TPRM

“Third Party Risk Management (TPRM) is the process of identifying, assessing, and controlling risks presented through the lifecycle of a relationship with third parties.

“Third parties can perform any number of activities and services both internally and externally at a company, from landscaping and cleaning services, to managing intellectual property, processing customer data, outsourcing business functions, and countless other activities.”

“The average company has nearly 600 vendors who have access to customer personally identifiable information (PII).”

“Because they have access to your customer data or your network, performing due diligence on your third parties is crucial. TPRM amasses all the relevant information from the vendor to gather, review, and provide guidance on their risks. It is an end‐to‐end process, from the intake of the vendor to their offboarding when their service is no longer needed.”

“A large firm in a highly regulated sector will have a department of resources with well‐defined policies and processes to guide the risk oversight from end‐to‐end, while a smaller entity will not.”

“Lines of defense: In organizations large enough, create at least three lines of defense:

First line of defense: Business owners (of the service/product of the vendor).

The First Line of Defense is embedded in the daily business operations. Operational management identifies risk and then assesses, mitigates, and controls it.

Second line of defense: Third‐party oversight group. The role is to monitor the First Line of Defense for adherence to policies and procedures.”

Third line of defense: The internal/external audit teams (for observance to the policy).

“The Third Line of Defense contains the internal auditors whose role is to act as independent auditors and advisors to executive leadership and/or the board of directors.”

“The basics for all these frameworks follow:

Inventory: Design a process to keep stock of all vendors for the company.
Risks: Establish a list of all risks (cybersecurity, in our case) that the company can be exposed to from third parties.
Risk‐based approach: Create categories and risk levels (e.g., high, medium, low) to focus on critical risks.
Due diligence process: Design a process to review and produce risk profiles for vendors that fit the risk levels you have set.
Stakeholders and decision‐makers: Ensure you have identified a decision‐making team for governance and decisions.
Benchmarks: Set thresholds and alert levels to measure your adherence to the program.”

“Data security includes the creation of and adherence to policies, methods, and means to secure protected data. Data privacy includes the proper use, collection, deletion, and storage of protected data.
Data security revolves around the CIA triad—Confidentiality, Integrity, and Availability—where all the people, processes, and practices involved to secure data ensure that it is not accessed improperly (Confidentiality), that it is not altered without proper authorization (Integrity), and that it is available to the authorized users when needed (Availability). Any data security program will speak to the requirements to collect only required data, protect it through encryption, and securely destroy it when no longer required for use and retention.
When collecting or processing personal data, the users/owners of that data have an expectation that it will be used in the ways to which they agreed for its use and processing. Regulations like GDPR, CPRA, and others are enforcement mechanisms to ensure that if an organization does not correctly inform, use, store, process, or resell private information, it is held financially responsible.”