The guide to third-party vendor reviews

In the cloud era, your company’s future is in your vendors’ hands. They run your mission critical software, including your customer relationship manager and email. They secure and store your data, process customer payments, and do dozens of other crucial tasks. Here’s how to conduct third-party reviews to ensure your vendors never let you down.

Why you need third-party vendor reviews

A major vendor misstep can be devastating. Here are just a few potential consequences:

• Catastrophic leaks.
• Major data loss.
• Significant downtime.
• Heavy compliance penalties.
• Ongoing legal battles.
• Loss of business.
• Permanent damage to your reputation.

You need to make sure your vendors are up to the task — particularly the ones providing mission-critical systems or handling sensitive data. You also need to make sure you understand your company’s obligations over any data you buy, process, or store for someone else.

Third-party vendor reviews enable you to assess the risks vendors pose, so you can pick the right partners and put the right controls in place. That helps you reduce risk, satisfy compliance requirements, and hold vendors accountable.

What is a third party?

Common third parties

The most common type of third-party party is any organization that provides you with products or services. Some of these third parties pose significant risks — usually because they process or store sensitive information, provide mission-critical services, or both.

Other third parties pose very little risk; think of vendors who sell office supplies or stock photos.

Vendor vetting helps ensure common third parties have controls in place that are proportional to the risk the data poses. That ensures high-risk services are provided by companies you can trust, while giving you the flexibility to prioritize other factors like cost for low-risk services.

How to conduct third-party vendor reviews

List your vendors

Before you can vet third-party vendors, you need to identify them. A good place to start is by listing the vendors behind your tech stack. Be sure to include:

• CRMs and other enterprise software.
• Cloud services providers.
• Email and messaging apps.
• Productivity suites.
• IT management and governance tools.
• Development tools.

Check in with stakeholders in different departments. Your marketing, sales, development, and other teams may have their own internal tools, which aren’t officially part of your tech stack.

Now, look at other service providers. Start with critical managed services, such as security monitoring, systems administration, IT maintenance, and development. Look at customer-facing vendors as well, such as customer support, sales processing, fulfillment, and marketing agencies. Even facilities maintenance vendors can pose a risk in some circumstances, so they need to be inventoried as well.

Prioritize vendors

Once you’ve completed your list, it’s time to identify high priority vendors. Some factors to consider include:

• Continuity risk: If the vendor had a major failure, would it put the future of your business at risk?
  
• Security and compliance risk: How severe are the consequences if a vendor suffers a breach or exposes your data to a malicious insider?
  
• Sensitive Information: Does the vendor handle personally identifiable information or other sensitive data?
  
• Scope: A CRM with thousands of customer records should probably be a higher priority than a marketing agency with information about a few clients.
  
• Compliance priorities: Does your business have particular compliance priorities or requirements that make a vendor more sensitive. For example, a hospital may have to vet their maintenance team more carefully than a manufacturer would, since U.S. health-information privacy law (HIPAA) requires physical controls. 
• Trust: While you should vet all your vendors, a new, untrusted vendor may be a higher priority than one you’ve been working with for years. 

Review contracts

Starting with your highest priority vendors, review your contracts. Look for compliance controls. Do you have SCCs and BCRs for GDPR compliance? Are there mechanisms in place to comply with CPRA right to know and right to delete?

Next, look at each vendor’s internal controls. Does your contract specify how your vendors should vet their internal team and subcontractors? Are they required to undergo regular audits? Are they mandated to report security events to you?

This is also a good opportunity to look at other factors that could affect business continuity, security, and liability. For example, do your mission-critical vendors have reasonable service level agreements in place to mitigate unplanned downtime? If there is a catastrophic event, how will the vendor make it right?

Provide questionnaires

You can’t watch over your vendors directly, so it’s crucial to make sure they have strong controls in place. Here are a few things you’ll want to ask about:

Data management

• How do they recognize sensitive data?
• How do they restrict access?
• Do they have a strong onboarding and offboarding program to ensure no one retains access who shouldn’t?
• Do they monitor data access?
• How do they comply with Data Subject Access Requests (DSARs) and other data requests?
• What is their data deletion policy, and how do they ensure it’s enforced?

Security controls

• What security controls do they have in place?
• Do they encrypt data everywhere?
• Do they have intrusion monitoring?
• How do they assess and update their own security posture?

Vetting and supervision

• How does your vendor vet their own employees and vendors?
• Do they have strong tech policies and education to limit risk?
• How do they supervise workers and third-parties to mitigate insider threats?
• How do they track vendor relationships and compliance?

Governance

• How does the vendor assess its own compliance and security processes?
• Do they undergo third-party audits like SOC 2 or ISO 27001?
• What processes do they use for reviewing security and access controls?
• What is their change management policy, and how do they ensure compliance?
• What about security issues? Do they have a mechanism in place for logging, reviewing, and mitigating incidents?

Implement a regular review process

Compliance laws and best practices are constantly changing, as are the organizations you do business with. It’s crucial to regularly check up on your vendors to make sure they’re keeping up.

Create a schedule for regular vendor reviews, and coordinate with the rest of your security and compliance team. Be sure to update your questionnaires and requirements, based on both your internal privacy program and changes in the regulatory environment.

How TerraTrue Helps

TerraTrue helps with every stage of the vendor vetting process. Our customized workflows enable you to send off to each vendor, so you can evaluate their answers before you onboard. Using magic links, your vendors can fill out questions without having to create a TerraTrue log-in, then send a colleague in to complete the remaining questions — all without losing saved progress. We also provide an out-of-the-box, open-source questionnaire, which can be easily customized to meet your company’s vetting needs.

TerraTrue also helps you identify vendors that may pose compliance risks, so you can prioritize the right vendors and ask the right questions. For example, if the software identifies a CPRA third party, you can verify that the vendor considers themselves a third party in the questionnaire, and ask what mechanisms they have in place to pass on data requests.

Consistent vendor vetting is mission-critical. Contact us to get it right.