
Why Audit a Third-Party Cybersecurity Risk Management Framework

  • Writer: Benoit Lescot
  • Apr 23
  • 5 min read

Comprehensive strategies to mitigate vendor-related cyber risks through robust governance, policies, and operational controls across the third-party lifecycle.




To audit Third-Party management, we will follow these steps:



Why audit Third-Party Management?

Third-party cyberattacks—also known as supply chain attacks—have become one of the most dangerous threats to major companies. These attacks exploit weaknesses in a company’s partners, suppliers, service providers, or vendors, which often have weaker security postures or hold privileged access. The main types of cyberattacks stemming from third parties are listed below.

  1. Software Supply Chain Attacks: Attackers compromise legitimate software updates or development pipelines of trusted vendors to push malicious code. Examples:

    • SolarWinds (2020): Attackers inserted malware into a legitimate update of the Orion platform, affecting thousands of organizations globally.

    • 3CX (2023): A trusted VoIP provider’s software was compromised and used to push malware to client systems.

  2. Third-Party Data Breaches: A vendor suffers a breach, exposing the sensitive data of its client companies.

    • Example: MOVEit (2023): A zero-day vulnerability in the MOVEit file transfer service was exploited by the Cl0p ransomware group, affecting governments, banks, and corporations via their file exchanges.

  3. Credential and Access Abuse: Attackers gain access to company systems using stolen or weak credentials from third-party vendors with network access.

    • Example: Target (2013): Attackers compromised HVAC vendor credentials to access Target’s internal network, leading to the theft of 40 million credit card records.

  4. Cloud and Managed Service Provider (MSP) Exploits: MSPs or cloud services are attacked, giving threat actors indirect access to their clients' environments.

    • Example: Kaseya (2021): The REvil group exploited a vulnerability in Kaseya’s VSA software used by MSPs, deploying ransomware to hundreds of downstream companies.

  5. Hardware and Firmware Backdoors: Malicious components or firmware are inserted into hardware devices during manufacturing or distribution. Often alleged in state-sponsored operations (e.g., claims around motherboard manufacturers), though harder to prove.

  6. Phishing and Business Email Compromise (BEC) via Vendors: Attackers impersonate or compromise a vendor’s email account to send phishing messages or fraudulent invoices.

    • Example: A supplier’s compromised email account sends fake invoice requests to the finance department of a major company.

  7. Open Source Dependency Poisoning: Malicious code is inserted into widely used open-source libraries, which are then pulled into corporate applications. Examples:

    • Log4Shell (2021): A vulnerability in Log4j, a ubiquitous Java logging library, impacted countless systems.

    • npm package attacks: Attackers upload malicious clones or updates of common Node.js packages.


How to audit Third-Party Management?


1.1 Governance

A mature governance framework requires integrated policies covering the entire third-party relationship lifecycle. These foundational elements establish clear security expectations, classification criteria, and enforcement mechanisms to protect enterprise assets.





1.2 Policy

Are the following subjects scoped in the Third-Party Management Policy?

1.3 KPIs/KRIs to follow and to leverage


Are the following KPIs and KRIs reviewed by the CIO, the CISO and the ExCom members in charge of cybersecurity?


  2. Sourcing & Selection

During the RFP, cybersecurity requirements and compliance with privacy laws must be stipulated. Failing to do so exposes the company to the following risks:

  1. Cybercriminal Acts and Financial Losses

    • Weak security integration in RFPs can expose the company to attacks via third-party solutions.

  2. Theft or Leakage of Information

    • If cybersecurity requirements are missing or delayed, sensitive data can be compromised during implementation or operations.

  3. Delays in Project Implementation

    • Cybersecurity validation after selection can slow down timelines when gaps are discovered late.

  4. Additional Costs to Cover Security Requirements

    • If IT security is not addressed early in the RFP, retrofitting security post-selection may incur unplanned costs.


During the sourcing stage, assessing the risk posed by the third party is essential.

  3. Contract formalization

Once the third party is selected, contractual integration of security requirements sets clear expectations and legal leverage. These clauses transform security from advisory to mandatory and establish mechanisms for visibility and enforcement throughout the relationship.


An exhaustive contract template is necessary; see the list of KPIs and contractual clauses at the bottom of the page.


With the emergence of SaaS, there is a significant Shadow IT risk: business departments purchase IT services without any involvement of Legal or IT Security.


  4. Onboarding


Access controls represent the first line of defense against third-party compromises. Implementation should follow least-privilege principles with complete documentation of approvals, regular reviews, and technical enforcement mechanisms.


A structured exception management process can transform security "bypasses" into visible, controlled, and time-limited risks. This process balances business needs with security requirements while maintaining executive visibility and accountability.





Creating accountability structures transforms security from a one-time assessment into ongoing collaboration. This framework provides clarity on responsibilities and establishes regular touchpoints to address emerging risks before they become incidents.




  5. Supplier Review Cadence


Regular structured reviews transform security from static requirements into dynamic oversight. This cycle ensures continuous validation of security controls, provides early warning of degradation, and maintains accountability throughout the relationship lifecycle.





  6. Measure performance and monitor security posture


Effective monitoring combines automated tools, regular reporting, and technical validation to provide a comprehensive view of vendor security status and emerging risks.

Platforms like Cybervadis and UpGuard provide automated, continuous visibility into vendor security posture changes.


Pros of a cybersecurity maturity platform

It matters to have one tool shared by all entities so that efforts are not duplicated.

  7. Critical Points to Review Upon Third-Party Contract Termination


In the off-boarding process, a comprehensive checklist and appropriate controls should be formalized to:

- Terminate the third parties' user access and network connections. The risk is leaving an access open to a third party, which might expose the company to data breaches or alterations after the end of the contract.

- Recover data and ensure it is then deleted by the third parties. Based on the answers to our questionnaire, entities request certificates of data destruction from third parties once the

List of KPIs and contractual clauses to integrate into a contract with third parties:

🔐 Security Operations & Monitoring

  • Number of security incidents by criticality over the past year

  • Rate of resolution of incidents by the Security Operation Center (SOC)

  • Rate of vulnerability resolution

  • Proportion of encrypted data

🛠 Vulnerability Management

  • Number and rate of vulnerability scans (application & infrastructure) over the last year

  • Number of uncorrected critical or major vulnerabilities (application & infrastructure)

  • Number of critical or major unpatched vulnerabilities (by year and scope)

🧑‍💼 Access Management & Audit

  • Date of last review of administrative accounts

  • Number of people who left the project but retained access to the client's IS

  • Number of people who misused access and associated sanctions

  • Number of accesses per application required for assignment execution

  • MFA (Multi-Factor Authentication) implementation rate on workstations

💻 System & Infrastructure Controls

  • Operating systems and versions of workstations used

  • Rate of assets equipped with Endpoint Detection & Response (EDR)

  • List of stakeholders on the mission scope

🔄 Backup & Recovery

  • Date of last application restore test

  • Date of last database restore test

  • Date of last disaster recovery test on the backup environment

  • Date of last application recovery test and related tests (recovery, restore, DR)

📜 Compliance & Certifications

  • PCI-DSS Certificate of Compliance (annually provided)

  • Rate of subcontractors compliant with cybersecurity policies

  • Staff awareness of cybersecurity requirements

🧾 Documentation & Tracking

  • Date of last update to the project directory

  • For application development: number or frequency of code audits
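Two of the indicators above (people who left the project but retained access, and uncorrected critical or major vulnerabilities) and the off-boarding check of the previous section can be computed from data an auditor typically collects: the vendor's account list, the engagement roster, and the vendor's vulnerability register. The following Python is an added example, not code from the original article; the vendors, users, findings and the remediation SLA of 15 and 30 days are constructed assumptions, not values from the page.

```python
"""Added example: computing third-party KRIs from constructed access and vulnerability records."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user: str
    vendor: str
    system: str
    active: bool


@dataclass(frozen=True)
class Engagement:
    user: str
    vendor: str
    end_date: Optional[date]  # None means the person is still assigned to the project


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: str  # "critical", "major", "low", ...
    reported: date
    fixed: Optional[date]  # None means still open


# Assumed remediation SLA in days per severity (constructed values, not from the article).
REMEDIATION_SLA_DAYS = {"critical": 15, "major": 30}


def retained_access(accounts: List[Account], engagements: List[Engagement],
                    as_of: date) -> List[Tuple[str, str]]:
    """KRI: people who left the project but still hold an active account on the client's IS.

    An engagement whose end_date is on or before `as_of` counts as ended; any active
    account still held by that (user, vendor) pair is an off-boarding failure.
    """
    ended = {(e.user, e.vendor) for e in engagements
             if e.end_date is not None and e.end_date <= as_of}
    return sorted({(a.user, a.vendor) for a in accounts
                   if a.active and (a.user, a.vendor) in ended})


def overdue_vulnerabilities(vulns: List[Vulnerability], as_of: date) -> List[str]:
    """KRI: critical/major vulnerabilities still open past their remediation SLA."""
    return sorted(
        v.vuln_id for v in vulns
        if v.severity in REMEDIATION_SLA_DAYS
        and v.fixed is None
        and (as_of - v.reported).days > REMEDIATION_SLA_DAYS[v.severity]
    )


def resolution_rate(vulns: List[Vulnerability]) -> float:
    """KPI: share of critical/major vulnerabilities that have been fixed (0.0 if none reported)."""
    tracked = [v for v in vulns if v.severity in REMEDIATION_SLA_DAYS]
    if not tracked:
        return 0.0
    return sum(1 for v in tracked if v.fixed is not None) / len(tracked)


# --- Constructed sample data: fictitious vendors, users and findings ---
AS_OF = date(2024, 3, 1)

ACCOUNTS = [
    Account("alice", "AcmeMSP", "erp", active=True),
    Account("bob", "AcmeMSP", "erp", active=True),
    Account("carol", "DataCo", "crm", active=False),  # correctly disabled at off-boarding
    Account("dave", "DataCo", "crm", active=True),
]

ENGAGEMENTS = [
    Engagement("alice", "AcmeMSP", end_date=date(2024, 1, 31)),  # left, account still active
    Engagement("bob", "AcmeMSP", end_date=None),
    Engagement("carol", "DataCo", end_date=date(2024, 2, 15)),
    Engagement("dave", "DataCo", end_date=None),
]

VULNS = [
    Vulnerability("V-1", "critical", date(2024, 1, 10), fixed=date(2024, 1, 20)),
    Vulnerability("V-2", "critical", date(2024, 2, 1), fixed=None),   # 29 days open, past 15-day SLA
    Vulnerability("V-3", "major", date(2024, 2, 20), fixed=None),     # 10 days open, within SLA
    Vulnerability("V-4", "major", date(2024, 1, 5), fixed=date(2024, 2, 20)),
    Vulnerability("V-5", "low", date(2024, 1, 1), fixed=None),        # not tracked by this KRI
]

if __name__ == "__main__":
    print("Retained access after leaving:", retained_access(ACCOUNTS, ENGAGEMENTS, AS_OF))
    print("Overdue critical/major vulnerabilities:", overdue_vulnerabilities(VULNS, AS_OF))
    print(f"Critical/major resolution rate: {resolution_rate(VULNS):.0%}")
```

Run against the constructed data, the check flags alice's still-active AcmeMSP account, V-2 as the single overdue finding, and a 50% critical/major resolution rate; the same functions run unchanged over a real export of the vendor's account list and vulnerability register, which is what makes the KRI reproducible from one review to the next.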
