Our Sentinel service range is just what it says – we watch for risks your organisation faces. Assurance sentinel focuses on several areas – one of them on third parties.
Lots of people say this, but what does it mean for your organisation? Let’s start with the basics:
What is Assurance Sentinel?
You may need to do something to understand IT or security controls in your suppliers. Why? It’s most likely a regulatory requirement – for example through the Digital Operational Resilience Act or similar. Possibly you need to do something because a client is regulated (and needs you to comply with similar standards). Or perhaps you need to maintain an accreditation that requires this. The principle is fine, but how do you do this in an efficient way? And, perhaps equally important, what do you do with the information you get back?
Assurance Sentinel handles this for you. We:
- help you identify your supplier base and assess both the risk they pose to your security or compliance and the areas you need to get assurance over.
- Communicate your security requirements to these suppliers, to make sure they know what they need to do.
- Review supplier accreditations and certifications and map these to what you need. This will save time and effort all round.
- Contact your higher risk suppliers with a unique assessment to determine the controls they have in place.
- Issue a report of potential improvements to the supplier, and track improvements with them. Where it helps, we can share expertise, templates and methods to help drive compliance.
- Summarise our evaluations and present risks to you. We’ll then keep updating you on your suppliers progress to improve matters.
An example case study:
We worked with a small, regulated supplier with an international footprint.
Taking time to understand their business, we identified three third parties that really mattered to their security. After a little digging, we also found almost ten fourth-party suppliers that directly impacted their service. So, there were 10-15 suppliers that, if they suffered a breach, would have a significant impact on information and cyber security.
We also worked with the client to understand their requirements and risk. Information security was, for them, front and centre, and they had a well-defined information security policy. This made things easier, because we could quickly identify what security meant for them, and we prepared an Assurance Sentinel framework. These were the parameters we’d assess the supply chain partners against.
We researched the suppliers, contacted them through the client and identified the majority had relevant third-party assurance reports. In this case, most were either accredited to an established security framework or had a current SOC2 Type2 certification. This was great, as both the SOC2 reports, and security accreditations mapped straight through to the Assurance Sentinel Framework. We understand SOC2 and security assurance and mapped the reports to the Assurance Sentinel Framework easily.
This left a minority of suppliers with no accreditation and no SOC2 report. We approached them with a set questionnaire designed to collect the information we needed. We have automated this process, so it was relatively painless for all parties. A bonus for the supplier was they got the output audit report and action plan within hours of completing the assessment. So, they saw what their client saw, and were invited to outline how they would address the small number of gaps in their approach.
We summarised the results and issued summary and detailed reports to our client. They then integrated this with their risk approach. In the months since the initial work, we’ve helped the supplier address the gaps identified (when asked, of course!) and reported progress through to our client.
All told, the supplier met their obligations for third party assurance in an efficient way. The supplier improved their security and deepened their relationship with our client.
Conclusion
That’s one example of our Assurance Sentinel service. It’s young, but well received so far. If you have questions, please get in touch.