Many of the participants in this roundtable had third-party security measures in place, which gave the group an excellent opportunity to discuss the areas in which they succeed and those in which they struggle. They discussed how to set up a third-party security program, and one of the first steps is naturally deciding what data the third party will be given access to. The participants had a variety of ways of sectioning off this data, including a tiered access program. From there, each organization structures its third-party security assessments around this data access system. Many companies send questionnaires to each vendor to complete, and evaluate each vendor’s certifications as well. But overall, third-party security seems tailored to each company’s relationship, data structure, and assessment methods.
The group also noted that being actively engaged with your third parties is crucial to a secure relationship. Even connecting with your third party’s own security team opens lines of communication and visibility that encourage tighter security. Being involved in all their activity and maintaining ongoing monitoring of that activity can give your team a much wider view of their work related to your company and enable your team to monitor the relationship more directly.