Many businesses increase their dependency on outsourcers, third party technology products and services, electronic commerce, contractors, third party service providers and partners to gain a competitive advantage in the marketplace. This increased reliance of the business on various third party entities or providers results in an increased risk to its information assets. The information assets at risk may include valuable electronic data such as intellectual property and customer data. These information assets are exchanged between the business and its third party entities and may be at risk of theft or tampering. The need to proactively manage this electronic or “eBusiness” risk associated with these relationships is being driven by State and Federal regulations, industry standards and customer pressures. Investors, regulators, and customers must have assurance that businesses understand and manage the risk associated with housing and exchanging critical information assets.
Through business transformation, businesses have been migrating to outsourced services, leveraging third party products and services or relying on business partners to reduce costs. The migration away from in-house solutions to external solutions has intensified the need for stringent security controls on both sides of an information exchange. The requirement to actively manage information technology (IT) information risk is growing rapidly in scope and is extending beyond the business itself to include risks related to third party entities providing a service, product, or other solution to the business. Based on the steady growth of complex business relationships in which digital information assets are exchanged between businesses, gaining visibility into risks associated with trusted third parties is becoming imperative. Businesses need a scalable method to assess the cost and efficiency associated with a particular action or plan to reduce or eliminate risk associated with their information assets as it pertains to a particular third party or a plurality of third parties. Furthermore, businesses require an acceptable and defendable method for quantifying the value of their information assets and the risk of exposing these assets in a particular business relationship or across all of their relationships, based on either internal solutions or commercial solutions currently in the marketplace.
Increased public demand for businesses to take responsibility for protecting consumer data from unauthorized access has resulted in a corresponding increase in the number of regulatory requirements placed on them. Businesses are required to assess IT risk for their organization and their third party service providers to gauge the level of compliance with these regulations. These assessments must be conducted on a regular basis. There are well known methods in the art to assess IT risk. These methods include providing a risk report and an associated risk score. Each risk report focuses on the risk categories relative to a specific business or application being assessed, without the benefit of placing the results in context. Individual IT risk assessments are expensive and time consuming. They are not standardized in a manner that allows comparative analysis or contextual alignment within particular business sectors. Businesses need a simple, sound method for deciding whether or not the IT risk posed by internal procedures or by their third party service providers is within their level of risk tolerance, analogous to the way financial institutions rely on consumer credit scores to determine whether to fund loans or issue insurance policies.
This, combined with the multitude of regulations and requirements, is placing an increased burden on businesses and their many third party providers regarding risk assessment, auditing and compliance management. It is apparent that both businesses and their third party providers will incur greater costs as a result of this increased scrutiny of IT security controls. Considering that each business may have many third party relationships, the assessment process adds additional requirements for manpower and financial resources to track, collect and verify the outsourced third party's IT security. These businesses are limited in their ability to effectively monitor and manage new and existing relationships. Additionally, businesses may have a limited understanding of the regulatory and/or contractual obligations governing information assets. There are a variety of well known methods for assessing eBusiness risk in the art. However, current methods of assessing eBusiness risk associated with a risk score are vague, non-actionable and do not accurately quantify the IT information risk of a business relationship. Current methods either offer no visibility or, alternatively, offer only a very limited view into the risks associated with these business relationships, thereby providing ineffective or incomplete solutions for managing the risk exposure. Businesses do not have a scalable, cost efficient, and secure method for meeting the compliance requirements associated with contracts and regulations governing their management of information asset risk. Additionally, IT auditors do not have a quantifiable method for reporting results associated with the audit of controls surrounding information assets. Further, the known methods for assessing eBusiness risk do not appear to provide insurance companies with a method for quantifying information asset risk for purposes of underwriting.
Thus, there is a need in the art for an improved method and system for assessing risk exposure for a business exchanging information assets with a plurality of third parties associated with the business.