
Why Audit a Third-Party Cybersecurity Risk Management Framework

  • Writer: Benoit Lescot
  • Apr 23
  • 5 min read

Comprehensive strategies to mitigate vendor-related cyber risks through robust governance, policies, and operational controls across the third-party lifecycle.




To audit Third-Party management, we will follow the steps described in the sections below.

Why audit Third-Party Management?

Third-party cyberattacks—also known as supply chain attacks—have become one of the most dangerous threats for major companies. These attacks exploit vulnerabilities in a company’s partners, suppliers, service providers, or vendors, which often have weaker security postures or privileged access. Here are the main types of cyberattacks stemming from third parties.

  1. Software Supply Chain Attacks: attackers compromise legitimate software updates or development pipelines of trusted vendors to push malicious code. Examples:

    • SolarWinds (2020): Attackers inserted malware into a legitimate update of the Orion platform, affecting thousands of organizations globally.

    • 3CX (2023): A trusted VoIP provider’s software was compromised and used to push malware to client systems.

  2. Third-Party Data Breaches: a vendor suffers a breach, exposing the sensitive data of its client companies.

    • Example: MOVEit (2023): A zero-day vulnerability in the file transfer service MOVEit was exploited by the Cl0p ransomware group, affecting governments, banks, and corporations via their file exchanges.

  3. Credential and Access Abuse: attackers gain access to company systems using stolen or weak credentials from third-party vendors with network access.

    • Example: Target (2013): Attackers compromised HVAC vendor credentials to access Target’s internal network, leading to the theft of 40 million credit card records.

  4. Cloud and Managed Service Provider (MSP) Exploits: MSPs or cloud services are attacked, giving threat actors indirect access to their clients' environments.

    • Example: Kaseya (2021): The REvil group exploited a vulnerability in Kaseya’s VSA software used by MSPs, deploying ransomware to hundreds of downstream companies.

  5. Hardware and Firmware Backdoors: insertion of malicious components or firmware in hardware devices during manufacturing or distribution. Often alleged in state-sponsored operations (e.g., claims around motherboard manufacturers), though harder to prove.

  6. Phishing and Business Email Compromise (BEC) via Vendors: attackers impersonate or compromise a vendor’s email account to send phishing messages or fraudulent invoices.

    • Example: A supplier’s compromised email sends fake invoice requests to the finance department of a major company.

  7. Open Source Dependency Poisoning: malicious code is inserted into widely used open-source libraries, which are then pulled into corporate applications. Examples:

    • Log4Shell (2021): Vulnerability in Log4j, a ubiquitous Java logging library, impacted countless systems.

    • npm package attacks: Attackers upload malicious clones or updates to common Node.js packages.


How to audit Third-Party Management?


1.1 Governance

A mature governance framework requires integrated policies covering the entire third-party relationship lifecycle. These foundational elements establish clear security expectations, classification criteria, and enforcement mechanisms to protect enterprise assets.





1.2 Policy

Are the following subjects scoped in the Third-Party Management Policy?

1.3 KPIs/KRIs to follow and to leverage


Are the following KPIs and KRIs reviewed by the CIO, CISO and the ExCom members in charge of cybersecurity?


  2. Sourcing & Selection

During the RFP, cybersecurity and privacy-law compliance requirements must be stipulated; otherwise the company is exposed to the following risks:

  1. Cybercriminal Acts and Financial Losses

    • Weak security integration in RFPs can expose the company to attacks via third-party solutions.

  2. Theft or Leakage of Information

    • If cybersecurity requirements are missing or delayed, sensitive data can be compromised during implementation or operations.

  3. Delays in Project Implementation

    • Cybersecurity validation after selection can slow down timelines when gaps are discovered late.

  4. Additional Costs to Cover Security Requirements

    • If IT security is not addressed early in the RFP, retrofitting security post-selection may incur unplanned costs.


During the sourcing stage, assessing the risk of the third party matters.

  3. Contract formalization

    Once the third party is selected, contractual integration of security requirements sets clear expectations and legal leverage. These clauses transform security from advisory to mandatory and establish mechanisms for visibility and enforcement throughout the relationship.

An exhaustive contract template is necessary; the list of KPIs and contractual clauses to integrate is given at the bottom of the page.


With the rise of SaaS, there is a significant Shadow IT risk: business departments can purchase IT services without any involvement of Legal or IT Security.


  4. Onboarding


Access controls represent the first line of defense against third-party compromises. Implementation should follow least-privilege principles with complete documentation of approvals, regular reviews, and technical enforcement mechanisms.


A structured exception management process can transform security "bypasses" into visible, controlled, and time-limited risks. This process balances business needs with security requirements while maintaining executive visibility and accountability.





Creating accountability structures transforms security from a one-time assessment into ongoing collaboration. This framework provides clarity on responsibilities and establishes regular touchpoints to address emerging risks before they become incidents.




  5. Supplier Review Cadence


Regular structured reviews transform security from static requirements into dynamic oversight. This cycle ensures continuous validation of security controls, provides early warning of degradation, and maintains accountability throughout the relationship lifecycle.





  6. Measure performance and monitor security posture


Effective monitoring combines automated tools, regular reporting, and technical validation to provide a comprehensive view of vendor security status and emerging risks.

Platforms like Cybervadis and UpGuard provide automated, continuous visibility into vendor security posture changes.



Pros of a cybersecurity maturity platform

A single tool shared by all entities avoids duplicated effort.

  7. Critical Points to Review Upon Third-Party Contract Termination


In the off-boarding process, a comprehensive checklist and appropriate controls should be formalized to:

- Terminate user access and connections of the third parties. The risk is to leave an access open to a third party, which might expose the company to data breaches or alterations after the end of the contract.

- Recover data and have them deleted by the third parties. Based on the answers to our questionnaire, entities request certificates of data destruction from the third party once the

List of KPIs and contractual clauses to integrate in a contract with Third-Parties:

🔐 Security Operations & Monitoring

  • Number of security incidents by criticality over the past year

  • Rate of resolution of incidents by the Security Operation Center (SOC)

  • Rate of vulnerability resolution

  • Proportion of encrypted data

🛠 Vulnerability Management

  • Number and rate of vulnerability scans (application & infrastructure) over the last year

  • Number of uncorrected critical or major vulnerabilities (application & infrastructure)

  • Number of critical or major unpatched vulnerabilities (by year and scope)

🧑‍💼 Access Management & Audit

  • Date of last review of administrative accounts

  • Number of people who left the project but retained access to the client's IS

  • Number of people who misused access and associated sanctions

  • Number of accesses per application required for assignment execution

  • MFA (Multi-Factor Authentication) implementation rate on workstations

💻 System & Infrastructure Controls

  • Operating systems and versions of workstations used

  • Rate of assets equipped with Endpoint Detection & Response (EDR)

  • List of stakeholders on the mission scope

🔄 Backup & Recovery

  • Date of last application restore test

  • Date of last database restore test

  • Date of last disaster recovery test on the backup environment

  • Date of last application recovery test and related tests (recovery, restore, DR)

📜 Compliance & Certifications

  • PCI-DSS Certificate of Compliance (annually provided)

  • Rate of subcontractors compliant with cybersecurity policies

  • Staff awareness of cybersecurity requirements

🧾 Documentation & Tracking

  • Date of last update to the project directory

  • For application development: number or frequency of code audits
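As an added example, not code from the original article, the following Python computes three of the indicators listed above from a constructed export of third-party accounts joined with the contract register: people who left the engagement but retained access (the off-boarding risk of section 7), the MFA enrolment rate, and admin accounts whose last review is older than a review window. The record layout, the 90-day review window and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class VendorAccount:
    # Assumed layout: IAM attributes joined with the contract register.
    user: str
    vendor: str
    contract_end: Optional[date]      # None means the engagement is still running
    enabled: bool
    mfa_enrolled: bool
    is_admin: bool
    last_admin_review: Optional[date] = None

# Constructed sample export (not real data).
SAMPLE = [
    VendorAccount("a.dupont", "HVAC-Co", date(2024, 1, 31), True, False, False),
    VendorAccount("b.meier", "HVAC-Co", date(2024, 1, 31), False, True, False),
    VendorAccount("c.roy", "SaaS-Ltd", None, True, True, True, date(2023, 11, 1)),
    VendorAccount("d.wang", "SaaS-Ltd", None, True, False, True, date(2024, 4, 15)),
    VendorAccount("e.kim", "MSP-Inc", None, True, True, False),
]
AS_OF = date(2024, 5, 1)  # reporting date used by the checks below

def orphaned_access(accounts: List[VendorAccount], today: date) -> List[str]:
    """KRI: people whose engagement ended but whose account is still enabled."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.contract_end is not None and a.contract_end < today)

def mfa_rate(accounts: List[VendorAccount]) -> float:
    """KPI: share of enabled third-party accounts enrolled in MFA, in percent."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 100.0
    return round(100.0 * sum(a.mfa_enrolled for a in enabled) / len(enabled), 1)

def stale_admin_reviews(accounts: List[VendorAccount], today: date,
                        max_age_days: int = 90) -> List[str]:
    """KRI: enabled admin accounts never reviewed, or reviewed more than max_age_days ago."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.is_admin
                  and (a.last_admin_review is None
                       or (today - a.last_admin_review).days > max_age_days))

if __name__ == "__main__":
    print("orphaned access:", orphaned_access(SAMPLE, AS_OF))
    print("MFA rate (%):", mfa_rate(SAMPLE))
    print("stale admin reviews:", stale_admin_reviews(SAMPLE, AS_OF))
```

Each function returns the finding list or rate so it can be fed into the vendor review dashboard rather than only printed.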
