Feature - Third Party Reviews

It would be good if you could add a review button, like the one for assets, to third parties.

This would allow the 3rd party sponsors to confirm if the 3rd party is still current or if they have gone on an annual basis.

@eramba Will this feature come soon?

We can't understand the feature, can you please clarify a little bit? :slight_smile:

Sure, so in Assets you can have a Review Date for the Asset Owner to review the asset by setting a Notification. It would be helpful to have a Review Date for a Third Party so that the Sponsor can verify/review that the information about the Third Party is still accurate.


This should be standard practice for Due Diligence with your third parties. If they are a supplier, then you are probably giving them some data or they are giving you some service that could impact the security of your information systems. Companies typically do recurring reviews in this instance (usually every year) to ensure that the security posture has not changed, there were no major system upgrades or changes with the vendor, etc. We are consistently asked by our clients if we do recurring reviews on our vendors. Having a review date (with the associated email reminder using Cron) would be very helpful.

Hi, I know this topic is old but thought the response would be more appropriate here instead of adding a new topic.

I second the inclusion of Third Party Reviews (just as Eramba has it for Assets) and would basically go as far as to say that it is also highly desirable to link Assets to Third Parties as a standard feature. The rationale being that Assets like SaaS/PaaS/IaaS are inherently linked to a vendor supplying that asset. And such a vendor should be evaluated periodically, as scot_dewerth rightly points out. In that sense, the vendor is in my opinion also the appropriate “level” where such evaluations should be conducted given that:

  1. You can have a one to many relation (one vendor supplies multiple assets, think any of the big names);
  2. Often these reviews involve reading through Third Party Attestation reports (SOC1/2, ISAE3402/3000, ISO certifications and SOA). Many of the controls are applicable to the organizational level of the vendor which means that control objectives not being met can impact a host of assets and should then become a Third Party Vendor risk which ideally should be “seen” at the asset level too.

The questionnaire functionality is useful but in my opinion shines for checking security requirements of products during acquisition of vendors (i.e. asking the vendor if their product supports multi-factor authentication and can federate users via LDAP), or as a last resort if the vendor does not have a properly audited control system so that they can explain themselves in detail. I’m not going to send questionnaires to Google or AWS on a yearly basis for example, and I don’t need to as their assurance reports contain all the information I need.

The workarounds would be to create a default risk for all Third Parties that their operation is not evaluated. Or do it at the Asset level. But this seems cumbersome to me.

assets and third parties are linked through risks, when you review a risk you review all contextual information about that risk, including what assets and third parties it has associated.

you can run an OA (online assessment) against them, record their feedback as risks if applicable. the risk has reviews, as frequent as needed. if you want to test them against a set of questions and from their feedback their maturity, that can be done on OAs with custom fields. it is part of the customization phase of the OA use case:

you can use dynamic status to trigger labels, charts, etc… sample below.

that is the job of an OA in eramba.

note: in general vendor assessments are being replaced by third party accreditation (iso, soc2, pci, etc). saas vendors don't have time for customers pre-sales and customers of saas vendors don't have time or skills to review vendors. third party accreditations are a win-win for everyone.

haha… i would like to see their response to your email :slight_smile:

assets and third parties are linked through risks, when you review a risk you review all contextual information about that risk, including what assets and third parties it has associated.

Yes, I’m aware that they are linked through risks. But that is exactly my point: the relationship between a Third Party as a supplier and the asset they supply exists without the context of risk (or the better term to use is “threat”, because a risk is only a risk when it is not under control). Amazon will still supply AWS, even though there are no risks. Atlassian will still supply Jira, even though there are no risks.

you can run an OA (online assessment) against them, record their feedback as risks if applicable. the risk has reviews, as frequent as needed. if you want to test them against a set of questions and from their feedback their maturity, that can be done on OAs with custom fields. it is part of the customization phase of the OA use case:

The kind of review you are describing is for me a review which takes place in the acquisition phase of selecting a supplier. They are evaluation criteria that you use to establish if the supplier is a fit with the organization and what kind of up-front risk you might expect to manage.

OA doesn’t seem so useful for me in the context of Third Party Accreditation using SOC2, PCI, ISO reports/certificates. It is exactly why I think it would be a good feature to allow Third Parties to be reviewed without the context of risk, just as you are able to review an Asset without the need to define risk.

Note that vendors are often also reviewed outside of the information security/privacy context. You want to perform commercial reviews, evaluate fit for purpose, etc. on a regular basis too. The security/privacy context is then only a part of a larger evaluation (and whatever findings come out of the security/privacy context are sure food for discussion with such a vendor).