Secure360

3 steps to ensure vendor privacy practice compliance

April 3, 2013 by Ben Tomhave

Managing third parties can be a challenge, especially when it comes to privacy practices. How stringent your organization’s privacy practices must be will vary by industry vertical, but it is not a far stretch to assume that no company wants to be known for mishandling customer data. How, then, can you ensure that your vendors are meeting your expectations for the safe handling of data in conformance with your approved privacy practices?

Step 1: Communicate

Requirements for privacy practices must be clearly communicated. If possible, include these requirements in the contract to ensure a higher likelihood of conformance. If the vendor won’t agree to additional contractual terms, then use another formal method of communication, such as a memorandum of understanding, or at least a formal memo with a read receipt or written acknowledgement. Your organization’s reputation is on the line, so it needs to take reasonable measures to protect itself against reputational harm from inadequate privacy protections. It is not unreasonable to formally communicate these expectations to your vendors, and doing so is a prerequisite for enforcement: you cannot hold a vendor to a requirement you never documented.

Step 2: Audit

You have clearly communicated the expected level of performance. Maybe you were able to bake the terms into the contract, or maybe they have only been stated. In either case, it is then important to follow up and verify that the vendor’s actual practices align with your expectations. Auditing policies and practices lets your vendor know that you take these terms seriously, and it provides a mechanism for detecting a failure to comply. In most cases, issuing assessment questionnaires to the vendor on a regular basis will be sufficient, but spot-checking beyond questionnaires and written policies is also important for confirming that the vendor actually does what it claims.

Step 3: Enforce

Is your vendor failing to meet expectations? Hold them accountable. If the requirements were included as terms in the contract, then there is potentially cause for pursuing a breach-of-contract claim. If the requirements were simply communicated but not contractually agreed to, then it may be time to shop for a new vendor. Or, maybe your organization will decide that the vendor’s services are more important than the requirements, at which point the privacy practice should be revised to reflect the actual priorities of the business rather than left as an unenforced rule. In all cases, however, it is imperative to be consistent and clear with enforcement and accountability. The entire program should be executed in alignment with the enterprise risk management program to ensure that all risk factors are properly accounted for, and to make sure that decisions and requirements properly conform to the needs and priorities of the business.

Filed Under: Guest Posts, Business Continuity Management

About Ben Tomhave

Ben Tomhave, MS, CISSP, helps global enterprises, SMBs and service partners unlock the real promise of integrated governance, risk and compliance in his current role as Principal Consultant for LockPath, a market-changing GRC software company. A distinguished author and experienced speaker, he currently serves on the board of the Society of Information Risk Analysts and as co-chair of the ABA InfoSec Committee. He is also a member of ISSA and the IEEE Computer Society, and earned an MS in Engineering Management from The George Washington University with an InfoSec Management concentration.
