Third Party Information Security Risk Management | Policy Template Download

(ORGANIZATION) utilizes third-party products and services to support our mission and goals. Third-party relationships carry inherent and residual risks that must be considered as part of our due care and diligence. The Third-Party Information Security Risk Management Policy contains the requirements for how (ORGANIZATION) will conduct our third-party information security due diligence.

Audience

This policy applies to all individuals who engage with a third-party on behalf of (ORGANIZATION).

Definitions

The following definitions apply only to aid the understanding of the reader of this policy:

• Employee – defined as a person who is a part-time or full-time hourly or salaried employee who is performing work for (ORGANIZATION) as an employee, and not an independent contractor. Sometimes referred to as a “W2 employee”.
• Third-party or 3 rd -party – any person or organization who provides a service or product to (ORGANIZATION) and is not an employee.
• Information Resources – any system involved in the creation, use, management, storage, and/or destruction of (ORGANIZATION) information and the information itself.
• Inherent information security risk – the information security risk related to the nature of the 3 rd -party relationship without accounting for any protections or controls. Inherent risk is sometimes referred to as “impact” and is used to classify third-party relationships as an indicator of what additional due diligence may be warranted.
• Residual information security risk – the information security risk remaining once all applicable protections and controls are accounted for.

Policy

The policy is organized into three sections; general, physical, and technical according to the precaution or requirement specified.

Assessments

• Every 3 rd -party granted access to (ORGANIZATION) Information Resources must sign the (ORGANIZATION) Third-Party Non-Disclosure Agreement and Business Associate Agreement (if applicable).
• All 3 rd -party relationships must be evaluated for inherent information security risk prior to any interaction with (ORGANIZATION) Information Resources.
• Criteria for inherent risk classifications must be established; “High”, “Medium”, and “Low”.
• All 3 rd -party relationships must be re-evaluated for inherent information security risk bi-annually and any time there is a material change in how (ORGANIZATION) utilizes the third-party product or service.
• 3 rd -party relationships with significant inherent risk (classified as “High” or “Medium”) must be evaluated for residual risk using questionnaires, publicly available information, and/or technical tools.
• Residual information security risk assessments must account for administrative, physical, and technical controls.
• Residual information security risk thresholds must be established for 3 rd -party relationships with significant inherent risk (classified as “High” or “Medium”).
• 3 rd -party relationships that do not meet established residual information security risk thresholds:
  • Must be terminated,
  • Must be formally approved by executive management following an established waiver process, and/or;
  • Changed in a manner that reduces inherent and/or residual information security risk to meet (ORGANIZATION) established thresholds.

  Management

  • 3 rd -party agreements and contracts must specify:
    • The (ORGANIZATION) information the vendor should have access to,
    • How (ORGANIZATION) information is to be protected by the 3 rd -party,
    • How (ORGANIZATION) information is to be transferred between (ORGANIZATION) and the 3 rd -party,
    • Acceptable methods for the return, destruction or disposal of (ORGANIZATION) information in the 3 rd -party’s possession at the end of the relationship/contract,
    • Minimum information security requirements,
    • Information security incident response and notification requirements,
    • Right for (ORGANIZATION) to audit 3 rd -party information security protections and controls.
    • Made available to (ORGANIZATION) IT management upon request, and
    • Must include events such as personnel changes, password changes, project milestones, deliverables, and arrival and departure times.

    Waivers

    Waivers from certain and specific policy provisions may be sought following the (ORGANIZATION) Waiver Process. There are no exceptions to any provisions noted in this policy until and unless a waiver has been granted.

    Enforcement

    This Third-Party Information Security Risk Management Policy supplements and compliments all other related information security policies, it does not supersede any such policy or vice versa. Where there are any perceived or unintended conflicts between (ORGANIZATION) policies, they must be brought to the attention of (ORGANIZATION) for immediate reconciliation.

    Personnel found to have violated any provision of this policy may be subject to sanctions up to and including removal of access rights, termination of employment, termination of contract(s), and/or related civil or criminal penalties.

    Thanks! Your download is ready.