Third Party Services and Privacy Risk: Establishing a Framework for Mitigating Risk
-- By AliJimenez - 11 Mar 2022
The Need for Third Party Vendor Services
Companies have increasingly relied upon vendors for services. A third party vendor has been defined as “a person or company that provides services for another company (or that company’s customers).” These services range from cloud web hosting, cloud-based software solutions, and equipment maintenance to HVAC servicing and general contracting. Companies often establish vendor relationships because a service is unavailable in-house, or because they are attempting to minimize costs. Yet the use of these services creates privacy risks for both individuals and the company itself.
Privacy Concerns Within Third Party Vendor Services
Third Party Vendors are Prone to Hacking
With the rise of outsourcing to third party vendors, there has been an additional need to establish safe vendor relationships, because the choice to utilize vendors has led to significant cyber breaches. Essentially, while a company itself can establish high security standards and effective risk management policies, a vendor that does not have similar controls can leave the company in a compromised position. Additionally, cybercrime has risen during the COVID-19 pandemic, and remote work has simultaneously left companies and vendors more at risk of cybersecurity threats.
Risk Extends Beyond the Primary Vendor
Although companies consciously decide to outsource their needs, and with them their data, to third-party vendors, the scope of privacy risk is larger than that single decision suggests, because third-party vendors also utilize their own third-party vendors. Thus, organizations must understand how their data is being further outsourced. Making matters worse, third-party risks are not limited to attacks on the vendors themselves. With the frequent use of cloud storage, companies are even more susceptible to privacy breaches and data exposures caused by their vendors.
Risk Relating to Third Parties Retains with the Primary Company
While data breaches are not always at the hands of the original organization, customers will always associate these breaches with the company they are doing business with. Thus, even if a breach is the result of a third-party service provider, the organization is seen as the source of that privacy concern. This also presents legal issues, since the organization itself often will have difficulty showing the steps it took to mitigate risk and will retain responsibility even if a third party handled its data. It is therefore essential for organizations to set up strong cyber vendor management procedures, not only for their customers but for their own safety.
Potential Solutions to Maintaining Privacy Amidst Third Party Vendor Use
As a result of all of these risks and implications, the Department of Financial Services issued guidance identifying several areas of heightened cybersecurity risk as a result of the COVID-19 crisis. Under the four-step gradually phased plan, companies must comply with stricter cybersecurity regulations. Applicable to mitigating vendor cyber risks, under the fourth phase of this plan, companies must maintain a third-party service provider policy. To do so, companies must certify implementation of a vendor diligence program that includes procedures to identify and assess vendor risks.
Vendor Management Framework
Identifying the Risk
To establish an effective framework, a company should identify the risks associated with engaging with its vendors and rank its vendors by risk levels.
To identify risk levels, the company must first identify vendors and potential vendors that will obtain access to its internal systems and its confidential data. Based on this information, the company should initiate the process to evaluate the level of risk involved in working with the vendor through the use of questionnaires. After administering questionnaires, companies should assess and rank vendors by the level of risk presented—low, medium, or high.
Implementing Controls
With established risk levels in place, the company should then implement the necessary controls. These controls should be included in the cybersecurity vendor management policy and should be tailored to mitigate the distinct risks posed by each risk level. Not all risk levels necessitate the same controls. For example, a vendor identified as high-risk because it requires customers' social security and payment information would need more stringent controls than a low-risk vendor that requires minimal amounts of personal information. Once controls are determined, companies must outline their cybersecurity expectations through contractual provisions.
Outlining Contractual Provisions
If the company chooses to engage with medium- and high-risk vendors, it is essential to implement adequate contractual provisions. Outlining clear cybersecurity expectations ensures that a company has proper protections in place to mitigate the risks involved with medium- and high-risk vendor relationships. To safeguard company interests, the contractual provisions should cover expectations such as cyber standards, incident management controls, and risk mitigation procedures.
Conclusion
As previously stated, cybersecurity threats are becoming more prominent. Preventing these threats from occurring entirely is impossible, but establishing an effective vendor management framework that takes a risk-based approach to vendor obligations can minimize these threats and the breaches they cause.