- Do you inventory ALL external relationships with your business? These are noted as third-party relationships or according to the Office of Comptroller of Currency (OCC) anyone that has a nexus with your business.
- Do you already determine a third-party risk rating or classification on all of these connections from values of critical, high, medium and low? The OCC will be satisfied with an inventory of all relationships across the business from the paper supplier to the ATM repair technician to the various services that are performed front end and back end at the business. Classifications will align with standards that are identified to properly rate each third-party. By using a system that can measure each third-party equally against those standards, you will have consistent conclusions. Even if the third-party is large and well established, this does not mean anything should be assumed given the risk and data exposure involved with the third-party and any jeopardy to the reputation or brand of the business.
- Centralize Contracts, NDA, Certificate of Insurance, Verification of Business. Third-parties should be licensed to do business in the state, certify that they are in good standing, collect Articles of Incorporation document, W9 form filled out for tax purposes, OFAC verification with the government for watchlists, and anything else pertaining to viability of the business such as profit and loss statements, cash flow and if possible, as audited financials. Capture the renewal dates and values for followup on an annual basis by default. Longer based on third-party risk rating #’s.
- Expand due diligence and vendor attestation for critical and high rated third-parties. May include onsite visits, expanded questionnaires and deeper interviews based on whether client, internal or both — data is shared with the third-party. Based on the standards established, there may also be Medium and Low third-parties that need to have some form of expanded due diligence.
A one-size fits all per rating approach will not suffice. - Residual Risk reviews and
identify mitigating remediation whether it is accepted, pending a timeline to fix, or rejected by the risk management group, business owner or anyone in information security at the business.
Along with these 5 points, why not look into Smarter Tools? Tools that allow you to capture the content, centralize it and make it easy for the third-party to respond in a secure manner when it comes to their confidential and proprietary documents and files. Augment your team with subject matter experts that can properly vet the third-parties whether 10 or 300 providing the documentation necessary to satisfy the record for any future auditors.
Beyond just automated document collection and distribution, at Mere Secure we have options available for businesses that have no formal program or for those that have a program that could use some automation and improvements via add-ons.