TPRM Onboarding Guide

Overview

Third-party risk management is essential in cybersecurity, especially as organizations increasingly depend on external vendors, suppliers, and service providers. These relationships can introduce risks to your organization, such as data security breaches, financial instability, and operational disruptions. SAFE offers a comprehensive solution to help you assess and mitigate these third-party risks effectively.

Key Features

1. Risk Scenario Identification: SAFE identifies and assesses risk scenarios specific to third-party relationships, such as data breaches, supply chain disruptions, or regulatory non-compliance.

2. Breach Likelihood Calculation: SAFE calculates the likelihood of a breach within a specific risk scenario, considering threat actor capabilities, attack surface, and existing controls.

3. Loss Magnitude Estimation: SAFE estimates the potential financial loss associated with a risk scenario, factoring in business resources and assets.

4. Control Recommendations: SAFE provides actionable insights and recommendations for implementing or enhancing controls to mitigate identified risks.

5. Peer Benchmarking: SAFE offers industry benchmarks and peer comparisons, helping organizations assess their risk posture relative to industry standards.

Risk Management Process

1. Identify Third-Party Relationships: Catalog all third-party vendors, suppliers, and service providers, including associated business resources and assets.

2. Assess Risk Scenarios: Evaluate potential risk scenarios for each third-party relationship, considering data sensitivity, regulatory requirements, and service criticality.

3. Calculate Breach Likelihood and Loss Magnitude: Use SAFE's quantitative risk analysis to determine breach likelihood and estimate potential financial impact.

4. Implement Controls: Based on SAFE's recommendations, implement or enhance controls to mitigate identified risks.

5. Monitor and Review: Continuously monitor third-party relationships, reassess risk scenarios, and review the effectiveness of implemented controls, making adjustments as needed.

By leveraging SAFE's comprehensive third-party risk management capabilities, organizations can proactively identify, assess, and mitigate risks, ensuring the protection of sensitive data, business continuity, and regulatory compliance.

Step 1: Add Organization

To start managing third-party risks, the first step is to add your organization’s details into the SAFE platform.

How to Add an Organization

Individual Upload

• Purpose: This option is for uploading details of a single organization.

• How to Use?

  1. Navigate to the “Add Organization” section.

  2. Enter the organization's details as outlined below.

Bulk Upload

• Purpose: Use this feature to upload a list of organizations all at once.

• How to Use?

  1. Download the bulk upload template from the platform.
     

  2. Fill in the required details in the template.

  3. Upload the completed template to the platform.

Organization Details Required

1. Organization Name: Enter the name of the organization.

2. Domain: Input the organization’s domain or URL.

3. Revenue: Provide the revenue figure in USD. Enter the complete dollar amount.

4. Industry: Select the industry in which the organization operates.

5. Country of Service Delivery: Choose the country where the service is provided.

6. Assessment Type: Select the type of assessment.

7. Business Resource: Specify the business resource.

8. Inherent Risk: This field is not editable but computed from "Business Resource" input.

9. Tier 1: If Inherent Risk is enabled for your organisation, this field will be reflected here. Adjust tiers based on criteria like business resources (Network, Data, and others) and risk levels, and rename or modify them as needed.

10. Random Field: Fill in the random field if applicable. Sidharth Wahi What is this field for?
    

Once you've filled in the required information, proceed to the onboarding page.

Step 2: Complete the Onboarding Process

After adding the organization, you will land on the onboarding page, where you can fill out the following details:

• Overview: Displays onboarding status, aggregated risks, top control recommendations, top risk scenarios, and critical outside-in findings.

• Outside-In: Automatically selected for all third-parties, providing insights such as report cards and footprint details.

• Questionnaire: Fill out the Third-Party Financial Impact Questionnaire and other relevant questionnaires like NIST CSF, ISO 27001-2022, and SOC 2 Type 2 to assist in the security control assessment. Compliance assessments can be uploaded in PDF format.

• Assets: List and review critical assets associated with the third-party.

• Controls: View and assess third-party controls, including the top and worst-performing controls.

• Details: Review and update the organization details.

Step 3: Real-Time Visibility with Out-of-the-Box (OOTB) Risk Scenarios

SAFE offers OOTB Third-Party Risk Scenarios that are FAIR-compliant. These scenarios include:

• Ransomware without Data Exfiltration

• Data Exfiltration

• DDoS

Outside-In Assessment

The Outside-In assessment is triggered once a third-party is added, providing business context to outside-in findings. It includes:

• External Email Security Assessment: Using the primary domain.

• Digital Footprint Enumeration: Comprehensive entity attribution using the primary domain.

• Web Application Security Headers Assessment

• TLS/SSL Misconfigurations and Certificate Issues

• Open Ports Exposures

• Malware Servers Assessments

• DNS Security and TypoSquat Domains Assessment

IPs and domains are auto-onboarded as part of the assessment, and outside-in findings can be reviewed under the Threat Intelligence Program control.

Step 4: Questionnaire and Zero Trust Controls Assessment

Questionnaire Assessment

Assess Third-Party FAIR-CAM controls using the following questionnaires:

You can upload existing questionnaires to mark the maturity of FAIR-CAM controls and upload PDF reports for ISO 27001-2022 and SOC 2 Type 2 compliance documents.

Zero Trust Controls Assessment

For a deeper analysis, apply Zero Trust control assessment to understand the effectiveness of your controls towards third-parties. Create a separate group for this assessment, where you can:

• Onboard Technology and People Assets

• Configure Integrations

• Upload Questionnaires to Assess FAIR-CAM Controls

Step 5: Enterprise SaaS Product Capabilities and Third-Party Tiering

Third-Party Tiering

Introduce scientific tiering of third-parties based on loss magnitude using FAIR-MAM industry standards. This ensures that the most critical and risky third-parties receive the necessary attention. Loss magnitude thresholds are pre-set based on your organization’s revenue but can be modified as needed.

Step 6: Dashboard Reporting

For a quick overview of your organization, SAFE offers a preconfigured Organization Risk Dashboard. You can easily select this dashboard from the dropdown section in the dashboard menu. This dashboard provides at-a-glance insights into your organization's risk posture, allowing you to monitor key metrics and identify areas that require immediate attention.

Dashboard Reporting

SAFE supports multiple widgets for reporting, including:

• Worst Performing Organizations by Loss Magnitude: This widget highlights the organizations with the highest potential loss magnitude, helping you prioritize risk management efforts.

Why Use Custom Fields?

Custom fields allow you to:

• Capture Specific Data: Add unique identifiers or data points, such as IDs from other systems like Horizon.

• Tag Organizations: Categorize organizations based on specific criteria that are important to your business.

• Slice and Dice Your Portfolio: Use custom fields to filter and segment your portfolio, making it easier to analyze and manage your data.

How to Create and Use Custom Fields in SAFE

1. Create a Custom Field:

   • Go to Settings > Custom Fields. Click Add Custom Field.
     

2. Select category and add custom field details:

   • Pick a category for your custom field. You have two choices:

     1. Asset

     2. Organization

   • Give your custom field a name and fill in the required details.
     

3. Assign Custom Fields:

   • Your new custom fields will now appear in the Organization's Custom Field tab.

   • Select the custom field for the organization.
     

   • Use these fields to add organization-specific data. This data can then be used to filter and view particular segments of your portfolio.

By using custom fields, you can better manage and understand your organization's data in SAFE, making it work just the way you need it to.

Conclusion

By following this guide, you can seamlessly onboard into SAFE, taking full advantage of its third-party risk management features. SAFE provides a powerful and flexible platform to ensure that your organization is prepared to mitigate the risks associated with external relationships while maintaining a robust security posture.