With the introduction of regulations such as the GDPR, organizations must not only monitor their own processes, but are also responsible for ensuring that their vendors can protect the personal data of customers, employees, and prospects. The supplier assessment is a thorough evaluation of your vendors and their data-privacy practices. Carrying out these assessments protects you from partnering with substandard vendors and from the potential repercussions of non-compliance.
In part 4 of our Guide To Data Privacy And Security, we shared a few tips on how you can create an efficient third-party management program. These guidelines help to establish ownership and the purpose for each vendor by categorizing, organizing, assessing, and shaping the required documentation. Next, let's take a deeper dive into some of these concepts, starting with the supplier assessment process itself.
Asking The Right Questions
Supplier assessments should be focused on the vendor’s ability to provide quality services, but from a risk analysis perspective, we are more concerned with the security of the service provider. The most important question here should be: how does the supplier comply with existing privacy regulations and security standards?
The assessment must take place before the vendor service contract is finalized and the Statement of Work is signed. This is the perfect time to ensure the vendor meets the compliance requirements and, if necessary, it acts as an opportunity to negotiate additional security and privacy provisions. These arrangements must be based on the result of your assessment and any potential risks associated with that vendor, including:
- The type of data they will be storing and processing;
- The local privacy regulations;
- Your business requirements;
- Your contractual requirements (with your clients); and
- Their adherence to security standards.
Establishing a Security Assessment Framework
There are several questionnaires at your disposal from different organizations; probably the most popular ones are:
- Standardized Information Gathering – SIG, SIG-Lite or SIG Core – from Shared Assessments;
- Consensus Assessments Initiative Questionnaire – CAIQ or CAIQ Lite – provided by the Cloud Security Alliance (CSA).
These ready-to-be-used assessments are great tools for a comprehensive review in high-risk applications because they put together multiple norms in a pre-structured way. However convenient these standardized assessments may be, they can be expensive to procure and time-consuming to configure. In this case, one alternative is to ask yourself – is there a unique framework that addresses the most relevant safeguards?
While there is no single right answer to this question, we believe the ISO 27000 series provides a comprehensive data protection framework that would suffice for most organizations. If you put together the main controls from ISO 27001 and associate them with the basic privacy principles, you should be able to answer questions such as:
- Are there formal security programs in place?
- How is data protected?
- Is there a vulnerability management program in place?
- How is business continuity managed?
Besides security, it is important to assess suppliers based on their compliance with privacy regulations. There are particular requirements based on data breach prevention and communication, data collection, and the use of data centers.
Most privacy laws already set the tone for third-party engagement. There are legal requirements that bind the relationship even before a contract is signed. Assessing these processors or sub-processors is required based on privacy principles, such as:
- Lawfulness, Fairness, and Transparency
- Limitations on Purposes of Collection, Processing, and Storage
- Data Minimization
- Accuracy of Data
- Data Storage Limits
- Integrity and Confidentiality
You can build a set of questions based on compliance with those principles and gain a good understanding of how the vendor manages their privacy program.
Every organization invariably confronts some risks and presents vulnerabilities at a certain level. But a well-established supplier assessment process should actively minimize these risks, especially if you rely on that vendor to deliver your own service. Reviewing performance metrics, security controls, and privacy compliance can help you develop a reliable quantitative assessment of the risks posed by your supply chain.
A Guide to Data Privacy and Security
Part 2: Policies and Procedures
Part 3: Accountability
Part 5: Supplier Assessment Process (this article)
Part 6: Data Processing Agreements
Part 7: Data Categorization and Mapping
Part 8: Privacy Assurance
How Can StandardFusion Help?
StandardFusion is a comprehensive GRC software that includes extensive vendor management features, allowing privacy and security professionals to use it as a single system of record. Within the tool, users can classify vendors, create questionnaires for specific purposes or vendors, and send these assessments directly from the system. Connect with our team and see how to quickly develop a reliable supplier assessment while managing your vendors as part of your wider compliance program.