Many organizations rely on vendors to perform all kinds of services, which can help reduce overall costs and administrative burdens. But when you no longer control all of your data or when you provide third parties access to your systems, it inevitably increases your exposure to data privacy and security risks. You need to ensure that your vendors have the appropriate security and privacy protections in place, so that when you entrust your data to them, you and they continue to meet your legal and regulatory obligations to keep that data secure.
This module provides resources to assist in conducting due diligence on your vendors, negotiating and contracting with them, and managing risk in ongoing vendor relationships. In Module Two, you assessed the different types of data your organization possesses and classified the data according to its sensitivity and the obligations you have to protect it. That work will help you as you develop your general criteria for assessing vendors, based on size, reputation, and other factors, as well as your criteria specific to the data types you hold. The Vendor Security Alliance questionnaires may provide a useful range of questions to think about as you determine your criteria. The Contract Negotiation Guide provides guidance on how you can incorporate the protections you've determined you need into your vendor agreements.
The Vendor Security Alliance also provides two useful vendor questionnaires for download.
If you'd like to retain legal counsel to assist in developing your data privacy and security program, contact us for an introduction to one of our panel counsel firms.
