Ensure third-party partners are aligned with your organization’s risk controls. Vendors and contractors serve as an extension of your business. They represent you and should operate under your business requirements.
All Covered Entities, which include all licensees regulated by the DFS, must have written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information accessible to or held by Third Party Service Providers (TPSPs).
The policies and procedures must include relevant guidelines for due diligence and/or contractual protections relating to TPSPs.
Regulatory requirements such as HIPAA, GLBA, ISO 27001, NIST 800-53, and numerous other standards require a risk-based third-party management program to protect the data shared with service providers and vendors.
Protect your customers: incorporate appropriate security standards into your contracts and assess your future partners’ ability to keep information secure. HALOCK can help build and manage a program specific to your environment.
VENDOR SECURITY ASSESSMENTS
HALOCK can integrate with your team to help assess your vendors’ control environments for compliance with privacy and security requirements, reporting assessment results and presenting recommendations for high-risk services to remediate potential data exposure and security breaches.
HALOCK has Strong Knowledge of:
Regulatory standards that govern Information Security practices such as HIPAA, PCI, GLBA, and state and federal privacy laws.
Information Security Risk assessment and analysis methodologies (FFIEC, NIST, etc.).
Information security standards (ISO 27000 series, NIST, etc.).
Familiarity with Supplier Management GRC systems
Pool of Qualified Security Assessors
Ability to develop executive reports and deliver presentations to executives
THIRD PARTY PROGRAM ASSESSMENTS
HALOCK maps the current vendor management processes to industry standards and proven risk management frameworks. Although HALOCK evaluates the program against the highest maturity model, the goal of the assessment is to develop a portfolio of reasonable recommendations and controls that align heightened standards with the organization’s mission and compliance requirements. Working with risk management stakeholders, the assessment focuses on:
Roles and responsibilities within the risk management program
Workflow reviews of vendor onboarding, oversight and termination
Organization’s approach to assigning the inherent risk of third-party relationships
Vendor risk tier definitions
Vendor assessment process
Current policies and framework
DELIVERABLES & ARTIFACTS
CONTRACTUAL SECURITY LANGUAGE
PROGRAM FLOW CHARTS
INHERENT RISK CRITERIA
VENDOR RISK ANALYST CRITERIA
PRE-ASSESSMENT SCOPING WORKSHEETS
VENDOR ASSESSMENT PLANNING
SECURITY QUESTIONNAIRES
DOCUMENT REQUEST LIST