Third Party Due Diligence

When:Thu DS-3
OrganizersDidar Gelici Didar Gelici
ParticipantsDaniel Kefer Daniel Kefer , Didar Gelici Didar Gelici , Roger Comastorres Roger Comastorres , Tony Richards Tony Richards


Every company has their own third party due diligence methods. Mostly a mix of questionnaires, open source investigations, sometimes onsite assessments. This is not efficient in today’s world as poor vendors are forced to spend 100s of hours each year filling in questionniares with same or similar questions over and over again.


I believe we should have a restricted opensource platform where the members would agree on a framework and scoring system for third party due diigence from cyber perspective. (later may be expanded in other compliance areas too) This should perform the evaluation, follow-up assessments annually (or at major changes like M&As), tracking for resoltuions of the findings.. Things to consider: Are we assessing the corporate controls of the vendor or their solution’s security, or both? What framework or frameworks best suited for this? MITRE, NIST, ISO?? Scores on maturity, flags on category of information classification that is recommended to be shared with the vendor (i.e. do not share non-public information with this vendor until they remediate findigns A, B, C) Funding for the activites - should we form a consortium like what FS-ISAC does for threat intelligence? If the third party is critical outsourcing partner, would the standard evaluation be sufficient, or should there be additional things to consider.


Hard to tell, this session will be a good start on shaping the future of this activity.


In last ten years, every job I had included third party assurance work and I kept sending similar questionnaires to same vendors over and over. This needs to be improved and in this era of open sourcing everything, I believe we can do better if we came up with a shared model for third party due diligence.


Register as participant

To register as participant add Third Party Due Diligence to either:

  1. the sessions metadata field from your participant's page (find your participant page and look for the edit link).
  2. or the participants metadata field from this git session page

Back to list of all User Sessions