TrustArc Webinar - How to Build a Vendor Risk Management Program

TrustArc 396 views 12 slides Aug 13, 2024

About This Presentation

Developing a robust vendor risk management program is critical for safeguarding your organization against potential threats arising from third-party relationships. In an era where businesses increasingly rely on external vendors to deliver essential services, understanding and managing the associate...


Slide Content

© 2024 TrustArc Inc. Proprietary and Confidential Information.
How to Build a Vendor Risk Management Program

Legal Disclaimer
The information provided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.

Speakers
Cathleen Doyel
Deputy General Counsel
TrustArc
Whitney Schneider-White
Associate
BakerHostetler

Why Implement a Vendor Risk Management Program?
● Data flow management
● Data breach risk mitigation
● Regulator oversight
● Privacy compliance

Vendor Management Program
● A strategic process for selecting, managing, and evaluating suppliers that provide goods and services to an organization.

● Can help to optimize the following across the supply chain:
○ Costs
○ Quality
○ Performance
○ Risk

Step 1: Assess Needs
● A chance to look inward at your organization and think about what you need
● Some questions:
○ What does your organization need from its suppliers?
○ What is available in the marketplace?
■ Can you leverage a tool you already have?
■ Do you need a new vendor?
○ What is your budget?
○ Department specific? Cross functional?
○ Timeline?
○ Risk tolerance?

Step 2: Vendor Selection
● Request for Proposal (RFP)
○ Used by organizations to gather information about vendors, prioritize them, and classify them.
○ Ensure that vendors are qualified, have a good relationship with your organization, and will stay around for a reasonable period of time.

● Due Diligence
○ Consider why the vendor is needed (e.g., can an existing vendor provide the needed services)
○ Understand what information the vendor will access and process
○ Evaluate the security and safeguarding procedures the vendor has in place and the vendor’s ability to comply with legal requirements

Step 3: Contract Negotiation
● Design and negotiate contracts that are detailed enough to define the rights and responsibilities of both parties and resolve any issues that may arise during the contract’s life.
○ Services Agreement (MSA, SSA, etc.)
○ DPA?
■ Controller or processor
■ Applicable laws
○ Security Addendum?
○ BAA?
● Your paper vs. vendor’s paper?
● Artificial intelligence considerations

Step 4: Ongoing Evaluation and Performance Management
● Annual Assessment
○ Best practice: Use a vendor scorecard to evaluate performance.
■ Can help determine whether a vendor is meeting your standards
○ Tools include audits, controls testing, and review of the vendor’s compliance reports
● Regular Communication
○ Best practice: Schedule meetings at regular intervals to discuss performance with vendors during the course of the engagement rather than waiting to discuss performance issues at renewal
○ Consistently communicate your requirements, goals, and expectations to vendors to create and maintain a positive and productive relationship
● Risk-based management
○ Types of data being processed
○ Connections to systems
○ Length of contract

Step 5: Vendor Termination
● Develop a defined termination process that takes into account the transition of services to a new vendor and disposal of information by the terminated vendor

● Establish data retention and destruction processes

● Revoke access rights, information system connections, and other controls

Management of Existing Vendors
● Review existing vendor engagements to understand:
○ What relationships are in place
○ The services provided
○ The types of information that vendors process
○ How information is transferred (e.g., APIs)
● Incorporate existing vendors into the management program
● Review contracts and update as needed

Thank You!