
Third-Party Vendor Risk Management Policies: Best Practices to Implement Now

Building a clear set of policies can help propel your organization’s third-party risk management practices and ensure that risk is considered throughout the due diligence process and vendor lifecycle.
Brenda Ferraro
Vice President of Third-Party Risk
June 03, 2021

Third-party risk management (TPRM) policies establish guidelines and practices for how organizations assess, monitor, remediate and report on the risk posed by vendors, suppliers and business partners.

Why TPRM Policies Are Important

Many organizations overlook the importance of having a clear, standardized and actionable set of cybersecurity policies and procedures. Third-party risk management policies are even more critical. No matter how good your own security posture is, poor third-party risk management leaves your data and supply chain exposed to risk you do not control. Many organizations have suffered significant disruptions, and even lost vast amounts of customer data, through breaches at third, fourth and even Nth parties. It has never been more important to have a clearly defined vendor onboarding process with standardized risk assessment questionnaires and metrics.

Designing a set of third-party risk management policies can seem daunting. You may have to consider hundreds of vendor relationships across dozens of departments, including operations, technology and accounting. Some relationships may already exist, and some may be in the process of onboarding. Consult stakeholders across these departments throughout the process to make sure that your policies are implementable and applicable to every part of the organization.

Consider Compliance When Drafting Third-Party Risk Management Policies

Before you begin writing your third-party risk management policies, take the time to review the regulatory and contractual compliance requirements that apply to your organization. Here are some of the regulations, frameworks and standards that commonly carry third-party obligations:

CCPA

The California Consumer Privacy Act (CCPA) regulates businesses' collection and sale of consumer data to protect California residents' personal information and to give consumers control over how that information is used.

Cloud Security Alliance CAIQ

The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ) was developed as an industry-standard way for cloud providers to document their security controls, and it can be used to support security evaluations of IaaS, PaaS, SaaS and other cloud service providers.

CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a framework from the U.S. Department of Defense designed to protect the defense industrial base from increasingly frequent and complex cyberattacks and to ensure that the national defense supply chain is secure and resilient.

EBA Outsourcing Guidelines

The European Banking Authority (EBA) Guidelines on Outsourcing Arrangements set out specific provisions for how European banks and other financial institutions govern outsourcing arrangements, and for the related supervisory processes.

FCA FG 16/5

The Financial Conduct Authority (FCA) regulates financial firms providing services to consumers and maintains the integrity of the financial markets in the United Kingdom. FCA FG16/5 is the FCA's guidance for firms outsourcing to the cloud and other third-party IT services, and it is designed to help firms oversee every stage of the lifecycle of an outsourcing arrangement.

FFIEC IT Examination Handbook

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body empowered to establish uniform principles, standards and guidelines for the federal examination of financial institutions. The FFIEC IT Examination Handbook is a series of booklets, each covering a specific topic of interest to field examiners, that prescribe uniform principles and standards for financial institutions; its Outsourcing Technology Services booklet deals directly with third-party relationships.

GDPR

The General Data Protection Regulation (GDPR) is a privacy law that governs the collection, use, movement and protection of the personal data of individuals in the European Union (EU). It applies to any organization that collects, stores, processes or transfers personal data of individuals in the EU, regardless of where the organization is located.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), through its Privacy and Security Rules, sets national standards for protected health information (PHI): when it may be used or disclosed, and how it must be safeguarded. Those obligations extend to the business associates that handle PHI on a covered entity's behalf.

ISO/IEC 27001 and Related Standards

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) assemble experts to develop international standards. ISO/IEC 27001 sets requirements for establishing, implementing, maintaining and continually improving an information security management system; ISO/IEC 27002 provides guidance on the controls, ISO/IEC 27018 covers protection of PII in public clouds, ISO/IEC 27036-2 covers information security in supplier relationships, and ISO/IEC 27701 extends 27001 to privacy information management.

Interagency Guidance on Third-Party Relationships

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) issued the Interagency Guidance on Third-Party Relationships to help U.S. banking organizations manage the risks associated with their vendor and supplier relationships. Its goal is to bring uniformity and consistency to how banking organizations develop and enforce risk management principles for third-party relationships.

NERC CIP

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards establish cybersecurity requirements for electric power and utility companies to ensure, preserve and prolong the reliability of the bulk electric system (BES).

NIST

The National Institute of Standards and Technology (NIST) is a federal agency within the U.S. Department of Commerce. Several NIST publications, including Special Publications 800-53 and 800-161 and the NIST Cybersecurity Framework (CSF), contain specific controls and practices that require organizations to establish processes to identify, assess and manage supply chain risk.

SHIELD Act

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data protection law that applies to organizations that collect personal information from residents of New York State. It is designed to improve cybersecurity protections and data breach notification procedures.

NY CRR 500

The New York State Department of Financial Services (DFS) instituted 23 NYCRR Part 500 to establish cybersecurity requirements for the financial services companies it regulates. The regulation is designed to protect the confidentiality, integrity and availability of customer information and related IT systems.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was developed to enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. The standard applies to all entities that store, process or transmit cardholder data.

SOC 2

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) developed the trust services criteria (security, availability, processing integrity, confidentiality and privacy) as a framework for reporting on an organization's controls over its systems and data. Organizations familiar with System and Organization Controls (SOC) 2 audits will recognize that these criteria are used to report on the effectiveness of internal controls and safeguards over infrastructure, software, people, procedures and data.


Additional Compliance Considerations

When designing your policies and procedures, make sure to consider broad compliance requirements that may affect business operations. For example, if your company handles protected health information (PHI), use your third-party risk management policies to spell out exactly how and when that information is shared with other organizations. Under HIPAA, business associates and their subcontractors must comply with the Security Rule and the applicable provisions of the Privacy Rule, and those obligations have to flow down the chain through business associate agreements. Failure to comply can result in large fines for you and for your business associates down the chain.

Many information security requirements place strict limits on the types of data that can be shared with third parties. Pay attention as well to requirements that affect individual business units. For example, GDPR places strict limitations on how the personal data of individuals in the EU is stored, protected and transferred, and in many cases only one department, such as marketing, works with that data. It is critical to assess the types and quantities of data gathered across the organization to determine your compliance needs, rather than making assumptions based on your industry.

Your policies should clearly define what information is shared with third parties, when it is shared, and what the protocols are for ensuring the information is protected. In many cases, you may want to require that third parties handling sensitive data demonstrate conformance with an independent standard or regulation, such as a SOC 2 report or HIPAA. Failure to do so could result in non-compliance with critical regulatory requirements, as well as reputational damage should a third party experience a data breach. Before providing a third party with sensitive information, conduct thorough third-party due diligence.


Base Your Third-Party Risk Management Policies on Widely Accepted Standards

Fortunately, you don't need to come up with all the controls yourself. When planning your third-party risk management program you can borrow from widely accepted third-party risk management frameworks such as NIST SP 800-161 or the Shared Assessments TPRM Framework. These pre-built frameworks provide excellent guidance on the types of controls that belong in your third-party risk management policies. Third-party risk comes in many forms, and adhering to a proven framework helps ensure that your vendor risk management is comprehensive.

In addition, you can use other frameworks such as NIST CSF v1.1 and ISO/IEC 27036 to help design your vendor risk assessment questionnaires. Questionnaires are an essential part of the vendor risk management lifecycle and should be mandatory for all new service providers. Third-party risk management policies should clearly stipulate how and when business units are required to administer questionnaires, and define the acceptable level of residual risk.

We recommend reviewing Shared Assessments and NIST SP 800-161 to plan what your program needs to look like and which types of controls are worth including. You can then pick specific controls for your questionnaires from standard information security frameworks. In our experience, U.S.-based organizations often rely on NIST, while companies in Europe, Asia and Africa often choose ISO.

Require Standardized Third-Party Documentation

Make sure that your organization operates from a standard set of documentation when dealing with third-party relationships. Non-disclosure agreements, third-party risk questionnaires and service level agreements (SLAs) should be as uniform as possible throughout the procurement lifecycle. Standardization is particularly important for your vendor risk assessment questionnaire: without a standardized evaluation process, you cannot compare vendors by the level of risk they pose to your organization.


Third-party risk policies should stipulate that vendors are evaluated based on their level of risk and that high-risk vendors must remediate findings before becoming part of the supply chain. Vendors should also be continuously monitored for cybersecurity, operational and compliance risk throughout the relationship: a vendor that was low-risk at onboarding will not necessarily remain so.

Consider 4th Parties in Your Risk Policies

Larger businesses with hundreds of third-party contractors are the most likely to have fourth-party exposure. A fourth party is a provider subcontracted by one of your third parties. If the subcontractor does not adhere to the same information security practices as the primary contractor, malicious actors may be able to reach your organization's data through it: in many cases, criminal groups compromise the weaker fourth party and pivot through its access into the third party, and from there into your environment, until they find the PII they are looking for.

Contracts between your business and its suppliers must therefore include provisions for fourth parties. If a third party is permitted to subcontract, the contract and SLA should require the fourth party to follow the same cybersecurity requirements as the third party, and should require the third party to disclose which subcontractors handle your data. If your organization was unaware that a fourth party was involved and that fourth party turns out to be the source of a data leak, you may still be held liable and fined by regulators.


Vendor Risk Policy Checklist

Still concerned about whether your third-party risk management policies are comprehensive enough? Here are some controls we recommend building into them. For a longer list, see our Vendor Risk Management Checklist post.


  • Vendors required to complete standardized vendor risk assessment questionnaire prior to onboarding

  • Profiling and tiering to implement a repeatable methodology for assessing vendors

  • Inherent and residual risk scoring and tracking to clearly identify which vendors present the most impactful risks to the business

  • Continuous monitoring after onboarding

  • Vendors are periodically reevaluated to determine if their level of risk has changed

  • Workflows and ticketing to automate communications

  • Flexible risk weightings that granularly define the importance of specific risks to the business


  • Third-party vendors are evaluated for compliance concerns prior to onboarding

  • Data shared with third parties is carefully documented and retained

  • Third parties storing your organization’s data are required to remediate non-compliant practices prior to receiving sensitive information

  • Business monitoring from hundreds of thousands of sources providing intel on business, regulatory, reputational, or legal issues

  • Optional: Vendors are required to obtain information security certifications prior to onboarding

Information Security

  • Vendors are continuously monitored for cybersecurity risk throughout the contract

  • Cyber monitoring from deep/dark web for real-time risk intelligence insights

  • Unified risk register that correlates cyber and business risk events with assessment results to validate vendor-reported control data

  • Transform incoming vendor cyber and business event data into actionable risks, giving you real-time risk visibility

  • Trigger actions like sending notifications, creating tasks or flags, elevating risk scores, accelerating the risk mitigation process

  • All contracts with third parties have clear language denoting how data shared with third parties is protected

  • Vendor agrees to delete all organization data upon contract termination

  • Vendors contractually obligated to notify the organization of any security breach or suspected data breach

  • Vendor security policies are thoroughly reviewed and checked against vendor questionnaire answers


  • Vendor required to provide updates on key personnel, financial, and other areas that could impact supply chain

  • Each department is required to submit vendor data to a central repository

  • Vendors deemed to be “high-risk” required to remediate risks to an acceptable level in order to work with the organization

  • Third-party vendors contractually required to adhere to clear offboarding instructions including the return of equipment, lanyards, badges, and the deletion of any passwords or other sensitive information

  • Fourth parties and beyond are considered when drafting SLAs and other key contracts
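Several checklist items above (profiling and tiering, inherent and residual risk scoring, flexible risk weightings, the rule that high-risk vendors remediate before onboarding, and periodic re-evaluation) describe a scoring and gating process without showing one. The following is an added example, not code from the original post or from any vendor's product, of how such a process can be implemented so that results are repeatable and comparable across vendors. Every weight, tier cut-off, residual-risk tolerance and reassessment interval in it is an assumption chosen for the demonstration, not a published methodology, and the vendor profiles and questionnaire answers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict

# Illustrative example only. All weights, cut-offs, tolerances and cadences
# below are assumptions chosen for the demo, not a published methodology.

# --- Profiling and tiering: inherent risk from intake attributes -------------
DATA_SENSITIVITY = {"public": 0, "internal": 2, "pii": 4, "phi_or_cardholder": 6}
ACCESS_LEVEL = {"none": 0, "read": 2, "write": 3, "privileged": 5}
CRITICALITY = {"low": 1, "medium": 2, "high": 4}
SUBCONTRACTOR_PENALTY = 2  # fourth-party exposure raises inherent risk


@dataclass
class VendorProfile:
    name: str
    data_sensitivity: str  # key of DATA_SENSITIVITY
    access_level: str      # key of ACCESS_LEVEL
    criticality: str       # key of CRITICALITY
    uses_subcontractors: bool = False


def inherent_score(p: VendorProfile) -> int:
    """Inherent risk: what the relationship could expose before any controls."""
    score = (DATA_SENSITIVITY[p.data_sensitivity]
             + ACCESS_LEVEL[p.access_level]
             + CRITICALITY[p.criticality])
    return score + (SUBCONTRACTOR_PENALTY if p.uses_subcontractors else 0)


def tier_for(inherent: int) -> int:
    """Tier 1 is the highest-risk tier (assumed cut-offs)."""
    if inherent >= 12:
        return 1
    if inherent >= 7:
        return 2
    return 3


# --- Questionnaire scoring: residual risk after weighted control effectiveness
DOMAIN_WEIGHTS = {
    "access_control": 0.25, "encryption": 0.25, "incident_response": 0.20,
    "subcontractor_flowdown": 0.15, "continuity": 0.15,
}
EFFECTIVE_THRESHOLD = 0.5                      # below this a domain is a gap
RESIDUAL_TOLERANCE = {1: 3.0, 2: 4.0, 3: 5.0}  # tighter limit for riskier tiers
REASSESS_EVERY = {1: timedelta(days=365), 2: timedelta(days=730),
                  3: timedelta(days=1095)}


def residual_score(inherent: int, answers: Dict[str, float]) -> float:
    """answers maps a domain to its control-effectiveness score in [0, 1].
    Unanswered domains earn no credit, so missing evidence never lowers risk."""
    for domain, value in answers.items():
        if domain not in DOMAIN_WEIGHTS:
            raise ValueError(f"unknown questionnaire domain: {domain}")
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"effectiveness for {domain} must be in [0, 1]")
    effectiveness = sum(w * answers.get(d, 0.0) for d, w in DOMAIN_WEIGHTS.items())
    return round(inherent * (1.0 - effectiveness), 2)


def onboarding_decision(p: VendorProfile, answers: Dict[str, float]) -> dict:
    """Gate: residual risk above the tier's tolerance must be remediated before
    onboarding, and an incomplete questionnaire never passes on the strength of
    the domains that were answered."""
    inherent = inherent_score(p)
    tier = tier_for(inherent)
    residual = residual_score(inherent, answers)
    missing = [d for d in DOMAIN_WEIGHTS if d not in answers]
    gaps = sorted((d for d in DOMAIN_WEIGHTS
                   if answers.get(d, 0.0) < EFFECTIVE_THRESHOLD),
                  key=lambda d: -DOMAIN_WEIGHTS[d])  # heaviest weight first
    if missing:
        decision = "incomplete"
    elif residual > RESIDUAL_TOLERANCE[tier]:
        decision = "remediate"
    else:
        decision = "approve"
    return {"vendor": p.name, "inherent": inherent, "tier": tier,
            "residual": residual, "decision": decision,
            "gaps": gaps, "missing": missing}


def reassessment_due(tier: int, last_assessed: date, today: date) -> bool:
    """Periodic re-evaluation cadence driven by tier (assumed intervals)."""
    return today - last_assessed >= REASSESS_EVERY[tier]


if __name__ == "__main__":
    # Constructed sample intake profiles and questionnaire answers.
    payroll = VendorProfile("PayrollCo", "pii", "write", "high",
                            uses_subcontractors=True)
    payroll_answers = {"access_control": 0.9, "encryption": 1.0,
                       "incident_response": 0.6, "subcontractor_flowdown": 0.2,
                       "continuity": 0.8}
    print(onboarding_decision(payroll, payroll_answers))
    catering = VendorProfile("CateringCo", "internal", "read", "low")
    print(onboarding_decision(catering, {d: 0.8 for d in DOMAIN_WEIGHTS}))
    print(reassessment_due(1, date(2020, 5, 1), date(2021, 6, 3)))
```

Two design choices matter more than the particular numbers. First, residual risk is derived from inherent risk, so a vendor with weak controls but no sensitive access scores lower than a well-controlled vendor holding PHI, which is what tiering is meant to express. Second, an unanswered domain counts as zero effectiveness and blocks approval outright, so a partially completed questionnaire can never slip through on the strength of the parts that were filled in.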

Third-Party Risk Management Policies and Practices

Implementing an effective risk control scheme for third-party providers takes time and money, whether you staff it with in-house experts or use an outside service. Daunting as it can be, adopting third-party risk management strategies and procedures brings real advantages.

The Prevalent Third-Party Risk Management Platform unifies vendor management, risk assessment, and threat monitoring to deliver a 360-degree view of risk. The platform makes it easy to onboard vendors; assess them against standardized and custom questionnaires; correlate assessments with external threat data; reveal, prioritize and report on the risk; and facilitate the remediation process.

Regardless of where you are today, Prevalent can help you build a third-party risk management program with unmatched visibility, efficiency, and scale. We’ll work with you to find a mix of managed services, network membership, and/or TPRM platform access that works best for your organization. You’ll gain a fast time to value, be equipped to make intelligence-driven decisions, and measurably reduce vendor-related risk – all with fewer headaches for you and your team. Request a demo now.

Brenda Ferraro
Vice President of Third-Party Risk

Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, service providers and data-handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to managing risk that received recognition from regulators and from multiple Information Sharing and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of third-party risk management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.
