Partner risk management

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

• the data used by the supplier (and possible data classification) and staff receiving access to data
• rules on the acceptable use of data
• confidentiality requirements for data processing staff
• parties responsibilities in meeting regulatory requirements
• parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
• reporting and correcting incidents
• requirements for the use of subcontractors
• allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
• a commitment to return or destroy data at the end of the contract
• the supplier's responsibility to comply with organization's security guidelines

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

A responsible person has been appointed for the provider companies, who monitors the provider's activities, communications and compliance with the contract.

Responsible person must have sufficient skills to analyze cyber security requirements depending on the criticality of the provider. Responsible person also ensures that the provider appoints an own responsible person to ensure compliance with the contract and facilitate cooperation.

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

• monitoring the promised service level
• reviewing supplier reports and arranging follow-up meetings
• regular organization of independent audits
• follow-up of problems identified in audits
• more detailed investigation of security incidents and review of related documentation
• review of the supplier's future plans (related to maintaining the service level)

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

The organization must obtain confidentiality commitments:

• from vendors
• business partners

Furthermore, privacy commitments must be obtained:

• in addition to obtaining commitments from sellers
• business partners

the organization must assess:

• compliance with data protection commitments of sellers and business partners
• compliance with confidentiality obligations of sellers and business partners

The organization must take into account the risks caused by partners when managing information security risks. If necessary, separate theme-specific risk assessments can be made for critical partners.

The responsible person monitors significant changes in the supplier's operations that may affect the supplier relationship and service level, and thus require other measures. The following aspects are taken into account:

• direct changes to supplier agreements
• service content improvements, new technologies or the development of new services
• significant changes in operating methods (either related to cyber security or other activities)
• changes in the physical location of the data
• changes in the supply chain / subcontracting process