Types of Risk Assessment
- Privacy Assessment: Evaluates how third parties handle, store, and process sensitive and personal data, ensuring adherence to privacy laws and regulations.
- Cybersecurity Assessment: Reviews the third party's cybersecurity policies, practices, and infrastructure to ensure they have adequate measures to protect against cyber threats and data breaches.
- Compliance Assessment: Checks whether the third party complies with relevant industry standards, regulatory requirements, and contractual obligations.
Frequency
- Initial Assessment: Conducted before establishing any formal relationship with the third party to ensure they meet our security standards.
- Annual Review: Each third party undergoes a comprehensive annual reassessment to ensure ongoing compliance with our security requirements.
- Event-Triggered Assessment: Additional assessments are performed in response to significant changes in the third party's services or operations, or in the event of a security incident.
Areas of Controls Assessed
- Data Security: Evaluation of encryption practices, data handling procedures, and data retention and destruction policies.
- Access Control: Review of user access management, authentication mechanisms, and authorization processes.
- Network Security: Assessment of network architecture, firewalls, intrusion detection systems, and other defenses against external and internal threats.
- Incident Response and Management: Examination of the third party's ability to respond to and recover from security incidents, including their incident response plan and communication protocols.
- Employee Training and Awareness: Verification of regular security training programs for the third party's employees, including awareness of phishing and other cyber threats.
- Physical Security: Inspection of physical access controls, surveillance systems, and environmental controls at the third party's facilities.
- Business Continuity and Disaster Recovery: Assessment of the third party's ability to continue operations and recover from a disaster or significant operational interruption.
- Regulatory Compliance: Review of the third party's adherence to relevant legal and regulatory requirements, including GDPR, HIPAA, or SOX, depending on the nature of their services.
Our Information Security Risk Assessment Program for third parties ensures that we engage with partners who uphold robust security standards, thereby protecting our organization from potential security and compliance risks.