Vendor Security Definitions

VENDOR SECURITY TERMS

Third Party:  people or entities who are not employees, but work on behalf of an organization. They may include consultants, business partners, subcontractors, and suppliers. Third parties that access customer or company confidential data present unique risks due to the inability to directly address how they control access to the data.

Due Diligence:  A term that originates in US jurisdiction and is understood to mean the care required before entering a transaction. Before entering into a contract with a third party, an organization should take reasonable steps to detect risks and to verify the facts that underlie the business decision.

Third Party Risk Management (TPRM):  the process of identifying and managing the risks created when hiring a third party, based on the nature of the services provided by the third party. Generally, the primary focus is on data protection/privacy and IT security controls.

Risk Rating:  the establishment of tiers/classifications to prioritize the level of risk that a third party presents to an organization based on the nature of the services they provide. For example, a vendor that has access to private customer data or personal health information would require the most stringent controls.

Controls:  business practices, processes, and technology put in place to prevent loss from risks that are identified during risk assessments. Examples of controls are requiring background checks for new employees, establishing onboarding procedures for privacy and information security policy training, requiring periodic review of a vendor's incident response plan, or enforcing a complex password policy. See also: the CIS Controls.

Inherent Risk:  the amount of risk an organization is exposed to before any controls are implemented. A vendor that has access to private customer data would present a higher inherent risk than a vendor that accesses no data.

Residual Risk:  A measure of the risk that remains after security controls have been applied.

Questionnaires:  A way to evaluate a third party vendor's risk. There can be many types of questionnaires, such as security, privacy, administrative, and operational. Potential third party vendors respond to an organization's customized spreadsheet or to industry-standard questionnaires such as Shared Assessments' SIG or SIG Lite, the Cloud Security Alliance's CAIQ or CAIQ-Lite, and the Vendor Security Alliance Questionnaire, to determine whether they comply with industry-standard and regulatory requirements for information security.

Risk Acceptance:  Accepting a third party vendor's response to questionnaires without requiring any additional actions.

Risk Remediation:  Requiring a third party vendor to fix information security vulnerabilities identified through the evaluation process.

Data Classification Policy:  Data classification is the process of organizing data into categories for data protection and compliance purposes. The data classification policy defines the level of sensitivity or risk of data under a company's control. See also: Federal Information Processing Standards (FIPS 199); Data Classification for the Masses.