Developing a Third-Party Risk Management Policy: Best Practice Guide

Understand Your Regulatory Landscape

When designing policies and procedures, consider broad compliance requirements affecting business operations. For example, if your company handles protected health information (PHI), your third-party risk management policies should specify how and when to share this information with other organizations. Under HIPAA, third parties—and any further parties involved—must apply the same safeguards as your organization when handling PHI. Non-compliance can lead to substantial fines for your organization and any business partners.

Many information security requirements strictly limit the types of data you can share with third parties. Be sure to consider requirements specific to individual business units as well. For example, GDPR imposes strict rules on storing, protecting, and transferring data from European nationals. In many cases, only one department may handle European data. Rather than relying on industry assumptions, assess the types and volumes of data collected across your organization to determine precise compliance needs.

Clearly define in your policies what information you share with third parties, when you share it, and the protocols to protect it. Requiring third-party organizations that handle sensitive data to comply with standards like SOC 2 or HIPAA can strengthen security. Without these safeguards, you risk non-compliance with regulatory requirements and potential reputational damage if a third-party data breach occurs. Always conduct thorough due diligence before sharing sensitive information with any third party.

Base Your Third-Party Risk Management Policies on Widely Accepted Standards

Fortunately, you don’t need to develop all the controls yourself. When planning your third-party risk management program, you can borrow from widely accepted third-party risk management frameworks such as NIST SP 800-161 or Shared Assessments TPRM Framework.

Pre-built frameworks offer excellent guidance on the controls to include in your third-party risk management policies. Third-party risk can take various forms. By adhering to a battle-tested framework, you can ensure that your vendor risk management is comprehensive.

In addition, you can utilize other frameworks, such as NIST CSF 2.0 and ISO 27036, to help you design your vendor risk assessment questionnaires. Questionnaires are essential to the vendor risk management lifecycle and should be mandatory for all new service providers. Third-party risk management policies should specify how and when business units must administer security questionnaires and define acceptable levels of residual risk.

We recommend reviewing Shared Assessments and NIST 800-161 to help you plan your program's look and the types of controls worth including. You can then pick specific controls from standard information security frameworks. Often, U.S.-based organizations rely on NIST, while companies in Europe, Asia, and Africa tend to choose ISO.

Require Standardized Third-Party Documentation

Ensure your organization operates from a standard documentation set when dealing with third-party relationships. Non-disclosure agreements, third-party risk questionnaires, and service level agreements (SLAs) should be uniform throughout the procurement lifecycle. Standardization is particularly important when creating your organization's vendor risk assessment questionnaire. Without a standardized vendor evaluation process, you can’t compare different vendors based on the level of risk they pose to your organization.

Third-party risk policies should require evaluating third-party vendors based on their risk level and mandate remediation for high-risk vendors before they join the supply chain. Continuously monitor vendors for cybersecurity, operational, and compliance risks throughout the business relationship. Just because an organization was low-risk at the time of onboarding does not mean it will remain so.

Consider 4th Parties in Your Risk Policies

Larger businesses with extensive networks of third-party contractors are especially vulnerable to security risks. When a third party subcontracts a fourth party, weak security practices at any level can expose your organization’s data to malicious actors. Criminal groups often exploit vulnerabilities in these extended networks, working their way through subcontractors to access sensitive information.

To mitigate these risks, contracts with suppliers must include provisions for fourth parties. If a third-party vendor is permitted to subcontract, the SLA should require the fourth party to follow the same cybersecurity guidelines as the primary organization. Regulators can still hold a corporation liable and impose fines if a fourth party causes a data leak, even if the corporation was unaware of it.

Vendor Risk Policy Checklist

Here are some recommended controls to include in your third-party risk management policy:

General

• Require vendors to complete a standardized risk assessment questionnaire before onboarding.

• Use profiling and tiering to establish a consistent vendor assessment methodology.

• Score and track inherent and residual risks to identify vendors posing the greatest risk.

• Monitor vendors continuously after onboarding.

• Reevaluate vendors periodically to assess changes in risk level.

• Automate communications with workflows and ticketing.

• Use flexible risk weightings to specify the importance of individual risks.

Compliance

• Evaluate third-party vendors for compliance issues before onboarding.

• Document and retain records of all data shared with third parties.

• Require third parties holding organizational data to correct non-compliant practices before accessing sensitive information.

• Monitor business developments across extensive sources to identify regulatory, reputational, or legal risks.

• Recommended: Require vendors to obtain information security certifications before onboarding.

Information Security

• Continuously monitor vendors for cybersecurity risks throughout the contract period.

• Contractually require vendors to notify the organization of any security breach or suspected breach.

• Review vendor security policies thoroughly and cross-check against questionnaire responses.

• Ensure vendors delete all organizational data upon contract termination.

• Include clear data protection clauses in all third-party contracts.

• Trigger actions such as notifications, tasks, risk score adjustments, and accelerated mitigation.

• Transform vendor cyber and business event data into actionable risks for real-time visibility.

• Maintain a unified risk register to correlate cyber and business risks with assessment results, validating vendor control data.

• Utilize deep/dark web cyber monitoring for real-time risk intelligence.

Operations

• Require vendors to update on key personnel, financials, and other factors impacting the supply chain.

• Have each department submit vendor data to a central repository.

• High-risk vendors are required to remediate risks to acceptable levels to maintain engagement.

• Contractually obligate third-party vendors to follow offboarding procedures, including returning equipment and badges and deleting sensitive information.

• Consider fourth parties and beyond when drafting SLAs and other critical contracts.

Third-Party Risk Management Policies and Practices Next Steps

By adopting third-party risk control strategies and procedures, your organization can navigate the complexities of vendor risk, support stronger security practices, and maintain compliance across all stages of the vendor lifecycle. Leverage a dedicated TPRM solution to streamline and automate these critical processes.

Discover how you can simplify third-party risk management with Prevalent. Schedule a strategy call or demo today.