’s SOC report or certifications. My response to that is, ‘I’m glad you chose a reliable data center provider, but that doesn’t tell me anything about your controls’. That’s the moment when they usually realize they don’t have a mature program in place to be able to demonstrate to us that we can trust them.
Any good security program relies on a qualified external party to regularly perform audits. I regularly pay other people to come and check us to make sure we’re doing the right thing, because I want to have a strong cybersecurity program. I expect our vendors and third-parties to do the same, and at least annually use an external, neutral, qualified auditor to assess them and confirm that they have implemented strong controls – most often either by certifying to an international standard such as ISO 27001, or by being assessed against the Trust Services Criteria used in a SOC audit (or both).
Depending on the level of risk, there are times when we might accept a self-assessment/response to a questionnaire while onboarding a vendor, provided they are also able to include the executive summary from their two most recent third-party penetration and vulnerability test assessments.
What’s the value of having an external auditor check cybersecurity?
Having an unbiased qualified assessor come in and objectively audit a program against an established standard can help us determine how well an organization’s cyber security program has been designed and implemented.
It doesn’t make sense for our organization to assume the expense of annually performing our own audit of every third party. Instead, we expect our third-parties to pay a certified qualified auditor to assess them every year and then share that result with all their customers as required. It cuts down the time it takes for them to respond to audits by their customers because they have one audit that they can share with everyone, and it eliminates the need for each of their customers to individually expend resources on third-party auditors.
What certifications are needed to assess a third-party within the legal services industry?
It depends on the services, and the degree to which you intend to warrant strong information security and governance.
In our case, the third-parties we depend on the most to store, transport, and process our information need to at least annually provide SOC-2, Type 2 attestations. Depending on the type of information accessed, additional certifications such as ISO 27001, ISO 22301 and HITRUST CSF may be required. Cloud services where we store backups, host data and collaborate on files also have to comply with data privacy regulations such as HIPAA, GDPR and CCPA.
What about organizations that don’t have certifications? Where do they start?
As a member of the LS-ISAO, I’ve been hearing a lot of conversations around the Standardized Information Gathering (“SIG”) questionnaire from Shared Assessments. It’s a great starting point for an organization to benchmark its cybersecurity program, and it can be combined with the executive summary from their last two penetration/vulnerability assessments to provide a foundation for establishing trust in their program with their customers.
I think every organization that has confidential information, and wants to show that they are taking cybersecurity seriously, should be engaging a qualified auditor to audit their cyber security program at least once a year.
To learn more about how ThirdPartyTrust can help you manage third-party risk, request your free trial now:
