Feb 18, 2021
Creating a Third-Party Management Program
So far in our Guide To Data Privacy And Security, we have covered how you can plan and develop your privacy framework, the role policies and procedures play, and how to distribute accountability within your privacy program. In part 4 of our guide, we look at how you can create lasting vendor relationships with a third-party management program.
Relationships between your organization and third parties can have a lasting influence on your company's success. While catering to your customers' needs is one thing, developing and managing relationships with vendors and third parties can also be tricky. Companies are engaging with each other more than ever, and with so many out there, you need to be sure that you can trust the external parties that your company relies on.
The Secret to Long-Lasting Third-Party Relationships?
According to industry standards like ISO and the NIST and GDPR data privacy frameworks, the key factor in long-lasting vendor relationships is creating a third-party management program.
Each third-party relationship brings with it several risks that need to be identified, assessed, and treated. Depending on the type of data being processed, these unknown risks can have a significant impact on multiple levels of your organization. In this article, we will share 5 tips to help you create and manage a supplier program with efficacy while keeping your data secure.
Create a Use Case & Assign Ownership
There should be a reason whenever your company procures a new application, contractor, or supplier. This is what we call a "use case".
Each use case must tell a story, and someone in your organization must own this narrative. The asset (or system) owner is the stakeholder who understands the importance of that system, how it functions, and the type of data flowing to and from it.
Classify & Categorize
In most cases, creating a set of attributes will be necessary to map your vendors and suppliers. This will most likely happen when you are managing different privacy and security frameworks simultaneously. Based on data privacy requirements, systems are expected to be classified by the type of data they process, such as:
Public Data
Confidential Data
Sensitive Data
After classifying the vendor based on data attributes, it is also helpful to categorize vendors by how critical they are to your service's operation, driven by your business continuity requirements. You can start with:
Critical Suppliers
Non-critical suppliers
Assess Your Vendors
Technical and organizational due diligence, including questionnaires, review of SOC reports, and audits, must be performed prior to onboarding suppliers. Taking a risk-based approach, third-party screening can be scoped according to different risk categories and processing activities.
The level of security requirements must be proportional to the type of data and the criticality of each vendor. For critical vendors responsible for processing your clients' confidential data, the most commonly used tools are:
Review of SOC 2 reports
ISO 27001 certificates and statements of applicability
SIG Questionnaire
Cloud Security Alliance Assessment
Optimize Contractual Requirements
It is a legal requirement to have minimum security requirements and data processing agreements (DPA) in place to amend Master Service Agreements. The main objective here is to establish a baseline for the minimum acceptable security controls maintained by third parties.
Among the technical and administrative controls that must be legally bound to the service provided are:
Encryption and Key Management Policy
Vulnerability Management
Penetration Tests
Business Continuity Plan
Employee Training and Awareness
Document Everything
Your organization's risk tolerance, legal requirements, and clients' expectations must set the tone for your third-party management program. Once you figure out what works for your company, document everything.
Having a documented Supplier Assessment and Monitoring process will ensure the consistency of your assessments and your records. A repeatable process is also critical because you will have to re-assess your vendors every year, or every other year for non-critical suppliers.
Make sure your procedure is communicated internally, and that the results of your assessments are discussed with internal stakeholders and leadership. This could be the key to gaining support and visibility for your third-party management program.
Building Your Third-Party Management Program
In the context of data privacy, how an organization engages, assesses, manages, and communicates with its suppliers is of utmost importance. This will be the baseline for risk assessments, sub-processor programs, and data maps. Creating a set of requirements for approving systems, contractors, or products will establish the security and privacy baseline for your organization's data flows. Having all these requirements and steps documented will ensure continuous monitoring and improvement.
A Guide to Data Privacy and Security
Part 1: Preparing and Building Your Privacy Program Framework
Part 2: Policies and Procedures
Part 3: Accountability
Part 5: Supplier Assessment Process
Part 6: Data Processing Agreements
Part 7: Data Categorization and Mapping
Part 8: Privacy Assurance
How Can StandardFusion Help?
StandardFusion is a comprehensive GRC software that helps teams manage their inventory of vendors. Within the tool, administrators create vendor profiles, classify them, send questionnaires, store external documents, and set reminders based on re-assessment requirements.
StandardFusion's vendor management capabilities allow privacy and security professionals to use the system as a single repository of information. Request your demo and see how you can develop your vendor management program with StandardFusion!