Third-party risk has grown as more companies rely on outside services and tools. According to the Ponemon Institute, the average company shares sensitive data with up to 583 third parties, yet only 34 percent keep a detailed inventory of those relationships. In this article at RM Magazine, Ilian Sotnikov discusses five early steps for managing third-party risk.
Third-Party Risks to Avoid
Organizations seeking a competitive advantage inevitably share internal data with vendors, and every such share raises the risk of a data leak, even an unintentional one. Executives therefore need assurance that vendors follow the organization's security and authorization policies. The five early steps for managing third-party risk are:
Assess the Risks: Before granting access to sensitive data, assess the risk each third party represents. If you are subject to HIPAA or FISMA, the vendor must meet those requirements as well. A relationship in which you pay a service provider to handle your sensitive information is a high-risk one, and should be treated as such.
Stay Vigilant: The security standards you hold vendors to depend on your industry and business. Check a vendor's reputation before signing a large contract: look for pending lawsuits and negative press coverage, and ask how they protect their partners' sensitive data and whether they undergo regular audits.
Have a Detailed Agreement: The contract should spell out what the vendor is accountable for. HIPAA, in fact, requires that the relationship with a vendor be documented legally. The service provider should know which security controls you require and the penalties for violating them. Limit the hours during which the vendor may access your sensitive data, and state that access outside that window can be escalated for penalties.
Monitor Vendor Activities: Even after positive references and a signed agreement, keep watching. Deploy tooling that alerts you when vendor activity exceeds the permitted limits, and when an alert fires, use the generated reports to judge how serious the incident is. Ask the service provider to run the same monitoring in its own environment so that anomalies are easier to spot, and assign staff to review alerts from both sides.
Create a Standard That Every Party Should Follow: Suppose a customer detects a breach. Even if the vendor caused it, you remain accountable. GDPR, PCI DSS, and HIPAA impose stringent requirements and hefty penalties. To limit this exposure, define a security standard that both you and your third parties abide by under all circumstances.
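As an added illustration of the "Have a Detailed Agreement" and "Monitor Vendor Activities" steps (example code written for this page, not from the original article or its author), the Python below runs a constructed set of vendor access-log lines against a per-vendor policy of permitted hours and permitted data sets, and raises an alert for every event outside those limits. The log format, the vendor names, the time windows and the dataset names are all assumptions standing in for whatever a real vendor agreement specifies.

```python
"""Detect vendor access outside contractual limits.

Added example, not code from the original article. Log format, vendor
names, time windows and dataset names are constructed assumptions.
"""
import json
from datetime import datetime, time, timezone

# Per-vendor limits as a contract might state them (assumed values).
# "window" is a [start, end) UTC time-of-day window; it may cross midnight.
VENDOR_POLICY = {
    "acme-billing": {"window": (time(8, 0), time(18, 0)),
                     "datasets": {"invoices"}},
    "nightops-msp": {"window": (time(22, 0), time(6, 0)),
                     "datasets": {"syslog", "tickets"}},
}

# Constructed access-log lines, one JSON object per line.
SAMPLE_LOG = [
    '{"ts":"2019-08-01T09:15:00Z","vendor":"acme-billing","dataset":"invoices","action":"read"}',
    '{"ts":"2019-08-01T19:30:00Z","vendor":"acme-billing","dataset":"invoices","action":"read"}',
    '{"ts":"2019-08-01T10:00:00Z","vendor":"acme-billing","dataset":"patient_records","action":"read"}',
    '{"ts":"2019-08-01T23:45:00Z","vendor":"nightops-msp","dataset":"syslog","action":"read"}',
    '{"ts":"2019-08-02T03:05:00Z","vendor":"nightops-msp","dataset":"tickets","action":"write"}',
    '{"ts":"2019-08-02T12:00:00Z","vendor":"unknown-corp","dataset":"invoices","action":"read"}',
    'not json at all',
]


def in_window(t, window):
    """True if time-of-day t lies in [start, end), handling windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_event(rec):
    """Return the policy violations for one parsed event (empty list if clean)."""
    policy = VENDOR_POLICY.get(rec["vendor"])
    if policy is None:
        # Fail closed: an account with no agreement behind it should never touch data.
        return ["unknown_vendor"]
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    reasons = []
    if not in_window(ts.time(), policy["window"]):
        reasons.append("outside_window")
    if rec["dataset"] not in policy["datasets"]:
        reasons.append("unauthorized_dataset")
    return reasons


def audit(lines):
    """Run every log line through the policy; return one alert dict per offending line."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            vendor = rec["vendor"]
            reasons = check_event(rec)
        except (ValueError, KeyError, TypeError):
            # A line we cannot interpret deserves a look, not a silent drop.
            vendor, reasons = None, ["unparseable"]
        if reasons:
            alerts.append({"line": lineno, "vendor": vendor, "reasons": reasons})
    return alerts


def alerts_by_vendor(alerts):
    """Count alerts per vendor: a first cut at judging how serious a pattern is."""
    counts = {}
    for a in alerts:
        counts[a["vendor"]] = counts.get(a["vendor"], 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for a in found:
        print(a)
    print(alerts_by_vendor(found))
```

Two design choices matter here. The checker fails closed: an event from a vendor with no policy entry, or a line the parser cannot read, produces an alert rather than being skipped, because a gap in coverage is exactly what a monitoring program for third parties must not hide. The per-vendor tally is the starting point for the "analyze the gravity" step in the article; running the same policy in the vendor's own environment, as the article suggests, is a matter of shipping this logic and the agreed limits to the vendor and comparing both sides' alerts.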
To view the original article in full, visit the following link: http://www.rmmagazine.com/2019/08/01/simplifying-third-party-risk-management/