Peer-Driven Insights

Third Party Risk Management (TPRM)

About this topic

Third Party Risk Management (TPRM) refers to the assessment and mitigation of risks associated with vendors and external partners. Effective TPRM protects organizations from external threats and ensures compliance.

Community Posts

My agency is looking for a system and operations center to prevent exfiltration of data. We have looked at Varonis and Blackfog. Any thoughts on these products or are there any suggestions of other products?

Single sign-on (SSO) increases the chance of a major network security breach.

Strongly agree6%

Agreee59%

Neutral20%

Disagree11%

Strongly disagree1%

View Results

Has anyone moved to a third party support for Hyperion (like Rimini Street)? If so, what pitfalls should we look out for and would you recommend it if we are 2-3 years from moving to a new solution?

Does your security awareness training address files shared over communications platforms like Microsoft Teams?

Yes81%

No17%

Other (comment below)1%

View Results

Apart from applying the patches just released, what other mitigation tactics are you using to address the zero-day SharePoint vulnerabilities impacting on-premises servers?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.

When cybersecurity incidents result from your third- or fourth-party providers, who ends up taking liability?

Is there any guidance how to manage fourth-party n-th party cyber risk management. Can anyone share their experiences going beyond C-TPRM?

How are you assessing the security posture of third-party APIs the business relies on? What criteria do you use currently?

How are you thinking about vendor risk management when it comes to vendors leveraging generative AI? Do they require a different approach, or is your current vendor risk strategy adequate in these cases?

How does third-party risk complicate your operations?

If your org uses third-party IoT solutions, what criteria do you use to assess those vendors' security practices?

Are you reevaluating your software supply chain security strategy?

We have recently updated our strategy.22%

Yes44%

No, but I expect we will reevaluate our strategy.18%

No14%

Other (please share in the comments)

View Results

What improvements are you working on when it comes to software supply chain security?

What kind of roadblocks are you running into with SBOMs? Have you found ways to address those issues yet?

What are the main hurdles you face when verifying a CSP’s compliance and security measures after an update? How are you addressing these issues so far?

About this topic

Community Posts

My agency is looking for a system and operations center to prevent exfiltration of data. We have looked at Varonis and Blackfog. Any thoughts on these products or are there any suggestions of other products?

Single sign-on (SSO) increases the chance of a major network security breach.

Has anyone moved to a third party support for Hyperion (like Rimini Street)? If so, what pitfalls should we look out for and would you recommend it if we are 2-3 years from moving to a new solution?

Does your security awareness training address files shared over communications platforms like Microsoft Teams?

Apart from applying the patches just released, what other mitigation tactics are you using to address the zero-day SharePoint vulnerabilities impacting on-premises servers?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.Has anyone implemented a "not relevant" risk tier in their model?This tier would apply to vendors posing genuinely negligible security risk.

When cybersecurity incidents result from your third- or fourth-party providers, who ends up taking liability?

Is there any guidance how to manage fourth-party n-th party cyber risk management. Can anyone share their experiences going beyond C-TPRM?

How are you assessing the security posture of third-party APIs the business relies on? What criteria do you use currently?

How are you thinking about vendor risk management when it comes to vendors leveraging generative AI? Do they require a different approach, or is your current vendor risk strategy adequate in these cases?

How does third-party risk complicate your operations?

If your org uses third-party IoT solutions, what criteria do you use to assess those vendors' security practices?

Are you reevaluating your software supply chain security strategy?

What improvements are you working on when it comes to software supply chain security?

What kind of roadblocks are you running into with SBOMs? Have you found ways to address those issues yet?

What are the main hurdles you face when verifying a CSP’s compliance and security measures after an update? How are you addressing these issues so far?

Community Posts

My agency is looking for a system and operations center to prevent exfiltration of data. We have looked at Varonis and Blackfog. Any thoughts on these products or are there any suggestions of other products?

Single sign-on (SSO) increases the chance of a major network security breach.

Has anyone moved to a third party support for Hyperion (like Rimini Street)? If so, what pitfalls should we look out for and would you recommend it if we are 2-3 years from moving to a new solution?

Does your security awareness training address files shared over communications platforms like Microsoft Teams?

Apart from applying the patches just released, what other mitigation tactics are you using to address the zero-day SharePoint vulnerabilities impacting on-premises servers?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.Has anyone implemented a "not relevant" risk tier in their model?This tier would apply to vendors posing genuinely negligible security risk.

When cybersecurity incidents result from your third- or fourth-party providers, who ends up taking liability?

Is there any guidance how to manage fourth-party n-th party cyber risk management. Can anyone share their experiences going beyond C-TPRM?

How are you assessing the security posture of third-party APIs the business relies on? What criteria do you use currently?

How are you thinking about vendor risk management when it comes to vendors leveraging generative AI? Do they require a different approach, or is your current vendor risk strategy adequate in these cases?

How does third-party risk complicate your operations?

If your org uses third-party IoT solutions, what criteria do you use to assess those vendors' security practices?

Are you reevaluating your software supply chain security strategy?

What improvements are you working on when it comes to software supply chain security?

What kind of roadblocks are you running into with SBOMs? Have you found ways to address those issues yet?

What are the main hurdles you face when verifying a CSP’s compliance and security measures after an update? How are you addressing these issues so far?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.