Third Party Risk Management and Data Security: Vetting Vendors and Limiting Access

In today’s interconnected business environment, companies regularly grant third party vendors access to sensitive data to enable essential services and operations. However, high profile data breaches resulting from vulnerabilities introduced by third party relationships demonstrate the importance of thoroughly vetting vendors and limiting data access to mitigate risk. This article provides an overview of best practices organizations can implement to strengthen data security when working with external partners.

Conduct Thorough Due Diligence on Potential Vendors

The first critical step is scouring the field to select reliable vendors that make data privacy and security a top priority. Be sure to require compliance with recognized data security standards and frameworks as part of the vetting process. Examples include:

  • ISO 27001 – Establishes guidelines for organizational information security management best practices. Certified companies have implemented controls in areas such as access management, encryption, and incident management.
  • SOC 2 – Attests that service organizations have sufficient controls and safeguards for managing data based on 5 Trust Service Principles (security, availability, confidentiality, processing integrity and privacy).

In addition, review the type of privacy and security training the vendor provides to its staff. Documenting due diligence activities not only aids the vendor selection process, but also provides evidence that proper care was taken if any issues arise down the road.

Include Strong Contractual Controls

Once a vendor is selected, negotiate contracts that include provisions to safeguard sensitive data and privacy. Key clauses to consider include:

  • Requiring data encryption, access controls, and other technical safeguards to prevent unauthorized use or sharing of data
  • Obligating the vendor to immediately notify your company in the event of a data breach or other security incident
  • Allowing your company to audit the vendor’s data security and compliance practices
  • Enabling your company to exit the contract without penalty if the vendor experiences a data breach or fails to adhere to specified security standards

Maintaining compliance and ethics hotlines is key not just from a security standpoint, but also to avoid potential whistleblower issues down the line.

Limit Vendor Access on a Need-to-Know Basis

A common mistake that leaves data vulnerable is providing vendors open-ended access without restrictions. Implement controls to limit access for vendor staff to only what is necessary on a need-to-know basis.

  • Maintain a list of vendor staff authorized to access data under the contract and make clear that they cannot exceed those permissions without your consent
  • Have a process to review and revoke individual access when no longer required for a specific role or project
  • Periodically review the overall vendor relationship to determine if data access is still essential or can be restricted
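The three controls above amount to a recurring reconciliation: compare what the contract authorizes against what the identity system actually grants, and revoke or re-confirm anything that does not match. The script below is an added illustration written for this edit, not code from the original article or from Ethico. The roster, the access grants, the account and resource names, and the 90-day idle threshold are all constructed assumptions; in practice the grants would be pulled from your directory or IAM system.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from the article. The roster is what the
# contract authorizes; the grants are what the identity system actually shows.
# Account names, resource names and dates are hypothetical.
CONTRACT_ROSTER = {
    "vendor.alice": {"resources": {"billing-db-ro", "ticketing"}, "project_end": date(2025, 12, 31)},
    "vendor.bob":   {"resources": {"ticketing"}, "project_end": date(2024, 3, 31)},
}

ACCESS_GRANTS = [
    {"account": "vendor.alice", "resource": "billing-db-ro", "last_used": date(2024, 6, 1)},
    {"account": "vendor.alice", "resource": "hr-files",      "last_used": date(2024, 6, 2)},
    {"account": "vendor.bob",   "resource": "ticketing",     "last_used": date(2024, 2, 10)},
    {"account": "vendor.carol", "resource": "ticketing",     "last_used": date(2024, 5, 20)},
    {"account": "vendor.alice", "resource": "ticketing",     "last_used": date(2023, 11, 1)},
]

# Date of the periodic review (constructed so the example is reproducible).
REVIEW_DATE = date(2024, 6, 15)


def review_vendor_access(roster, grants, today, max_idle_days=90):
    """Compare live grants against the contract roster.

    Returns a list of (action, account, resource, reason) tuples. "revoke"
    means the grant has no contractual basis; "review" means it is still
    authorized but looks unused and should be confirmed with the vendor.
    The idle threshold is an assumed policy value, not from the article.
    """
    findings = []
    for grant in grants:
        account, resource = grant["account"], grant["resource"]
        entry = roster.get(account)
        if entry is None:
            # Nobody on the contract's authorized list owns this account.
            findings.append(("revoke", account, resource, "account not on the contract roster"))
            continue
        if resource not in entry["resources"]:
            # The person is authorized, but not for this resource.
            findings.append(("revoke", account, resource, "resource outside contracted scope"))
            continue
        if today > entry["project_end"]:
            # Access was tied to a project or role that has ended.
            findings.append(("revoke", account, resource, "project end date has passed"))
            continue
        idle = (today - grant["last_used"]).days
        if idle > max_idle_days:
            # Still authorized, but unused long enough to question whether it is needed.
            findings.append(("review", account, resource, f"unused for {idle} days"))
    return findings


def summarize(findings):
    """Count findings by action so the periodic review has a headline figure."""
    counts = {"revoke": 0, "review": 0}
    for action, *_ in findings:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_vendor_access(CONTRACT_ROSTER, ACCESS_GRANTS, today=REVIEW_DATE)
    for action, account, resource, reason in results:
        print(f"{action:6} {account:14} {resource:14} {reason}")
    print(summarize(results))
```

Running it on the sample data flags three grants for revocation (an account not on the roster, a resource outside the contracted scope, and a grant outliving its project end date) and one authorized but idle grant for review. Keeping the output as structured findings rather than acting on them directly lets the review be evidenced and signed off, which is the documentation point the due diligence section makes.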

Define Emergency Contacts

Despite best efforts, breaches or other incidents can still occur when working with third parties. Establish clear contacts on both your company's and the vendor's side to report urgent data privacy and security issues. Quick notification and response are essential when dealing with potential loss or exposure of sensitive data.

Build in a Process for Exiting Relationships

Even long term vendor relationships can change over time or need to be terminated. Develop procedures to remove data access, facilitate secure return or deletion of stored data, and allow for quick contract termination if the vendor disregards data handling guidelines. Planning an exit strategy in advance enables a clean break that does not put data at risk if relationships deteriorate.

Strong Due Diligence and Access Controls Mitigate Third Party Risk

While today’s data-driven world makes third party vendors nearly unavoidable for many companies, proper vetting and limiting data access can significantly reduce risks. Conducting thorough due diligence, requiring compliance with security standards, negotiating strong contracts, monitoring access, designating emergency contacts, and planning for exit are best practices that demonstrate corporate ethics and integrity around data privacy. Taking a proactive approach and implementing controls for vendor selection, onboarding, management and offboarding enables organizations to benefit from business relationships while prioritizing data security.

Learn more here about how Ethico can help with the vetting of your vendors and other third parties.

Referenced Work

SOC 2 Type 2 Report. (n.d.). Retrieved from https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

ISO/IEC 27001 Information Security Management Standards. (n.d.). Retrieved from https://www.iso.org/isoiec-27001-information-security.html

Limiting Access to PII and Managing Access Controls. (2020). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-122/final