Vendors are a common element of today's business environment. Outsourcing services and processes to vendors provides flexibility, convenience and cost savings. However, these outsourcing arrangements are not without added risk. Data breaches stemming from third parties have been increasing year over year, and when identities are stolen or sensitive information is exposed, your customers will not care that it was a vendor's fault. Regulators and examiners have taken note as well, as can be seen in recent legislation and guidance related to managing third parties. According to the Federal Deposit Insurance Corporation's (FDIC) Guidance for Managing Third-Party Risk, "An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution." In other words, the activity can be outsourced, but the risk cannot.
Why is this important? Many organizations continue to outsource critical activities and fail to recognize the risks that arise from those relationships. Whether they outsource certain information technology operations, the processing and storage of sensitive data, or simple marketing, legal or HR services, sensitive or proprietary information is often shared with third parties without first assessing the security controls within the receiving organization. For this reason, third-party risk management is critical to managing risk across the enterprise. To gain assurance over activities performed by third parties, organizations should implement sound third-party risk management practices.
When it comes to guidance, there are many good options. There are numerous compliance-based guides that may apply depending on the industry you are in. For example, for our clients in the banking industry, the FDIC guidance mentioned above comes to mind. At Schneider Downs, we are a member firm of the Shared Assessments Program, which provides widely adopted vendor risk management tools and resources that enterprise organizations use to evaluate and measure vendor risk. These tools are industry agnostic and provide third-party risk management best practices regardless of the industry you may be in.
No matter what framework or guidance you plan to adopt, the same key recommendations apply.
Due diligence and third-party selection - Conduct reviews of third parties prior to signing contracts, and annually thereafter. To assist with this review, obtain and review independent reports, such as SOC 1 and SOC 2 reports, to confirm that the third party adheres to industry standards. When reading such a report, check that its scope actually covers the service you are consuming, that the coverage period is current (a Type I report only attests to control design at a point in time, whereas a Type II report covers operating effectiveness over a period), and review any exceptions noted by the auditor and the complementary user-entity controls the report expects you to operate. In the absence of these reports, use an industry-adopted best practice such as the Standardized Information Gathering (SIG) questionnaire.
Contract negotiation - Develop contracts with third parties that clearly outline the responsibilities of each party. Contracts should be reviewed periodically, on a schedule set out in the contract itself, to ensure that they address current third-party risks. Contracts should also include a "right to audit" clause, and should spell out the third party's data protection obligations, the timeline for notifying you of a security incident, and whether and under what conditions the third party may subcontract the work.
Ongoing monitoring - Perform IT and operational assessments of third parties' internal controls on a regular basis to ensure that third parties have appropriate controls in place for protecting sensitive and proprietary information. Continuous review is necessary to understand the most current level of risk for each vendor.
Termination - Develop contingency plans for transferring activities to another third party, bringing the activity in-house, or eliminating the activity (and the associated data) entirely. Whichever path is taken, confirm that the third party returns or destroys your data at the end of the relationship and that its access to your systems is revoked.
In addition to the activities above, organizations should assign responsibility for third-party management to appropriate members of the organization who have sufficient knowledge of the enterprise risk management process and of the nature of the third-party relationships. Standardized documentation and reporting procedures should be implemented to ensure that third-party management activities are being performed and reported on appropriately. Finally, organizations should perform independent reviews of their third-party management programs to ensure that third-party risk management activities are aligned with the enterprise-wide risk program, that they meet industry-recommended best practices, and that they effectively manage the risk posed by third parties.
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we are particularly interested in what you have to say. If you have a question or a comment about this article, or any article from the Our Thoughts On blog, we hope you'll share it with us. After all, a dialogue is an exchange of ideas, and we'd like to hear from you. Email us at [email protected].
The material discussed is meant for general informational purposes only and is not to be construed as investment, tax or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon only when coordinated with individual professional advice.