Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
iluom
Contributor II
‎01-11-2019 04:00 AM
‎01-11-2019 04:00 AM

TPRM fiasco

Good day all!!

 

Consider the situation - a third party that has been providing services for many years has revealed (during a review) that they do not provide encryption services (as per the customer requirements) as it's not viable for them financially. At the onset  of the business relationship this was not the practice and it was ignored for some years and over time due to some regulations it has come up with high priority.

 

Third party service provider not ready to provide the required service

Moving to another service provider will incur huge cost  to the org

Encryption service is necessary for the compliance otherwise a huge fines and great danger to the business

 

what is the best course of action?

 

Chandra Mouli, CISSP, CCSP, CSSLP
Reply
0 Kudos
1 Reply
CISOScott
Community Champion
‎01-11-2019 10:58 AM
‎01-11-2019 10:58 AM

@iluom wrote:

Good day all!!

 

Consider the situation - a third party that has been providing services for many years has revealed (during a review) that they do not provide encryption services (as per the customer requirements) as it's not viable for them financially. At the onset  of the business relationship this was not the practice and it was ignored for some years and over time due to some regulations it has come up with high priority.

 

Third party service provider not ready to provide the required service

Moving to another service provider will incur huge cost  to the org

Encryption service is necessary for the compliance otherwise a huge fines and great danger to the business

 

what is the best course of action?

 

Document each course of action. Then do simple math to attempt to figure out best course of action.

Option 1) Do nothing. Yes this is always an option that most people forget about. Risk = Huge fines, breach of data, damage to corporate reputation, etc.

Option 2) Fire the current 3rd party and replace with new. Document the replacement cost vs current cost + fines

Option 3) Pay current vendor to remedy situation. Figure out cost to "upgrade" the service. Compare against costs of option #1.

Option 4) Can the service be brought in house? Figure out the costs and compare against all other options.

Reply