SolarWinds Third-Party Breach: 7 Questions to Ask Your Vendors
According to a recent Ponemon study, 61% of U.S. companies said they had experienced a data breach caused by a vendor or other third party. In light of these growing threats, many regulations and frameworks now require organizations to assess and monitor suppliers and service providers for potential risks.
As businesses continue to diversify and globalize, organizations that want to focus squarely on core business functions are turning to third parties for specialized services such as web hosting, payment processing and cloud services.
In the face of growing cyber threats across this extended ecosystem, many organizations are now required to build effective third-party risk management (TPRM) programs, both to meet regulatory compliance obligations and to strengthen their IT security controls.
Only Prevalent enables you to meet compliance mandates for both assessing and monitoring the risk of your organization's vendors, suppliers and other third parties using a single, unified platform.
Design a new TPRM program, or optimize your existing program, with Prevalent Professional Services and Risk Operations Center experts.
Leverage a library of 50+ standard assessments, or build your own custom surveys, backed by fully automated workflow management.
Conduct continuous cyber and business monitoring to reveal potential vendor risks and inform prioritization and risk awareness.
Tune analysis and scoring to your organization's specific risk tolerances and other unique business requirements.
Map answers to control frameworks to measure compliance, project future risks, predict business outcomes, and gain remediation recommendations.
Communicate compliance and risk status across the vendor landscape with reports tailored to assessors, executives and other stakeholders.
Prevalent has helped us have an evidence-based methodology of third party compliance.
— Project Manager, Small Business Professional Services Company
Satisfy Assessment AND Monitoring Requirements
All of the regulations, guidelines and industry standards listed below require internal, control-based third-party risk assessments: evidence, gathered from the vendor itself, that the controls you depend on actually exist and operate. Outside-in risk scoring or ranking, which rates a vendor from externally observable signals such as exposed services, certificate hygiene and leaked credentials, can add useful risk insight, but it cannot verify internal controls and therefore does not satisfy these requirements when it is the only mechanism used to evaluate vendor risk.
Regulation, Guideline, or Industry Standard/Framework | Assessment Required | Monitoring Required
---|---|---
**Regulations** | |
CCPA | Yes |
CMMC | Yes |
EBA Guidelines on Outsourcing Arrangements | Yes |
FCA FG 16/5 | Yes |
GDPR | Yes |
HIPAA Security Rule | Yes |
OCC Bulletin 2013-29 | Yes |
OCC Bulletin 2017-21 | Yes |
NERC CIP | Yes |
NY DFS 23 NYCRR 500 | Yes |
NY SHIELD Act | Yes |
**Guidelines** | |
CSA CAIQ | Yes |
FFIEC BCP Booklet: Appendix J | Yes |
FFIEC Information Security Booklet | Yes |
**Industry Standards** | |
AICPA SOC 2 | Yes |
ISO 27001:2013 | Yes |
ISO 27002:2013 | Yes |
ISO 27018:2019(E) | Yes |
NIST CSF 1.1 | Yes |
NIST SP 800-53R4 | Yes |
PCI DSS | Yes |