Reduce unnecessary risk with third-party risk management controls

As more tasks are outsourced to third-party providers, risk management programs become critical to securing sensitive data

Third-party risk management (TPRM) is a necessary safeguard for any company that works with external entities, whether it’s a contractor, service provider, supplier, or partner. Third parties provide expertise in their given field, but they also increase the complexities and risks in your organization’s data security.

While TPRM is different for every organization, there are several best practices that help lay the foundation for a secure program.

In this article, we go over the two key steps in implementing reliable TPRM controls.

Step 1: Verify third-party security efforts and compliance

Organizations of all industries and sizes rely on several vendors to perform their day-to-day activities. For example, Google Workspace provides standard email and documentation, Gusto is popular for payroll, and AWS offers a scalable cloud hosting experience.

A quick self-assessment can uncover all the vendors and third-party services being used throughout your organization. The following questions can guide your evaluation:

  • What is the product or service provided by the third party?
  • How critical is the process to your organization?
  • What information or data are you sharing with them?
  • What are they doing with your data?
  • What is their security posture?
  • Do they have SLAs?
  • What are the contract terms and required security certifications (e.g., SOC 2, ISO 27001)?
  • Are their contractual terms aligned to what you expect for this type of service?
  • What is the perceived level of risk from each vendor?

Step 2: Monitor and assess vendors on an ongoing basis

Third-party risk assessments are necessary for protecting your company against breaches and other incidents. The method can be as simple as recording data in a spreadsheet or as comprehensive as implementing assessment automation software.

When considering what factors are important for both you and your customers, here are some of the risk categories to keep in mind:

Information security: Assess controls related to the security, confidentiality, and availability of data shared with third parties

  • Do they have proof of security certification?
  • Do they conduct periodic assessments and ongoing monitoring?
  • What is their onboarding and offboarding process?
  • How do they prioritize security for their customers?
  • What is their process for dealing with incorrectly classified or unidentified customer data?

Monitoring gaps: Includes periodic assessments, ongoing monitoring, incident notification, onboarding and offboarding, and adherence to appropriate SLAs

  • What SLAs are included in their contract?
  • What is their reporting process regarding SLA compliance?
  • How will you monitor the third party to ensure they are providing the agreed-upon services?
  • What role does your procurement team play (if applicable)?
  • What role do other internal parties and stakeholders play (if applicable)?
  • What are the third party’s incident notification, response, and disclosure policies?

Business continuity: An increasingly important control, as third-party services and solutions are becoming more critical to your operations

  • How long has the company been in business?
  • What is included in their business continuity plan?

Regulatory requirements: Many regulations mandate supervision of third-party suppliers, especially for financial services, healthcare, and government organizations

  • What regulations impact their operations (e.g., GDPR, HIPAA, PIPEDA, PCI DSS)?
  • What protocols do they have in place to meet these regulations?

Lack of due diligence: Risk arises from distributed IT environments, legacy suppliers, global suppliers with limited visibility, and the use of subcontractors by third parties (also known as fourth parties)

  • How credible are the individuals on their executive team?
  • How many customers do they have?
  • How satisfied and dissatisfied are their customers?

Ultimately, TPRM considerations and controls will depend on your industry and the type of services and data you choose to outsource. Based on these factors, as well as the questions outlined above, you can start building a strong program that mitigates third-party risks and secures all sensitive data.

Learn more about gaining compliance by downloading our eBook about the ISO 27001 journey. You can also request a demo for OneTrust’s Certification Automation tool.