It's rare in 2014 for any business entity to conduct all of its operations using only its own resources and personnel. For many firms, it takes business partners, often called "third party" partners, to get things done. Whether it's a bank that uses vendor-managed cloud services to store and analyze its data, or a supermarket that hires an EPOS provider to process its credit card transactions, firms large and small rely on third party partners to manage tasks that frequently involve a high volume of sensitive information.The question of trust looms large in such arrangements, particularly since business are often liable for third party functions, even though they don't directly carry them out.
There's an emerging role for IT professionals who can evaluate and manage third party security concerns, and where there's an emerging job role, a certification will often materialize to help train potential workers to act in that capacity. Such will soon be the case with evaluation and management of third party risks. Earlier this week, Shared Assessments Program announced that it will begin delivering a Certified Third Party Risk Professional (CTPRP) credential in January. (Shared Assessments Program is operated by strategic consulting firm The Santa Fe Group, based in Santa Fe, N.M.)
If you want to get certified in third party risk management, then you've got some work to do. Certification prerequisites for the new credential include a minimum of five years of experience as a risk management professional. The work experience requirement can be trimmed to three years if you have an information security or information technology degree from an accredited university (one-year waiver) and hold an applicable IT certification (one-year waiver; examples given include CISA, CISSP, CIPP and CIPM). You must also attend a Shared Assessments workshop before attempting the exam. Recertification is required after three years unless the certification is kept current by meeting certain continuing education requirements and paying a fee.
Tom Garrubba, senior director of Shared Assessments Program, said in a prepared statement that companies need to pay more attention to third party relationships than ever before. “With so much at stake in the event of a data breach — lost revenue, significant brand damage, lawsuits, fines — companies need to take a closer look at their third party risk management practices,” Garrubba said. “Risk management professionals seeking certification through the Certified Third Party Risk Professional program is an indicator that organizations are taking proactive responsibilities to getting their third party risk programs in shape.”
The CTPRP will be available starting January. Two training workshops will be offered each quarter at locations across the United States.