What is TPRM?
Modern organizations rely on third party vendors and outsourced services for their infrastructure and software supply chain. But while these partnerships achieve operational efficiencies (e.g., better tools, reduced hardware costs), they also introduce potential data protection risk:
- Privacy angle – what kinds of personal data the system or service will utilize, how, why, and whether there may be any out-of-context uses
- Security angle – whether the third party provides a secure and trustworthy environment for personal and other company-confidential information
- Legal angle – whether data protection and service delivery is in line with applicable legal/regulatory requirements and associated contractual commitments
Involving third parties always makes it more challenging for organizations to understand their information privacy and security risk, continually monitor them, and prevent outcomes like data breaches. And if any data jeopardized contains personal or sensitive personal information, those breaches threaten individuals’ rights and livelihood and involve legal or noncompliance penalties.
But through third party risk management (TPRM) processes, your company can better protect itself and its customers.
Third-Party Risk Management Processes
When managing a third party supply chain it is critical for organizations of any size to understand and identify the risks posed to their information assets. Any weaknesses in the third party’s data protection posture will affect the organization’s ability to steward customer (or end-customer) data.
Areas requiring careful consideration include:
- The criticality of the vendor’s services to your business operations
- The necessity of the personal information – corporate or end-customer – the vendor would receive or gain access to
- Whether the data will be transferred or accessed from another jurisdiction
- Whether the vendor’s technical and organizational measures are adequate in the context of the services being provided
- Whether the vendor can commit to service level agreements that include support for privacy rights (data subject) requests and timely security incident notification (e.g., within 72 hrs)
Ideally, your organization’s third party security and privacy risk management policy will define these and other areas requiring due diligence when considering a new vendor or reviewing an existing one.
NIST Risk Management Framework
One of the leading international frameworks to adopt is the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF). NIST also publishes the Cybersecurity Framework (CSF) and the Privacy Framework (PF). Together with the RMF, the CSF and PF provide a uniform language and an interoperable methodology supporting organizational programs.
RMF follows seven steps, which we’ll dive into below to see how they apply to third party information security and data privacy management.
Step 1: Prepare
Before performing a risk management assessment, organizations need to properly position themselves. This includes:
- Identifying risk management roles and stakeholders
- Determining risk management tolerances
- Identifying and inventorying assets
Regarding third parties, organizations must also identify who facilitates communication and tasks for their partners throughout the risk assessment (and remediation processes). And for data privacy concerns in particular, they need to:
- Identify and inventory all personal information stored or processed by third parties
- Identify all applicable laws and regulations and understand their and their partners’ compliance obligations
- Determine that both parties’ privacy risk tolerances and mitigation strategies are aligned
Step 2: Categorize
The NIST RMF primarily adopts a security-focused lens, as in this second step, which categorizes each potential risk by its impact and likelihood. However, understanding the “criticality of the information being processed, stored, and transmitted” applies equally to personal data (and to the data privacy risk assessment covered further below).
Similarly, organizations need to determine the privacy implications as part of “the adverse impact of the loss of confidentiality, integrity, and availability of organizational systems and information.”
Step 3: Select
The RMF’s third step involves selecting the security and privacy controls necessary to manage risk effectively, which may itself involve additional third-party service providers (and pre-partnership risk assessments).
NIST defines these controls as:
- Security controls – Those used to protect “the confidentiality, integrity, and availability” of systems and information
- Privacy controls – “Administrative, technical, and physical safeguards employed within an organization to protect an individual, ensure compliance with applicable privacy requirements, and manage privacy risks”
Privacy controls used to mitigate third-party risk should include capabilities like a live data map and pre-processing privacy risk assessments.
Step 4: Implement
After selecting the security and privacy controls, businesses and third parties must implement, configure, and integrate them with the rest of their environments. Control implementation priorities should be set according to the categorization completed in step two.
Step 5: Assess
Once the security and privacy control implementations are operational, businesses must still evaluate them to confirm proper implementation, configuration, and ongoing performance. During this step, assessors document any issues discovered, propose remediation, and carry it out.
Step 6: Authorize
The penultimate step of NIST’s RMF focuses on accountability, requiring senior personnel to officially state that any risk associated with systems and controls is worth the beneficial outcomes of using them.
This authorization directly aligns with data privacy compliance, as similar risk assessments may be required prior to processing activities to show their benefits versus risks depending on applicable laws and regulations. Regardless of compliance obligations, performing pre-processing assessments is a best practice for any organization (especially when involving sensitive information). And similar evaluations should be performed before entering into any third-party partnership to demonstrate that the relationship’s value outweighs its risks.
Step 7: Monitor
Finally, organizations must continually monitor risks to proactively and effectively mitigate them. Continuous monitoring involves keeping up with:
- Configuration management
- Additional risk assessments for newly proposed or implemented controls
- Periodic risk assessments for existing controls
- Re-authorizations confirming that beneficial outcomes continue to outweigh risks
- Compliance with reporting requirements (e.g., forthcoming rules from the California Privacy Protection Agency)
The privacy and security controls implemented during step four should facilitate or provide continuous monitoring capabilities.
Why is TPRM Important?
Simply put, TPRM is important because you can’t address the risks you don’t know about or understand. And when your organization is legally obligated to keep individuals’ data secure, a lack of oversight can lead to severe consequences. For example, businesses subject to the CCPA must ensure that data collection and processing activities don’t exceed the scope originally disclosed to the consumer. Doing so without visibility is virtually impossible.
In addition to ongoing monitoring and compliance management, when businesses partner with third-party service providers and technology vendors, they are integrating those partners into the rest of their IT environment and infrastructure. It is sound business practice to ensure those partners are credible, adhere to the necessary privacy and security standards, and perform reliably in such critical roles.
And via TPRM processes, businesses will thoroughly evaluate their third-party partnerships ahead of any contract-signing or implementations and throughout the relationship. So, in addition to meeting compliance and ethical obligations, TPRM also helps your business make better, more informed decisions.
TPRM and Privacy Management: Complementary Practices
As discussed above, privacy risk management is inextricably intertwined with TPRM practices. Businesses are tasked with ensuring both the privacy and the security and integrity of consumer data.
For example, a fundamental aspect of TPRM is ensuring that the necessary contractual agreements have been signed and that each party understands its role and responsibilities. Per GDPR, PIPEDA, CCPA, and other comprehensive privacy laws, organizations must establish contracts with their third-party service providers detailing:
- The personal information disclosed by the business to the third party for limited and specified purposes
- Responsibilities and accountability for mishandling (or misprocessing) personal information according to the same standards the business is held to
- The business’s right to evaluate the third party’s technical and organizational safeguards (such as through annual audits)
- The third party’s obligation to notify the business if it can no longer meet its statutory or contractual obligations
- The business’s right to stop and remediate a third party’s noncompliant activities or privacy and security standards
But where do TPRM and privacy management intersect or complement each other most?
Third Party SaaS System Discovery
As noted in the first RMF step above, organizations first need to understand where the personal and sensitive information they collect from consumers is stored. Third-party partnerships significantly complicate these tracking efforts if the business doesn’t implement a dedicated solution (e.g., for automated system detection).
Third Party Vendor and System Inventorying
Organizations also need to know what and how much personal and sensitive information is stored in third-party environments and systems. Again, building that inventory starts with knowing the data’s location, but it should also include capabilities like searching for 10- and 16-digit numbers like social security and credit card numbers, respectively.
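As an added example (not code from the original post or from DataGrail’s product), here is a small discovery scanner of the kind the paragraph describes, run over a constructed vendor export. It assumes the standard 9-digit US SSN layout, applies a Luhn check so that arbitrary 16-digit runs are not reported as card numbers, and masks what it finds so the scan itself does not create another copy of the data.

```python
import re
from dataclasses import dataclass

# Constructed sample of a vendor data export (not real data): one SSN, one
# Luhn-valid test card number, and two digit runs that are NOT identifiers.
SAMPLE_RECORD = "\n".join([
    'customer_id=10482 name="J. Doe" phone=555-0100',
    'ssn=123-45-6789',
    'card=4111 1111 1111 1111 exp=12/29',
    'tracking=1234 5678 9012 3456',      # 16 digits, but fails the Luhn check
    'note="order 9876543210 shipped"',   # 10 digits, not an SSN layout
])

# Assumes the standard 9-digit US SSN layout; area 000, 666 and 9xx,
# group 00 and serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Exactly 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

@dataclass
class Finding:
    kind: str    # "ssn" or "card"
    line: int    # 1-based line number in the scanned text
    masked: str  # value with all but the last four digits masked

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str) -> list[Finding]:
    """Return PII-shaped identifiers found in text; full values are never kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("ssn", lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding("card", lineno, mask(digits)))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORD):
        print(f"line {f.line}: {f.kind} {f.masked}")
```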
Personal Data Discovery and Mapping
Taking a snapshot of where, what, and how much personal information is processed or retained by third-party service providers only helps an organization once. Ongoing TPRM still requires:
- Continuous mapping – Processing and other activities conducted by third parties may move individuals’ personal information, removing visibility once again.
- Discovery capabilities – More personal information will be disclosed to third parties over the course of partnerships. Businesses must ensure that any new data disclosed to their partners is similarly tracked and monitored.
Documenting a Third Party’s Role and Processing Activities
A business should be well-versed in its third-party partners’ roles and data processing activities. This supports:
- Thorough, pre-partnership vendor risk assessment and service provider evaluations
- Accurate privacy risk assessments and compliance reporting
- Third party performance monitoring
Conducting Privacy Risk Assessments (DPIA/PIA)
Businesses may be required to perform data privacy and information security risk assessments prior to processing activities. For example, both the CCPA and GDPR require them to demonstrate that processing outcomes outweigh any associated information risk.
If third parties are involved in those activities, the business’s determinations on the necessity and proportionality of processing, risks versus benefits, and risk mitigation strategies will involve TPRM.
Calibrating Potential Third-Party Privacy and Security Risks
Ensuring ongoing compliance with data privacy laws and regulations involves continuous calibration and monitoring. Per the CCPA, businesses hold the right to cease third-party processing services or stop and remediate them if noncompliant. Remediation may involve:
- Additional technical security controls
- Reconfigurations or customizations
- Additional contractual controls
- Adjusting to data privacy law updates, such as the CPRA’s amendment to the CCPA that enumerates consumers’ right to opt out of businesses and third parties selling or sharing their personal information
DataGrail’s Platform is Essential to Your Holistic TPRM Strategy
Regarding your business’s TPRM, security and privacy are both essential considerations to factor in when assessing partners and data processing activities. There is a plethora of cybersecurity tools that can help you with risk management, like our partner Drata’s, but the more recent emergence of data privacy laws and regulations adds new considerations that these solutions don’t necessarily account for or specialize in.
But DataGrail does. Our platform’s Live Data Map will ensure you know the storage location of all personal information collected from consumers, and its Risk Monitoring capabilities will help you perform the privacy risk assessments that become increasingly crucial to TPRM strategies and processes.
Find out more about our data privacy platform and see how it can help streamline your data privacy compliance and third-party risk management.
References
NIST. RMF Quick Start Guide: Prepare Step. https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/01-Prepare%20Step/NIST%20RMF%20Prepare%20Step-FAQs.pdf
NIST. RMF Quick Start Guide: Categorize Step. https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/02-Categorize%20Step/NIST%20RMF%20Categorize%20Step-FAQs.pdf
NIST. RMF Quick Start Guide: Select Step. https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/03-Select%20Step/NIST%20RMF%20Select%20Step-FAQs.pdf
NIST. RMF Quick Start Guide: Implement Step. https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/04-Implement%20Step/NIST%20RMF%20Implement%20Step-FAQs.pdf
NIST. RMF Quick Start Guide: Assess Step. https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/05-Assess%20Step/NIST%20RMF%20Assess%20Step-FAQs.pdf
NIST. RMF Quick Start Guide: Authorize Step. https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/06-Authorize%20Step/NIST%20RMF%20Authorize%20Step-FAQs.pdf
NIST. RMF Quick Start Guide: Monitor Step. https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/07-Monitor%20Step/NIST%20RMF%20Monitor%20Step-FAQs.pdf
California Legislative Information. 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100]. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5