Third Party Vendor Risk: Regulatory Drivers

In the following table are some of the major regulatory and/or security frameworks that specifically require vendor risk management or third party vendor assessments. Typically these controls fall into three categories: (1) Proactive Risk Assessment, (2) Contracts and (3) Monitoring.

| Regulation/Framework | Industry/Country | Control Requirement |
|---|---|---|
| Payment Card Industry Data Security Standard (PCI DSS) | Financial / Credit Card Processing | Requirement 12.4.1 (additional requirement for service providers only): Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program. |
| ISO/IEC 27001:2013, 15.1 Information security in supplier relationships | Security Framework | The organization should identify and mandate information security controls to specifically address supplier access to the organization's information in a policy. |
| HIPAA (Health Insurance Portability and Accountability Act) with HITECH, Security Final Rule | Healthcare (U.S.) | HIPAA: Business Associate Contracts and Other Arrangements, 164.308(b)(1). HITECH makes Business Associates responsible for HIPAA security and privacy. |
| US Cyber Security Framework (CSF), Detect (DE) | US – All Sectors, Critical Infrastructure | DE.CM-6: External service providers are monitored. |
| Gramm-Leach-Bliley Act (GLBA) Title V; FFIEC Security Handbook, SP – Service Provider Oversight | US – Financial Services | FFIEC Guidebook: Financial institutions should exercise their security responsibilities for outsourced operations through [...] appropriate due diligence in service provider research and selection. |
| Final Federal Acquisition Regulation (DFAR): Basic Safeguarding of Covered Contractor Information Systems; The Cybersecurity Act of 2015 | Federal Government (U.S.) | Federal Acquisition Regulation (FAR) "for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information." |