This blog is the first in a series exploring how organizations can prevent or mitigate the severity of a third-party data breach or cyber exploit by implementing a variety of cybersecurity risk management controls such as assessing compliance with regulations, vetting third-party security practices, and establishing data breach and cyber exploit incident response procedures. While the complexity of cyber risks intensifies, together with an increasingly challenging privacy and security regulatory environment, the overall maturity of third-party risk management programs is barely keeping up. Resource constraints, a lack of standardization of risk assessment processes and the difficulty of determining the “source of truth” of data held by third parties continue to dog many organizations.
Part 1 – Ensuring Compliance With Data Protection and Privacy Regulations
As states continue to promulgate new data privacy and security regulations, including the California Consumer Privacy Act (CCPA), it is increasingly vital that organizations ensure that third parties providing critical infrastructure or operational support, or with access to personal and other sensitive information such as financial, health and other regulated data (sensitive data), comply with not only such states’ laws but also federal and international prescriptive regulatory controls and processes, by considering the following steps:
- Data inventory. Organizations must determine what types of sensitive data third parties access, store, process, use and/or transfer on the organization’s behalf. Organizations then need to determine which of these regulations apply to that sensitive data, as several different regulations may control the same sensitive data elements. In making this determination, organizations may wish to conduct a sensitive data assessment of their third parties via a brief questionnaire. But to be effective, the questionnaire must be distributed among every potential third-party holder of sensitive data to ensure that no potential pool of sensitive data is overlooked.
- Risk assessment. Organizations should identify all their vendors and other third parties, together with their subcontractors, that store or process sensitive data or provide critical infrastructure or operational support, and subsequently assess and prioritize the level of risk associated with such vendors and third parties. (A discussion of how to assess such level of risk will follow in a future blog in this series.)
- Gap analysis. Organizations should perform gap analyses to assess the current state of sensitive data protection regulations and identify how the organization’s sensitive data flows to, and is used by, third parties and their subcontractors.
- Contract review. Organizations often have a legal obligation to establish specific contractual terms between them and third parties that store, access or process sensitive data, with the terms clearly defining the roles, responsibilities and liabilities of both parties.
- Privacy impact assessment (PIA). Conduct a sensitive data PIA to identify and mitigate the sensitive data privacy and security risks of third parties. The PIA should address the following areas:
  - Data: The types of sensitive data, where this sensitive data is stored, and how it is used and deleted.
  - Access: The individuals, departments and systems that have access to sensitive data.
  - Control: The current policies and procedures for sensitive data collection, use and compliance, and how controls are checked and documented.
- Continuous monitoring: Continuously monitor the third parties and their subcontractors to identify sensitive data privacy and security risks, and set alerts for high-risk third parties and their subcontractors.
- Policies: Organizations should assess whether third parties maintain written, enforceable policies that contain processes, controls and other governance that require the third parties to comply with their obligations under applicable data privacy and security regulations.
Part 2 of this blog series will examine procedures for addressing third parties’ noncompliance with an organization’s security requirements.