THRD-01

Do you perform security assessments of third-party companies with which you share data (e.g., hosting providers, cloud services, PaaS, IaaS, SaaS)?

Explanation

This question is asking whether your organization conducts security assessments of third-party vendors that have access to your data. These third parties could include cloud hosting providers (like AWS or Azure), software-as-a-service providers (like Salesforce or Workday), or any other external entity that processes, stores, or transmits your data.

Why this matters: When you share data with third parties, your security is only as strong as the weakest link in your supply chain. A security breach at a third-party vendor could compromise your data even if your own security controls are robust. This is known as supply chain risk.

The question is being asked to determine if you have a vendor risk management program that includes security due diligence before sharing data with external parties, and ongoing monitoring of those vendors' security postures. This helps assessors understand if you're taking appropriate steps to protect data throughout its lifecycle, even when it leaves your direct control.

A good answer should include:

1. Whether you perform security assessments of third parties
2. What your assessment process looks like (questionnaires, documentation review, penetration testing, etc.)
3. How often you conduct these assessments (initially and recurring)
4. How you categorize vendors based on risk
5. What standards or frameworks you use to assess vendors (e.g., SOC 2, ISO 27001, NIST CSF)

Example Responses

Example Response 1

Yes, we maintain a formal third-party risk management program that includes security assessments of all vendors who access, process, or store our data. Our process begins with a risk categorization of each vendor based on the type of data they handle and their role in our operations. High-risk vendors complete our comprehensive security questionnaire (based on NIST CSF and ISO 27001) and must provide recent audit reports (SOC 2 Type II, ISO 27001, etc.). For critical vendors, we conduct annual reassessments and require notification of security incidents. We also perform periodic validation testing for our highest-risk vendors, including review of vulnerability scan results. All vendor relationships are governed by contracts with security requirements appropriate to their risk level.

Example Response 2

Yes, our organization conducts security assessments of all third-party providers with whom we share data. We use a tiered approach based on data sensitivity and vendor criticality. For Tier 1 vendors (those handling sensitive data or providing critical services), we require completion of a detailed security questionnaire, review their SOC 2 Type II reports, and conduct annual reassessments. For Tier 2 vendors, we review their security documentation and certifications. For Tier 3 vendors (minimal risk), we require acceptance of our security requirements via contract. We maintain a vendor management database that tracks assessment dates, findings, remediation plans, and contractual security obligations. Our legal team ensures appropriate data protection addenda are included in all contracts.

Example Response 3

No, we currently do not perform formal security assessments of our third-party vendors. We rely on contractual obligations and industry reputation when selecting vendors. While we do include security and data protection clauses in our contracts, we don't have a structured program to verify compliance or assess security controls before sharing data. We recognize this is a gap in our security program, and we're developing a vendor risk management process that we plan to implement in the next quarter. Our initial focus will be on assessing our current cloud service providers and SaaS applications that process sensitive data, followed by implementing a standardized assessment process for all new vendors.

Context

Tab: Organization
Category: Assessment of Third Parties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub