Tag Archives: tprm

NPRM

Back in January I wrote a post entitled “TPRM,” and I want to expand upon that post.

But first I want to talk about [REDACTED].

Because people who have been around for a while have heard the phrase that if you’ve ever had [REDACTED] with someone, you’ve had [REDACTED] with everyone they’ve ever had [REDACTED] with. At least in terms of [REDACTED] transmitted diseases. Lloyds Pharmacy Online even developed a “[REDACTED] degrees of separation” calculator to quantify that exposure.

Beyond third-party risk

But enough about [REDACTED]. Your company’s data and information are subject to similar threats.

I mean, it’s all well and great for you to adopt a third-party risk management system to make sure that your vendors and suppliers aren’t letting bad things happen to your data and information.

But guess what? All those third parties have third parties of their own.

Risk and Compliance Magazine explains:

A fourth party is an independent entity that provides services to you on behalf of your third-party service provider – also known as your third party’s third party. A fourth party is also known as a subcontractor or sub-outsourcer. Fourth parties have not signed an agreement with your organisation, so they do not have a legally binding obligation to your business. Your third party itself may subcontract all or some obligations of their agreement to you to another service provider.

An example

Let me delve into an example that I touched upon in my January post.

  • Let’s say that you did business with Bank of America.
  • You checked out Bank of America’s systems as part of your due diligence.
  • Perhaps you determined that everything was right and fine with the bank.
  • But it was NOT right and fine with one of Bank of America’s software providers, which is a FOURTH party to you.
  • So there’s this other system that you never contracted with.
  • But perhaps you’re one of the unlucky 414-plus Bank of America customers whose data was exposed because of this fourth party.

And the fourth parties have fifth parties, the fifth parties have sixth parties, and so fourth. I mean forth.

Making an impact

Luckily there are companies that provide aids not only to address third-party risk, but also nth-party risk when data is transmitted all over the place.

Hence my acronym NPRM, Nth-party risk management.

Which really stands for “notice of proposed rulemaking,” but what the hey.

Anyway, these companies and many other technology companies are making an impact.

But does anyone know what these companies are doing?

Perhaps Bredemarket can help your company make an impact with my content, proposal, and analysis services. If so, let me know.

(The image was created by Imagen 3.)

TPRM

(Imagen 3)

A little (just a little) behind the scenes of why I write what I write.

What does TPRM mean?

I was prompted to write my WYSASOA post when I encountered a bunch of pages on a website that referred to TPRM, with no explanation.

Now if I had gone to the home page of that website, I would have seen text that said “Third Party Risk Management (TPRM).”

But I didn’t go to the home page. I entered the website via another page and therefore never saw the home page explanation of what the company meant by the acronym.

They meant Third Party Risk Management.

Unless you absolutely know that everybody in the world agrees on your acronym definition, always spell out the first instance of an acronym on a piece of content. So if you mention that acronym on 10 web pages, spell it out on all 10 of them.

That’s all I wanted to say…

How is NIST related to TPRM?

…I lied.

Because now I assume you want to know what Third Party Risk Management (TPRM) actually is.

Let’s go to my esteemed friends at the National Institute of Standards & Technology, or NIST.

What is TPRM?

But TPRM is implied in a NIST document entitled (PDF) Best Practices in Cyber Supply Chain Risk Management. Because there are a lot of “third parties” in the supply chain.

When companies began extensively outsourcing and globalizing the supply chain in the 1980’s and 1990’s, they did so without understanding the risks suppliers posed. Lack of supplier attention to quality management could compromise the brand. Lack of physical or cybersecurity at supplier sites could result in a breach of corporate data systems or product corruption. Over time, companies have begun implementing vendor management systems – ranging from basic, paper-based approaches to highly sophisticated software solutions and physical audits – to assess and mitigate vendor risks to the supply chain.

Because if MegaCorp is sharing data with WidgetCorp, and WidgetCorp is breached, MegaCorp is screwed. So MegaCorp has to reduce the risk that it’s dealing with breachable firms.

The TPRM problem

And it’s not just my fictional MegaCorp. Cybersecurity risks are obviously a problem. I only had to go back to January 26 to find a recent example.

Bank of America has confirmed a data breach involving a third-party software provider that led to the exposure of sensitive customer data.

What Happened: According to a filing earlier this month, an unidentified third-party software provider discovered unauthorized access to its systems in October. The breach did not directly impact Bank of America’s systems, but the data of at least 414 customers is now at risk.

The breach pertains to mortgage loans and the compromised data includes customers’ names, social security numbers, addresses, phone numbers, passport numbers, and loan numbers.

Note that the problem didn’t occur at Bank of America’s systems, but at the systems of some other company.

Manage your TPRM…now that you know what I mean by the acronym.