Third-Party Data Security: Assessing Risk and Ensuring Compliance
Information security within an organization can be complex. Factoring in the additional risk posed by sharing information with third parties makes matters infinitely more complicated for enterprises.
What should you consider when looking for a vendor? Once you’ve established a relationship, how can you better control security risks as they pertain to vendors and other third parties?
How to Vet Potential Vendors
When you’re in discussions with potential vendors, schedule a time for your security and IT team to visit them on-site (if possible) to find out how they handle their data. If you’re unable to visit the vendor, be sure to schedule a conference call to discuss all your concerns. At the very least, the vendor should have well-established security policies that are regularly reviewed, and should regularly back up all data.
It’s also essential that every vendor perform their own regular security audit(s) as well as conduct background checks on any employee who will have access to sensitive data.
Assessing Current Vendors
If your organization is already established, you no doubt have a large network of third parties with whom you already have a relationship. The following steps will give you a framework by which to assess and address potential data risks posed by those relationships.
1. Create an inventory of all third parties with whom your organization has a relationship.
An effective information security plan involves not only mapping the flow of data within your organization but also laying out which vendors have access to that information. For a smaller organization, this may involve a few dozen vendor relationships, while a larger organization may have thousands of third parties with whom it shares data. Creating an inventory of these vendors is key to assessing any potential risks.
2. Catalog specific risks third parties pose to the client and organizational data.
What sort of information do your vendors have access to? This will determine the kind of risk that could be posed in the event of a breach. Cataloging which vendors can connect into customer accounts or handle sensitive financial information will help you determine the level of risk each third party poses.
3. Compile a risk-based segmentation of third parties to determine which ones pose the greatest risk.
Once your organization has created a list of vendors and determined the types of information that are at stake, it’s time to use that information to create a risk-based segmentation of the third parties with whom you have a relationship. Being able to separate the high-risk relationships from the low-risk ones will help you streamline your approach and know where to focus first.
4. Design a rules-based process to conduct due diligence on each vendor based on their activities and area(s) of operation.
Designate specific due diligence processes for high-risk versus low-risk relationships, so your team doesn’t waste time and resources where they aren’t needed. A high-risk relationship with a vendor that doesn’t have access to your customers’ personally identifiable information (PII) would be handled differently than a high-risk relationship with a vendor that holds customer PII, such as Social Security numbers or credit card information.
5. Create a framework for escalation and oversight.
It’s essential that everyone in an organization is on the same page when it comes to third-party risk. A framework must be established to identify risks, address them, and ensure compliance among third parties. Should a potential risk become a reality, there needs to be a process in place that allows quick decision-making and action. Internal oversight and the ability to escalate are key components of managing vendor relationships.
With the proper vetting and an information-mapping and decision-making framework in place, your organization will be able to better protect itself and your clients against the threat of a security breach. If you have questions about third-party risks or would like more information about how to assess and mitigate them, contact the information security experts at CISOSHARE.
Information security experts with 20+ years of combined experience in developing, implementing, and securing highly regulated organizations.