- Establish a diverse Third-Party Risk Management (TPRM) governance committee and program. Each function represented should identify ongoing critical third parties and supply chains for their respective areas.
- Evaluate strategic and technical risks.
- Develop plans to sustain business operations for at least 30 days if critical services and supplies are lost. Document, test, and update these plans annually.
- Establish a comprehensive data backup plan that includes offline backups, and incorporate incident response and continuity of operations plans into emergency operations planning.
- Increase employee awareness education and reporting to reduce the risk of compromise from cyber threats.
- Consider reducing the attack surface by eliminating external-facing systems and limiting unnecessary systems.
