CISO ADVISORS · SECURITY ADVISORY
3rd Party Risk
Management:
Building from Scratch
A Practical Guide to Standing Up a TPRM Program
From vendor inventory to ongoing monitoring — everything you need to protect against supply chain attacks
Ed Moore, CISSP · CISM · C-CISO · CEH | CISO Advisors | cisoadvisors.com
CISO Advisors · cisoadvisors.com · Confidential
1 / 12
WHY IT MATTERS
Third-Party Risk Is Your Risk
Many of the most significant breaches of the past five years trace back to a vendor, partner, or software supplier
2 / 12
62%
Of system intrusion incidents
came through a partner (Verizon DBIR 2022); the 2024 DBIR puts third-party involvement at 15% of all breaches, up 68% year over year
$4.76M
Average cost
of a third-party breach — higher than direct attacks
18,000
SolarWinds customers
downloaded the trojanized Orion update; fewer than 100 were then actively exploited
SolarWinds (2020)
Software supply chain
Trojanized Orion update reached ~18,000 customers; US Treasury, DOJ, DHS among those compromised
Change Healthcare (2024)
Healthcare clearinghouse
~190M individuals' data exposed; reported $22M ransom paid; claims processing and pharmacy billing disrupted across the US for weeks
MOVEit (2023)
Managed file transfer software (SQL injection zero-day in MOVEit Transfer, exploited by the Cl0p extortion group)
2,700+ organizations; 95M+ individuals; $10B+ estimated total impact
Kaseya (2021)
IT management software (Kaseya VSA, used by MSPs)
~1,500 downstream businesses hit with REvil ransomware via an exploited zero-day in on-prem VSA servers at roughly 50 MSPs
PROGRAM STRUCTURE
The 5-Layer TPRM Program Architecture
A complete TPRM program has five distinct functions — each is required for an effective program
3 / 12
Layer 1
Vendor Inventory & Classification
Maintain a complete, current inventory of all third parties with data access or system connections. Classify by risk tier (Critical, High, Medium, Low) based on data access and criticality.
Layer 2
Onboarding Due Diligence
Security assessment before any vendor is approved. Questionnaire, SOC 2 review, pen test results, insurance verification. Higher-risk vendors require deeper assessment.
Layer 3
Contract & Legal Protections
Data Processing Agreements (DPA), right-to-audit clauses, security requirements in contracts, breach notification SLAs, liability and indemnification.
Layer 4
Ongoing Monitoring
Annual reassessment for high-risk vendors, continuous monitoring via tools (SecurityScorecard, BitSight), breach notification tracking, performance against SLAs.
Layer 5
Offboarding & Termination
Access revocation, API key and credential rotation, data return and certified deletion, contract termination, lessons learned.
RISK TIERING
Vendor Risk Tier Classification
Not all vendors need the same level of scrutiny — tier your vendors by risk to focus effort where it matters
4 / 12
Tier 1 — Critical
Review: Annual full assessment + quarterly check-in + continuous monitoring
Criteria: Accesses, processes, or stores Restricted/PHI data; OR core business operations depend on this vendor; OR vendor has privileged access to systems
Examples: Cloud providers (AWS/Azure/GCP), healthcare clearinghouses, payroll processors, core ERP vendors
Tier 2 — High
Review: Annual assessment + SecurityScorecard monitoring
Criteria: Accesses Confidential data; OR provides security-relevant services (MSSP, MDR, pen testing); OR significant revenue dependency
Examples: SaaS productivity tools (Salesforce, Workday), security vendors, major IT suppliers
Tier 3 — Medium
Review: Biennial assessment; questionnaire only
Criteria: Accesses Internal data; limited integration; low business criticality
Examples: Marketing tools, analytics platforms, minor SaaS tools
Tier 4 — Low
Review: Standard procurement contract review; no security assessment required
Criteria: No access to company data; no system integration; commodity services
Examples: Office supplies, catering, facilities vendors without system access
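The tiering rules and review cadences above are a decision procedure, so here they are as a small Python tracker that classifies an inventory, derives the next review date from the tier, and flags what a quarterly TPRM meeting would want to see: overdue or never-done assessments, missing DPAs, expired SOC 2 reports, and poor external ratings for continuously monitored tiers. This is an added example, not code from the deck or from any TPRM product; the inventory records, the field names, the data classification ladder (Restricted > Confidential > Internal > Public) and the "C" rating floor are all assumptions constructed for the example.

```python
"""Vendor inventory tiering and review scheduling (added example, not from the deck)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    CRITICAL = 1
    HIGH = 2
    MEDIUM = 3
    LOW = 4


# Assumed classification ladder; higher rank = more sensitive data.
DATA_RANK = {"none": 0, "public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Review cadence from the tier table: annual for Tier 1/2, biennial for Tier 3, none for Tier 4.
REVIEW_INTERVAL_DAYS = {Tier.CRITICAL: 365, Tier.HIGH: 365, Tier.MEDIUM: 730, Tier.LOW: None}
CONTINUOUSLY_MONITORED = {Tier.CRITICAL, Tier.HIGH}
RATING_FLOOR = "C"  # assumption: an external letter rating worse than this needs follow-up


@dataclass
class Vendor:
    name: str
    data_class: str = "none"          # highest classification of data the vendor touches
    handles_phi: bool = False
    core_operations: bool = False     # core business operations depend on this vendor
    privileged_access: bool = False   # privileged access into our systems
    security_service: bool = False    # MSSP, MDR, pen-test provider
    revenue_dependency: bool = False
    system_integration: bool = False
    last_assessment: Optional[date] = None
    soc2_report_expires: Optional[date] = None
    dpa_signed: bool = False
    external_rating: Optional[str] = None  # e.g. "A".."F" from a rating service


def classify(v: Vendor) -> Tier:
    """Apply the tier criteria top-down; the first matching tier wins."""
    rank = DATA_RANK[v.data_class.lower()]
    if v.handles_phi or rank >= DATA_RANK["restricted"] or v.core_operations or v.privileged_access:
        return Tier.CRITICAL
    if rank >= DATA_RANK["confidential"] or v.security_service or v.revenue_dependency:
        return Tier.HIGH
    if rank >= DATA_RANK["internal"] or v.system_integration:
        return Tier.MEDIUM
    return Tier.LOW


def next_review_due(v: Vendor) -> Optional[date]:
    """None means no assessment is required; date.min means never assessed (due now)."""
    interval = REVIEW_INTERVAL_DAYS[classify(v)]
    if interval is None:
        return None
    if v.last_assessment is None:
        return date.min
    return v.last_assessment + timedelta(days=interval)


def findings(v: Vendor, today: date) -> list:
    """Return the open issues for one vendor as of `today`."""
    tier = classify(v)
    out = []
    due = next_review_due(v)
    if due is not None and due <= today:
        out.append("never assessed" if v.last_assessment is None
                   else f"assessment overdue since {due.isoformat()}")
    if DATA_RANK[v.data_class.lower()] >= DATA_RANK["internal"] and not v.dpa_signed:
        out.append("no signed DPA")
    if tier in CONTINUOUSLY_MONITORED:
        if v.soc2_report_expires is not None and v.soc2_report_expires < today:
            out.append("SOC 2 report expired")
        if v.external_rating is None:
            out.append("not enrolled in continuous monitoring")
        elif v.external_rating.upper() > RATING_FLOOR:   # "D" > "C" in letter order
            out.append(f"external rating {v.external_rating} below floor {RATING_FLOOR}")
    return out


def review_queue(vendors, today: date):
    """Vendors with open findings, ordered by tier then name (Tier 1 first)."""
    rows = [(classify(v), v.name, findings(v, today)) for v in vendors]
    return sorted((r for r in rows if r[2]), key=lambda r: (r[0], r[1]))


# Constructed sample inventory for the example (not real vendors).
TODAY = date(2025, 6, 1)
INVENTORY = [
    Vendor("cloud-iaas", "restricted", core_operations=True, privileged_access=True,
           last_assessment=date(2024, 3, 15), soc2_report_expires=date(2025, 3, 31),
           dpa_signed=True, external_rating="A"),
    Vendor("payroll-saas", "restricted", dpa_signed=True, external_rating="B"),
    Vendor("mdr-provider", "confidential", security_service=True, last_assessment=date(2024, 9, 1),
           soc2_report_expires=date(2026, 1, 31), dpa_signed=True, external_rating="D"),
    Vendor("web-analytics", "internal", system_integration=True, last_assessment=date(2023, 2, 1)),
    Vendor("office-catering", "none"),
]

if __name__ == "__main__":
    for tier, name, issues in review_queue(INVENTORY, TODAY):
        print(f"Tier {int(tier)} {name}: " + "; ".join(issues))
```

Running it lists the four vendors with open items and leaves the Tier 4 caterer out entirely, which is the point of tiering: the work queue is driven by data access and criticality, not by vendor count. The ordering rule in `classify` matters; a vendor is evaluated against the Critical criteria first so that a "marketing tool" which happens to hold Restricted data lands in Tier 1 regardless of how procurement labelled it.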
ASSESSMENT PROCESS
Vendor Security Assessment Framework
What to ask vendors — and how to evaluate the answers
5 / 12
Assessment Domain
Key Question to Ask Vendor
Information Security Program
Do they have a CISO or dedicated security team? Current ISO 27001 cert or SOC 2 Type II report?
Access Control & IAM
How do they control access to your data? MFA enforced? Privileged access managed?
Data Protection & Encryption
Encryption at rest and in transit? Key management? Data residency confirmation?
Incident Response
Do they have a tested IR plan? What is their contractual breach notification SLA to customers? 72 hours matches the GDPR Art. 33 deadline for notifying a regulator, so set the vendor's SLA shorter (24 to 48 hours is typical) to leave room for your own obligations.
Vulnerability Management
Do they run a VM program? When was last penetration test? Can you see the report?
Business Continuity / DR
RTO/RPO for services you depend on? Have they tested it?
Sub-processors & Fourth Parties
Who do THEY share your data with? Do you have visibility and approval rights?
Regulatory Compliance
Are they compliant with applicable regulations (HIPAA BAA required for PHI, PCI DSS for card data)?
TECHNOLOGY
TPRM Tools & Technology Landscape
Platforms and tools to automate and scale your third-party risk program
6 / 12
Risk Rating / Continuous Monitoring
SecurityScorecard
A – F ratings; continuous monitoring; breach alerts
BitSight
Industry-leading ratings; insurance integration
UpGuard
Strong for SMB; good questionnaire integration
TPRM Platforms (Full Lifecycle)
Prevalent
Questionnaires + risk rating + contract management
OneTrust VendorPedia
Enterprise TPRM with privacy and GRC integration
ProcessUnity
Workflow automation for large vendor portfolios
Document & Questionnaire Management
CAIQ (CSA)
Cloud vendor security questionnaire standard
SIG Questionnaire (Shared Assessments)
Industry standard security questionnaire
HECVAT (EDUCAUSE)
Higher Education Community Vendor Assessment Toolkit; the vendor assessment standard for higher education
For organizations < 200 vendors: Start with SecurityScorecard + SIG Questionnaire + a shared spreadsheet tracker. Add a platform when volume demands it.
KEY TAKEAWAYS
Action Items & Next Steps
Third parties account for a large share of breaches (62% of system intrusion incidents in the 2022 DBIR): TPRM is not optional for any serious security program. The 2013 Target breach began with credentials stolen from its HVAC vendor.
Start with a vendor inventory — you can't manage risk you don't know exists
Tier vendors by risk — not all 500 vendors need the same scrutiny as your cloud provider
Annual full assessment plus quarterly check-in for Tier 1 vendors; continuous monitoring via SecurityScorecard/BitSight for Tiers 1 and 2
A signed DPA and breach notification SLA must exist before any vendor touches your data
CISO Advisors · Ed Moore
emoore@cisoadvisors.org · cisoadvisors.com
12 / 12