As security-aware organizations, we invest a considerable amount of time, resources and money in protecting ourselves from external, malicious threat actors. There are many ways in which a threat actor can undermine these investments, and one method is becoming increasingly common and effective: exploiting third parties.

As an organization that is undoubtedly part of a wider supply chain and network of partners and subsidiaries, you are only as strong as the weakest link in that chain—especially where network access and the sharing of information are commonplace.

Third-Party Assurance is SubRosa’s services-based offering and comprises the assessment, management and safeguarding of your organization’s third parties. Typically, such organizations include suppliers, partners, acquisitions and clients.

Third-Party Due Diligence

Service Overview

  • Designed for pre-engagement organizations, including mergers, acquisitions and new vendors

  • Assess the full security and risk program of the organization

  • Incur little to no cost when assessing new mergers (and in some cases new vendors)

Expected Results

  • Better understand the risk and security posture of a new acquisition or vendor

  • Potential leverage when negotiating the acquisition of a new partner, vendor or merger

Vendor Risk Management

Service Overview

  • Suitable for existing suppliers

  • Assesses the security risk of the whole supply chain

  • Profiles, organizes and categorizes suppliers based on their risk to your organization

Expected Results

  • Align your suppliers with your organization’s security posture and mission

  • Improved overall enterprise risk management

Client Assurance

Service Overview

  • Respond to your clients’ security Requests for Information (RFIs)

  • Leverage SubRosa’s security expertise to provide deep, technical responses when needed

  • Engage SubRosa in client meetings to provide in-person expertise

Expected Results

  • Improve the timeliness and accuracy of your client responses

  • Become more competitive during your clients’ supplier onboarding and continuous monitoring of their suppliers

Service Models


  • Leverage SubRosa’s full domain expertise to assess your third-party information security risk

  • All activities covered under a monthly retainer fee

  • Program is designed, run and executed by SubRosa

  • SLAs on all assessments and reporting

  • One-week notice to travel onsite

  • Remote and physical onsite assessments included

  • Governance, risk and compliance (GRC) software support included

  • Option for client-owned, custom framework production


  • Leverage SubRosa’s domain expertise when needed

  • Assessment and reporting on an as-needed basis, per client requests

  • No upfront or retainer costs

  • No service level agreements (SLAs) on assessments and reporting

  • Optional governance, risk and compliance (GRC) software support

  • Four weeks’ notice to travel onsite

  • All frameworks, tools and methods remain the property of SubRosa

Ready to speak to a consultant about our services?