What metrics are most useful for measuring 3rd party risk?

CISO, 9 months ago

Evidence of secure development practices and associated tools and policies.
Evidence of Vulnerability and Exposure management schedule both past and future.
Metrics surrounding MTTR (Mean Time to Remediate) of high and critical severity vulnerabilities.
Evidence of continuing assessment and monitoring.
Access control approvals particularly access to production environments and internal network and applications.
Evidence of staff training and awareness.
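The MTTR metric named in this list is easy to get wrong when a vendor only reports closed findings. As an added example (not the commenter's code), the script below computes MTTR for critical/high findings from a constructed tracker export and, separately, ages still-open findings against an assumed per-severity SLA so an unremediated critical is counted rather than silently dropped. The SLA limits and the export format are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    finding_id: str
    severity: str            # "critical", "high", "medium", "low"
    opened: date             # date the finding was disclosed to the vendor
    closed: Optional[date]   # None while still unremediated

# Constructed sample export; not real vendor data.
SAMPLE_FINDINGS = [
    Finding("V-1", "critical", date(2024, 1, 2), date(2024, 1, 9)),   # 7 days
    Finding("V-2", "high", date(2024, 1, 5), date(2024, 2, 4)),       # 30 days
    Finding("V-3", "high", date(2024, 2, 1), date(2024, 2, 11)),      # 10 days
    Finding("V-4", "medium", date(2024, 2, 3), date(2024, 3, 4)),     # not in scope
    Finding("V-5", "critical", date(2024, 3, 1), None),               # still open
]

# Assumed SLA limits (days) per severity; adjust to the contract in force.
DEFAULT_SLA_DAYS = {"critical": 15, "high": 30}

def mttr_days(findings, severities=("critical", "high")):
    """Mean days from disclosure to remediation over closed findings only.
    Returns None when nothing in scope has been closed yet."""
    durations = [(f.closed - f.opened).days for f in findings
                 if f.severity in severities and f.closed is not None]
    if not durations:
        return None
    return sum(durations) / len(durations)

def sla_report(findings, as_of, sla_days=None):
    """Per severity: total findings, how many exceeded the SLA, how many are
    still open. Open findings are aged up to as_of so they count against
    the vendor instead of vanishing from a closed-only MTTR."""
    sla_days = sla_days or DEFAULT_SLA_DAYS
    report = {}
    for sev, limit in sla_days.items():
        subset = [f for f in findings if f.severity == sev]
        breached = sum(1 for f in subset
                       if ((f.closed or as_of) - f.opened).days > limit)
        report[sev] = {"total": len(subset), "breached": breached,
                       "open": sum(1 for f in subset if f.closed is None)}
    return report

if __name__ == "__main__":
    print("MTTR (critical/high, closed only):", mttr_days(SAMPLE_FINDINGS))
    print("SLA report:", sla_report(SAMPLE_FINDINGS, as_of=date(2024, 4, 1)))
```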

Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, 10 months ago

Here are three quick things to check when evaluating third-party risk: verify the vendor's compliance certifications (e.g., SOC 2, ISO 27001), review their incident history for any past breaches or security issues, and assess their financial stability to ensure long-term viability.

I STRONGLY recommend reviewing the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-171 for valuable insights into third-party risk management. The NIST CSF provides a structured approach to managing risks, focusing on key areas like identification, protection, detection, response, and recovery. Meanwhile, SP 800-171 outlines specific security requirements for protecting controlled unclassified information in non-federal systems. Together, these resources offer essential guidance for effectively managing third-party partnerships. You can access them at [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) and [NIST SP 800-171](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final).

Director of IT in Healthcare and Biotech, 10 months ago

For us it is what data is available to them and what their privacy policy is, as well as whether or not they have a SOC report that covers the services we are engaging with.