
3.10A Third Party Risks



Risk practitioners should evaluate and determine the risk related to outsourcing business processes. They should ensure that ownership of the data and processes remains with the organization. Risk practitioners should ensure that third-party service providers have appropriate controls to address the organization's security requirements as well as regulatory requirements. They should also ensure that the organization's security requirements are addressed in the outsourcing contract, so that the service provider is contractually bound to comply with them. The service level agreement should declare the jurisdiction of the agreement and which courts would hear any dispute related to the terms and conditions of the contract.


Right to Audit Clause



A periodic audit is the most effective method to ensure that the service provider is complying with the security requirements of the service receiver. The service level agreement should include clauses granting the right to audit the systems and processes of the service provider. The service provider may not allow the service receiver to audit it directly; in such cases, there should be a provision for compliance to be assessed by an independent auditor. If no such provision is included in the agreement, the service receiver has no way to verify compliance or the proper handling of its data.


Subcontracting / Fourth Party



The service level agreement should specifically restrict subcontracting to a fourth party. If it is allowed because of a business requirement, risk practitioners should consider the risk of subcontracting: the service receiver generally has no control over the fourth party. The subcontracting arrangement has to be thoroughly reviewed when the process involves sharing critical data.



Impact of Privacy Laws on Outsourcing


Risk practitioners should also ensure that laws and regulations are adhered to when a process is outsourced. For example, privacy law may prevent the storage of personal data at offshore locations.


Compliance Responsibility



The service receiver retains responsibility for ensuring compliance with regulatory requirements. The service receiver is deemed to be the owner of the data and is responsible for its safe custody. If the service provider fails to safeguard the data, the regulatory authority will generally hold the outsourcing organization responsible for non-compliance and take appropriate action, including penalties.


Key aspects from CRISC exam perspective


CRISC Question: What is the most important consideration for a risk practitioner while reviewing an outsourcing control?
Possible Answer: Whether security requirements are addressed in the contract

CRISC Question: What is the most important consideration for storage of private data at an offshore location?
Possible Answer: Privacy laws may prevent a cross-border flow of information.

CRISC Question: Who will be responsible for regulatory non-compliance? Service receiver or service provider?
Possible Answer: Organization that outsources the work (i.e. service receiver)

CRISC Question: Best method to protect the confidentiality of data being transmitted over a network
Possible Answer:
  • Encapsulating the data packets
  • Encryption

CRISC Question: Best security measure when a third party is engaged in application development
Possible Answer: To conduct a security code review for the entire application to detect all the malware including back doors.

