Press "Enter" to skip to content

Third-Party Science

Published April 10, 2019 by Markus Schmucki
Markus Schmucki 0
  1. Do you inventory ALL external relationships with your business? These are noted as third-party relationships or according to the Office of Comptroller of Currency (OCC) anyone that has a nexus with your business.
  2. Do you already determine a third-party risk rating or classification on all of these connections from values of critical, high, medium and low? The OCC will be satisfied with an inventory of all relationships across the business from the paper supplier to the ATM repair technician to the various services that are performed front end and back end at the business. Classifications will align with standards that are identified to properly rate each third-party. By using a system that can measure each third-party equally against those standards, you will have consistent conclusions. Even if the third-party is large and well established, this does not mean anything should be assumed given the risk and data exposure involved with the third-party and any jeopardy to the reputation or brand of the business.
  3. Centralize Contracts, NDA, Certificate of Insurance, Verification of Business. Third-parties should be licensed to do business in the state, certify that they are in good standing, collect Articles of Incorporation document, W9 form filled out for tax purposes, OFAC verification with the government for watchlists, and anything else pertaining to viability of the business such as profit and loss statements, cash flow and if possible, as audited financials.  Capture the renewal dates and values for followup on an annual basis by default. Longer based on third-party risk rating #’s.
  4. Expand due diligence and vendor attestation for critical and high rated third-parties. May include onsite visits, expanded questionnaires and deeper interviews based on whether client, internal or both — data is shared with the third-party. Based on the standards established, there may also be Medium and Low third-parties that need to have some form of expanded due diligence. A one-size fits all per rating approach will not suffice.
  5. Residual Risk reviews and identify mitigating remediation whether it is accepted, pending a timeline to fix, or rejected by the risk management group, business owner or anyone in information security at the business.

Along with these 5 points, why not look into Smarter Tools? Tools that allow you to capture the content, centralize it and make it easy for the third-party to respond in a secure manner when it comes to their confidential and proprietary documents and files.  Augment your team with subject matter experts that can properly vet the third-parties whether 10 or 300 providing the documentation necessary to satisfy the record for any future auditors.

Beyond just automated document collection and distribution, at Mere Secure we have options available for businesses that have no formal program or for those that have a program that could use some automation and improvements via add-ons.

Markus Schmucki

Markus Schmucki

Markus Schmucki is the Founder, CEO & President at MereSecure Inc. a company focused on a software product called XMS. The platform helps organizations send documents and forms with clients, consultants, customers, sales prospects, vendors and suppliers. Markus previously was a co-founder of ExactBid for 15 years. His prior roles included VP Engineering, VP Product Development, VP Operations and Professional Services along with Chief Information Security Officer. He has experience in software engineering design, database design and in various information technology roles. He volunteers at non-profits helping with technology decisions. Markus has a Bachelor of Science in Aerospace Engineering degree from San Jose State University. He has resided in California for more than 30 years.

Published in Consulting, Credit Unions, Finance & Accounting, FinTech Companies, Industries, Information Security, Insurance Brokers, Mortgage Brokers, Uncategorized and Vendor Management