CIOReview, January 2025 (page 9)

Perform comprehensive vetting and continuous monitoring of high-risk providers.

Third-party arrangements involving large amounts of sensitive data should be considered high risk and, therefore, be subject to a high level of review and scrutiny regarding their information security practices, both prior to contract signature and post-contract signature through regular review and monitoring. Require your third parties to provide independent audit reports such as SOC or SIG, or certifications such as ISO or PCI-DSS. Proof of regular vulnerability scanning and penetration testing can also provide assurance that your third parties are maintaining a high level of security. Ongoing security monitoring of your third party's web presence through tools and services such as BitSight™, SecurityScorecard™, RiskRecon™, and others is highly useful in assessing your third party's security posture.

Consider reducing the attack surface by limiting the data types, volume, and retention of sensitive data.

When entering into third-party or cloud provider arrangements, apply the principle of least privilege to data sharing. Share only the minimum amounts or types of data the third party requires. Consider whether such highly sensitive data elements as social security number, name, address, date of birth, etc., are actually required, or whether these fields can be tokenized with unique values that still enable the functionality of the service but reduce or eliminate the threat of identity theft if exposed in a data breach. If highly sensitive data must be shared, use encryption in transit and at rest, and enforce retention policies that purge data as soon as the third party no longer needs it.
Monitor file transfers and application programming interfaces (APIs) where data sharing occurs to ensure that only the expected and approved data types and volume of data are shared.

Hold third-party cloud providers accountable through contractual obligations.

Contracts, terms and conditions, master service agreements, etc., are written by the third party and presented to you for your review and signature before services begin. When such arrangements involve the sharing of sensitive data, a detailed review from your legal team can help identify potential issues with data security and privacy. If issues of service performance or data breach occur during the term of the agreement, the parties (and the courts, if disputes arise) will look to the terms and conditions of all signed agreements to determine each party's obligations. A fair and equitable agreement should protect both parties equally and never allow one party or the other to avoid responsibility for breaches of data security and privacy. An essential element of any third-party or cloud provider arrangement is an incident response clause that identifies the third party's obligations in responding to cybersecurity incidents. Such clauses should include a timeframe for notification of the affected party, as well as the general steps the third party will take to investigate and mitigate cybersecurity incidents.

Third-party and cloud provider arrangements enable many benefits. However, organizations need to be fully aware of the risks they can pose, particularly regarding data security and privacy. These issues can be further complicated when considering "fourth party" arrangements: arrangements between your third party and one or more of its own third parties. Being fully aware of and properly managing third-party risk can help avoid or reduce the impact of data breaches involving your cloud service providers.
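The data-minimization advice above (share only approved fields, tokenize direct identifiers, and check outbound transfers for unexpected data types and volume) can be enforced mechanically at the export boundary. The following is an added illustration, not code from CIOReview or from any of the vendors named in the article; the policy values, field names, and sample records are constructed for the example, and the vault-style tokenization is one common approach, not the only one.

```python
"""Least-privilege data sharing for a third-party export: field allowlist,
tokenization of direct identifiers, and a volume check before release.
Added illustration with constructed policy and sample data."""
import re
import secrets

# Constructed policy for one hypothetical third-party arrangement.
EXPORT_POLICY = {
    "allowed_fields": {"customer_id", "email_domain", "zip3", "plan"},
    "tokenize_fields": {"customer_id"},  # shared as a token, never as the raw value
    "max_records_per_batch": 3,          # volume ceiling agreed with the third party
}

# Patterns for direct identifiers that must never leave the organization in clear text.
DIRECT_IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}


class TokenVault:
    """Vault-style tokenization: the third party receives a random token, and the
    token-to-value map stays in-house, so a breach on their side exposes no identity."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, value):
        # Deterministic per value so the third party can still join records across batches.
        if value not in self._token_for:
            token = "tok_" + secrets.token_hex(8)
            self._token_for[value] = token
            self._value_for[token] = value
        return self._token_for[value]

    def detokenize(self, token):
        # Only the data owner, holding the vault, can map a token back to the value.
        return self._value_for[token]


def minimize(record, policy, vault):
    """Return (shared_record, dropped_fields): only approved fields leave, and
    fields marked for tokenization are replaced with vault tokens."""
    shared, dropped = {}, []
    for field, value in record.items():
        if field not in policy["allowed_fields"]:
            dropped.append(field)
            continue
        shared[field] = vault.tokenize(value) if field in policy["tokenize_fields"] else value
    return shared, dropped


def prepare_batch(records, policy, vault):
    """Apply minimization to a batch and enforce the agreed volume ceiling."""
    limit = policy["max_records_per_batch"]
    if len(records) > limit:
        raise ValueError(f"batch of {len(records)} exceeds agreed maximum of {limit}")
    return [minimize(r, policy, vault)[0] for r in records]


def audit_batch(batch, policy):
    """Outbound check at the file-transfer or API boundary: flag unapproved fields,
    clear-text direct identifiers, and over-volume batches. Returns a list of findings."""
    findings = []
    if len(batch) > policy["max_records_per_batch"]:
        findings.append(f"volume: {len(batch)} records > {policy['max_records_per_batch']}")
    for i, rec in enumerate(batch):
        for field, value in rec.items():
            if field not in policy["allowed_fields"]:
                findings.append(f"record {i}: unapproved field {field!r}")
            for kind, pattern in DIRECT_IDENTIFIER_PATTERNS.items():
                if isinstance(value, str) and pattern.match(value):
                    findings.append(f"record {i}: clear-text {kind} in field {field!r}")
    return findings


# Constructed sample records; all values are fictitious.
RAW_RECORDS = [
    {"customer_id": "C-1001", "ssn": "123-45-6789", "name": "A. Example",
     "email_domain": "example.com", "zip3": "021", "plan": "gold"},
    {"customer_id": "C-1002", "ssn": "987-65-4321", "name": "B. Example",
     "email_domain": "example.org", "zip3": "941", "plan": "basic"},
]

if __name__ == "__main__":
    vault = TokenVault()
    batch = prepare_batch(RAW_RECORDS, EXPORT_POLICY, vault)
    print(batch)                              # tokens in place of customer ids; no ssn or name
    print(audit_batch(batch, EXPORT_POLICY))  # [] means cleared for transfer
    leaky = [dict(batch[0], ssn="123-45-6789")]
    print(audit_batch(leaky, EXPORT_POLICY))  # flags the unapproved clear-text SSN
```

The `audit_batch` check is deliberately separate from `prepare_batch`: the first runs inside the export pipeline, the second sits at the transfer or API gateway and looks only at what is actually leaving, so a pipeline bug that reintroduces a raw identifier is still caught before it reaches the third party.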