WorkAxle Trust Center

Below is a list of all related controls for this domain. A status of green means compliant, yellow means partially compliant, and red means non-compliant.

A comprehensive third-party management methodology is followed to oversee external parties with access to systems, applications, or data

A documented methodology guides the oversight of third parties with access to systems, applications, or data. It supports security, privacy, and compliance through structured processes for access control, contracting, due diligence, monitoring, procurement, and communication.

Implementation may include:

Restricting access to authorized users with safeguards like multi-factor authentication and privileged access controls
Establishing contracts that reflect security and privacy requirements, including handling of standard or negotiated terms
Performing risk assessments and due diligence before onboarding and throughout the relationship
Verifying software and data integrity from third-party sources and maintaining an approved vendor list
Keeping a current inventory of all third-party relationships
Maintaining clear communication channels with suppliers and key partners

Procedures are established to securely manage third-party remote access, ensuring that external suppliers, partners, or contractors can connect to the organization’s systems and networks as needed for collaboration, support, or service delivery

The process encompasses granting, monitoring, and disabling remote access to safeguard the organization's critical assets and prevent unauthorized activities.

Key components include:

Access Granting Procedures: Define strict guidelines for granting remote access, ensuring it is limited to authorized individuals and necessary systems. Use secure methods such as multi-factor authentication (MFA) and role-based access controls (RBAC) to restrict access to only the resources required for the third party’s role or task.
Continuous Monitoring: Implement real-time monitoring of third-party remote access to detect any unauthorized activities or unusual behavior. Log and audit remote access sessions to ensure accountability and allow for detailed review in case of security incidents.
Access Disabling: Establish clear processes for disabling remote access when it is no longer required, such as after contract termination, project completion, or personnel changes at the third-party organization. Automated revocation procedures can be used to ensure timely deactivation of credentials.

These procedures ensure secure, controlled remote access to protect organizational assets while maintaining flexibility in working with third parties.

Third-party risk assessments are conducted to evaluate and manage potential risks before and during the engagement of suppliers, or other external partners

These assessments are designed to identify vulnerabilities such as data breaches, compliance violations, and operational disruptions by reviewing the third party’s security posture, regulatory compliance, financial stability, and overall reputation.

Key elements of the assessment process include:

Security Evaluation: Assess the third party’s security controls, such as their use of encryption, access controls, and incident response capabilities, to ensure that they align with the organization’s security requirements.
Regulatory Compliance: Review the third party’s adherence to relevant industry regulations and legal obligations, such as data protection laws (e.g., GDPR, CCPA) and sector-specific compliance requirements.
Financial Stability: Evaluate the third party’s financial health to ensure that they are financially stable and capable of delivering their services without disruption.
Reputation and History: Consider the third party’s reputation, including their history of past security incidents, public breaches, or legal disputes, to gauge their reliability and trustworthiness.
Risk Mitigation Plans: Based on the findings, develop and implement risk mitigation strategies such as contractual provisions, insurance requirements, or enhanced security measures to address identified risks.

These assessments are conducted both before onboarding a third-party supplier and periodically throughout the engagement to ensure ongoing compliance and risk management. By identifying and addressing potential risks early, the organization minimizes the likelihood of business disruptions or data breaches caused by third-party relationships.