The organization establishes third-party contracts to align interests, enforce restrictions on where information may be processed and stored, and protect systems and data. The program involves regularly identifying, reviewing, and documenting confidentiality agreements, non-disclosure agreements (NDAs), and other contracts, and defining personnel security requirements, roles, and responsibilities for third-party providers.
A comprehensive program for managing third-party service providers is in place, ensuring vendors meet the organization’s cybersecurity and privacy requirements. This includes conducting due diligence procedures, establishing contractual provisions, and implementing ongoing monitoring and oversight to ensure compliance with security standards and privacy policies.
The organization conducts third-party risk assessments to evaluate and manage the risks of engaging third-party vendors or suppliers. These assessments identify and mitigate potential risks such as data breaches, compliance violations, and business disruptions by evaluating the third party's security posture, regulatory compliance, financial stability, and reputation.