Third-party risk management (TPRM) is a necessary safeguard for any company that works with external entities, whether it’s a contractor, service provider, supplier, or partner. Third parties provide expertise in their given field, but they also increase the complexities and risks in your organization’s data security.
While TPRM is different for every organization, there are several best practices that help lay the foundation for a secure program.
In this article, we go over the two key steps in implementing reliable TPRM controls.
Step 1: Verify third party security efforts and compliance
Organizations of all industries and sizes rely on several vendors to perform their day-to-day activities. For example, Google Workspace provides standard email and documentation, Gusto is popular for payroll, and AWS offers a scalable cloud hosting experience.
A quick self-assessment can uncover all the vendors and third-party services being used throughout your organization. The following questions can guide your evaluation:
- What is the product or service provided by the third party?
- How critical is the process to your organization?
- What information or data are you sharing with them?
- What are they doing with your data?
- What is their security posture?
- Do they have SLAs?
- What are the contract terms and required security certifications (i.e., SOC 2, ISO 27001)
- Are their contractual terms aligned to what you expect for this type of service?
- What is the perceived level of risk from each vendor?
Step 2: Monitor and assess vendors on an ongoing basis
Third-party risk assessments are necessary to protecting your company against breaches and other incidents. The method can be as simple as recording data in a spreadsheet or as comprehensive as implementing an assessment automation software.
When considering what factors are important for both you and your customers, here are some of the risk categories to keep in mind:
Information security: Assess controls related to the security, confidentiality, and availability of data shared with third parties
- Do they have proof of security certification?
- Do they conduct periodic assessments and ongoing monitoring?
- What is their onboarding and offboarding process?
- How do they priority security for their customers?
- What is their process for dealing with incorrectly classified or unidentified customer data?
Monitoring gaps: Includes periodic assessments, ongoing monitoring, incident notification, onboarding and offboarding, and adherence to appropriate SLAs
- What SLAs are included in their contract?
- What is their reporting process regarding SLA compliance?
- How will you monitor the third party to ensure they are providing the agreed-upon services?
- What role does your procurement team play (if applicable)?
- What role do other internal parties and stakeholders play (if applicable)?
- What are the third party’s incident notification, response, and disclosure policies?
Business continuity: An increasingly important control, as third-party services and solutions are becoming more critical to your operations
- How long has the company been around for?
- What is included in their business continuity plan?
Regulatory requirements: Mandatory supervision of third-party suppliers for many regulatory requirements, especially for financial and healthcare services and other government organizations
- What regulations impact their operations (i.e., GDPR, HIPAA, PIPEDA, PCI DSS)
- What protocols do they have in place to meet these regulations?
Lack of due diligence: Involves the use of distributed IT environments, legacy suppliers, global suppliers with limited insight, the use of subcontractors by third parties (also known as fourth parties)
- How credible are the individuals on their executive team?
- How many customers do they have?
- How satisfied and dissatisfied are their customers?
Ultimately, TPRM considerations and controls will depend on your industry and the type of services and data you choose to outsource. Based on these factors, as well as the questions outlined above, you can start building a strong program that mitigates third-party risks and secures all sensitive data.
Learn more about gaining compliance by downloading our eBook about the ISO 27001 journey. You can also request a demo for OneTrust’s Certification Automation tool.
