Third Party Vendor Risk: Regulatory Drivers
The following table lists some of the major regulatory and security frameworks that specifically require vendor risk management or third-party vendor assessments. Typically these controls fall into three categories: (1) proactive risk assessment, (2) contracts and (3) monitoring.
| Regulation/Framework | Industry/Country | Control Requirement |
|---|---|---|
| Payment Card Industry Data Security Standard (PCI DSS) | Financial / Credit Card Processing | Requirement 12.4.1 (additional requirement for service providers only): Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program. |
| ISO/IEC 27001:2013, 15.1 Information security in supplier relationships | Security Framework | The organization should identify and mandate information security controls to specifically address supplier access to the organization's information in a policy. |
| HIPAA (Health Insurance Portability and Accountability Act) with HITECH Security Final Rule | Healthcare (U.S.) | HIPAA: Business Associate Contracts and Other Arrangements, 164.308(b)(1). HITECH makes Business Associates responsible for HIPAA security and privacy. |
| US Cybersecurity Framework (CSF), Detect (DE) | US, All Sectors / Critical Infrastructure | DE.CM-6: External service providers are monitored. |
| Gramm-Leach-Bliley Act (GLBA) Title V; FFIEC Security Handbook, Service Provider Oversight | US, Financial Services | FFIEC Guidebook: Financial institutions should exercise their security responsibilities for outsourced operations through [] appropriate due diligence in service provider research and selection. |
| Final Federal Acquisition Regulation (DFAR): Basic Safeguarding of Covered Contractor Information Systems; The Cybersecurity Act of 2015 | Federal Government (U.S.) | Federal Acquisition Regulation (FAR) "for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information." |