Blog

Reduce unnecessary risk with third-party risk management controls

As more tasks are outsourced to third-party providers, risk management programs become critical to securing sensitive data

September 3, 2022

Third-party risk management (TPRM) is a necessary safeguard for any company that works with external entities, whether it’s a contractor, service provider, supplier, or partner. Third parties provide expertise in their given field, but they also increase the complexities and risks in your organization’s data security.

While TPRM is different for every organization, there are several best practices that help lay the foundation for a secure program.

In this article, we go over the two key steps in implementing reliable TPRM controls.

Step 1: Verify third party security efforts and compliance

Organizations of all industries and sizes rely on several vendors to perform their day-to-day activities. For example, Google Workspace provides standard email and documentation, Gusto is popular for payroll, and AWS offers a scalable cloud hosting experience.

A quick self-assessment can uncover all the vendors and third-party services being used throughout your organization. The following questions can guide your evaluation:

What is the product or service provided by the third party?
How critical is the process to your organization?
What information or data are you sharing with them?
What are they doing with your data?
What is their security posture?
Do they have SLAs?
What are the contract terms and required security certifications (i.e., SOC 2, ISO 27001)
Are their contractual terms aligned to what you expect for this type of service?
What is the perceived level of risk from each vendor?

Step 2: Monitor and assess vendors on an ongoing basis

Third-party risk assessments are necessary to protecting your company against breaches and other incidents. The method can be as simple as recording data in a spreadsheet or as comprehensive as implementing an assessment automation software.

When considering what factors are important for both you and your customers, here are some of the risk categories to keep in mind:

Information security: Assess controls related to the security, confidentiality, and availability of data shared with third parties

Do they have proof of security certification?
Do they conduct periodic assessments and ongoing monitoring?
What is their onboarding and offboarding process?
How do they priority security for their customers?
What is their process for dealing with incorrectly classified or unidentified customer data?

Monitoring gaps: Includes periodic assessments, ongoing monitoring, incident notification, onboarding and offboarding, and adherence to appropriate SLAs

What SLAs are included in their contract?
What is their reporting process regarding SLA compliance?
How will you monitor the third party to ensure they are providing the agreed-upon services?
What role does your procurement team play (if applicable)?
What role do other internal parties and stakeholders play (if applicable)?
What are the third party’s incident notification, response, and disclosure policies?

Business continuity: An increasingly important control, as third-party services and solutions are becoming more critical to your operations

How long has the company been around for?
What is included in their business continuity plan?

Regulatory requirements: Mandatory supervision of third-party suppliers for many regulatory requirements, especially for financial and healthcare services and other government organizations

What regulations impact their operations (i.e., GDPR, HIPAA, PIPEDA, PCI DSS)
What protocols do they have in place to meet these regulations?

Lack of due diligence: Involves the use of distributed IT environments, legacy suppliers, global suppliers with limited insight, the use of subcontractors by third parties (also known as fourth parties)

How credible are the individuals on their executive team?
How many customers do they have?
How satisfied and dissatisfied are their customers?

Ultimately, TPRM considerations and controls will depend on your industry and the type of services and data you choose to outsource. Based on these factors, as well as the questions outlined above, you can start building a strong program that mitigates third-party risks and secures all sensitive data.

Learn more about gaining compliance by downloading our eBook about the ISO 27001 journey. You can also request a demo for OneTrust’s Certification Automation tool.

Blog

Reduce unnecessary risk with third-party risk management controls

Step 1: Verify third party security efforts and compliance

Step 2: Monitor and assess vendors on an ongoing basis

You may also like

Third-Party Due Diligence

Understanding and implementing APRA's CPS 230 Standard

For financial institutions in Australia, the Australian Prudential Regulation Authority’s (APRA) CPS 230 standard is a clarion call to fortify cyber resilience.

February 05, 2025

Third-Party Risk

DORA Compliance Countdown: Are you ready?

Join us to learn more about the Digital Operational Resilience Act (DORA) and how OneTrust can help organizations research, implement, and monitor compliance at scale with DORA and other related regulations and standards like NIS2 and ISO.

January 16, 2025

Third-Party Risk

Are you ready for DORA compliance?

The Digital Operational Resilience Act (DORA) is the first regulation to oversee the security functions of financial entities across the European Union.

January 16, 2025

Third-Party Risk

Virtual Lunch and Learn: A deep dive into OneTrust's Third Party Management capabilities

Join us for a virtual Lunch & Learn session and explore how OneTrust’s Third Party Management solution can streamline your risk management processes.

December 17, 2024

Technology Risk & Compliance

The PDPL in Saudi Arabia is now in effect: is your business ready?

Join our Saudi Arabia PDPL webinar for an overview on the data protection law, its requirements, and how to prepare for full enforcement.

December 12, 2024

Third-Party Risk

Unpacking global regulatory frameworks to enhance third-party operational resilience

Register for this OneTrust webinar to learn about the relevant resilience focused requirements of DORA, NIS 2, and other global regulations.

December 11, 2024

OneTrust named a Leader in Operational Resilience Software 2024

Download this Verdantix report to learn the importance of operational resilience for your business and why OneTrust was named a leader in the space.

December 05, 2024

Technology Risk & Compliance

Understanding the NIS 2 Directive: Compliance insights and best practices

This DataGuidance webinar explores the latest and expected developments in the implementation of the NIS 2 Directive, focusing on practical compliance strategies to ensure your organization is prepared.

December 04, 2024

Third-Party Risk

Rise above risk: Third-party management in technology

November 21, 2024

Privacy Automation

Defining a new direction for data

As AI continues to offer unparalleled opportunities for business innovation, it also presents risks that organizations must tackle head-on through scalable governance programs that span multiple data sources. Six key trends are defining these challenges.

November 13, 2024

Third-Party Risk

Bill S-211: Will you be ready by May 31?

In this webinar, our experts will discuss the Canadian regulation and others like it globally, while providing actionable insights into building a robust and mature Third-party program.

November 07, 2024

Third-Party Risk

Tackling IT security risks for banks in South Africa

Join our OneTrust webinar on tackling IT security risks for banks in South Africa. Explore strategies for safeguarding sensitive data, ensuring POPIA compliance, and managing cyber threats. Gain actionable insights to strengthen your security posture and build customer trust.

October 31, 2024

Privacy Automation

Build resiliency and operationalize compliance with OneTrust: Fall product release recap, 2024

Join our upcoming product release webinar to explore how these new capabilities can help your organization navigate complex frameworks, streamline third-party management, and accelerate AI and data innovation.

October 22, 2024

Third-Party Risk

Live Demo EMEA: Building a robust third-party risk management program with OneTrust

Join to explore how OneTrust's TPRM solution can revolutionize your third-party risk management approach. We will cover best practices for implementing and leveraging the software to minimize risks.

October 10, 2024

Third-Party Risk

Simplifying vendor risk management

Streamline third-party relationships and avoid common mistakes in the process.

October 03, 2024

Third-Party Risk

Essential checklist for simplifying third-party risk management

Third-party management doesn’t have to be a complicated process for your business.

October 02, 2024

Third-Party Risk

Navigating risk in financial services with third-party management

Working with third parties introduces privacy and security risks, making compliance and business growth a balancing act.

October 01, 2024

Third-Party Risk

Manufacturing risk: Managing third parties in the supply chain

Third-party management keeps manufacturing operations running smoothly by verifying vendor and supplier compliance with regulations.

September 30, 2024

Third-Party Risk

The complete guide to third-party management

It’s imperative for security teams to implement a holistic approach to third-party management.

September 27, 2024

Third-Party Risk

APAC - Third-party risk management and due diligence: What’s the difference and why does it matter?