How to Get Legal, Procurement, and Business Units Onboard with Security

Published by Sabrina Pagnotta on November 15, 2021
Legal, Procurement and business owners are often focused on their own objectives during vendor onboarding and might not realize the necessity of having security in the room. With new tools that are easy to sign up for and install, employees may engage a third party without involving security teams at all, or only at the very end of the process. However, performing a security assessment before contracting a new third party is key to minimizing risk down the road.

Here are a few tips on making these groups aware of, and onboard with, a security assessment.

What’s the role of security in the vendor onboarding and selection process?

The security team has the technical expertise to detect potential security threats around a new relationship. They need a clear understanding of which systems and which data the vendor or third party will have access to, and at what level of access. They also need to ensure the third party has the right precautions in place, such as system configurations or policies, so that your data and your customers’ data is handled properly.

Under new regulations, data mapping has become a major control: companies need to understand where data resides and who it is being shared with. The security team’s expertise determines whether there is enough confidence to engage in the relationship.

Therefore, it’s important that security gets ahead of any contract signing to make sure the third party is taking the necessary steps to keep data secure. Areas such as encryption, database configuration and patching cadence are for the experts to verify are in place.

What happens if security is not involved upfront?

If the business owner or someone else from the company signs a contract before the security team has performed their review, they’re putting the company at risk.

They would be moving forward with a third party that is going to have access to sensitive data without the necessary checks. If that third party is breached and the sensitive data is leaked, and it was something the security team could have caught, that’s a huge risk for the company.

A Joint Vendor Onboarding Process

When legal, procurement and business owners join efforts and work together with security from the beginning, the process looks something like this:

New Third-Party Onboarding Process

Stakeholders: Information Security, Legal, Procurement, Business Owner.

  1. The business owner needs to buy a new tool and sources a few options.
  2. The business owner receives the third-party contract and brings it to Legal, Security and Procurement.
  3. Legal reviews the contracting language, Security performs the assessment, and Procurement assesses the business health.
  4. Security identifies potential issues and approves, conditionally approves or denies the third party. Procurement suggests better terms for the contract.
  5. Legal adds the necessary language to the contract based on the Security and Procurement assessments.
  6. Negotiation happens between the business and the third party.
  7. The contract gets signed.

How to communicate the value of Security to each group?

Legal

Legal’s role in TPRM is to write language into the contract to make sure standards and controls are upheld through the life of the third-party relationship. This includes right to audit, compliance, business continuity, remediation and other contractual agreements that will protect the organization and prevent cyber, legal, financial and reputation risk.

Involving Legal is beneficial because they strive for greater efficiency, a line of sight into risks, and strong data control practices.

Tip: Communicate to Legal that an inherent risk model will be used to assess the risk of the relationship, in order to produce a risk level that determines the appropriate level of assurance. Resources can then be allocated efficiently to apply the appropriate level of scrutiny.

Procurement

Procurement focuses on obtaining key resources for the organization in line with the business goals, and on improving their quality and the terms around them. If the business owner is interested in a new TPRM tool, Procurement will help them get the best tool available according to the business-specific requirements.

Tip: Communicate to Procurement that the potential new TPRM tool will be a key resource to meet the business goals around cybersecurity and compliance.

Business Owner

The business owner is the one who detected a need within their team and wants to purchase a new tool to help with it. It’s in their best interest to ensure that the product has the best security given the risk of the data being handled. If there’s an attempt to exfiltrate data from the third party, the business owner wants to be assured they’ve taken the necessary precautions to protect their data.

Tip: Communicate to the business owner that the operational success of the new tool could be jeopardized if it brings a new risk to the organization. That is all the more reason to include Security upfront to assess the new third party.
