Set your very own professionally stringent qualification criteria well in advance for the third and fourth parties through pre-onboarding.

Guarding you right at the doorstep

When it comes to Third Party Risk Management (TPRM), evaluating your risk right at the entry-level becomes crucial, understanding the inherent risk at the get-go enables leaders to consciously take risk-informed decisions thus reducing inherent risk. Selecting Third Parties with sub-optimal security standards increases the time and effort to perform Due Diligence. Defentrix is your one-point source for complete TPRM solution which covers Third Party pre-onboarding activities professionally covering stringent processes and customized qualification criteria. As per your need, we tailor pre-onboarding services whether it’s a complete or standalone solution.

Quick evaluation of shortlisted Third Parties against your security standard as part of pre-onboarding criteria

Analyze Inherent Risk to evaluate and gauge their security governance standards and determine risks that Third Party brings to your organization.

Classify in respective Tiers based on Risk exposure and impact, especially with Third parties that manage regulated data

Common Challenges Faced by the Businesses

Companies often face the challenge to successfully vet the qualifying security criteria without an accurate initial assessment, be it evaluating a handful of Third Parties to meet a business requirement or solve a business challenge. Thus, running into multiple risks at a later stage which increases TAT for successful onboarding. Pre-onboarding exercise helps in identifying those Third Parties which meet your baseline for security standards thus saving time and energy chasing Third Parties for remediation.

What we do for you in the TPRM Pre-Onboarding Phase

Capture key details on prospective Third Parties and evaluate them from a security governance standpoint

Key details about the Third Party (Region, Offerings, Products/Services) – it must be noted that certain “Notified” countries will be inherently High risk (such as Cuba, Iran, Russia etc.)

  • Data Exposure, Technology & Integration (On-premise/Cloud)
  • Compliance to applicable security, privacy, health, financial regulations, local and federal laws
  • Review security documentation – ISO certification (e.g. 27001, ISO 27018/19, ISO 27036), SOC2, PCI-DSS, HIPAA, CAIQ, NIST
  • Past security incidents or breaches suffered by their clients
  • Annual spend and Security rating of the Third Party
  • Reliance on the Third Party offerings

Process gathered information to calculate the Inherent Risk and rightly classify the Third Party category

Tiering of Third Parties (see below) is commonly classified into 3 Tiers but organizations can define additional tiers as per requirement

  • Classify the applicable types of Inherent risks (e.g., Compliance Risk, Operational Risk, Strategic Risk, Reputational Risk, Information Security Risk, Financial and Credit Risk, Geopolitical Risk, Concentration Risk, Transactional Risk)

Defentrix Offering

Build a TPRM security baseline document as a ready reckoner for Business & Third Parties

  • Inputs from the Security Leadership, Internal Standards and TPRM function
  • Align the baseline to the objective of TPRM program

Tiering of Third Party based on the Inherent Risk rating

  • Capture key details
  1. Region, products/services offered
  2. Type of data exposure, technology and integration
  3. Applicable regulations and laws (local and federal)
  4. Security governance documentation
  • Tier based evaluation of inherent risk (Tier 1,2,3 etc.)
  • Determine and establish the potential impact and type of applicable risks (Compliance Risk, Operational Risk, Strategic Risk, Reputational Risk, Information Security Risk, Financial and Credit Risk, Geopolitical Risk, Concentration Risk, Transaction Risk)

Target mitigation of Inherent risk exposure before onboarding

  • Prioritize identified risk and evaluate viable controls
  • Validate compensating controls to minimize risk exposure to acceptable level

Gain inputs to security due diligence

  • Determine the variation level of assessment (e.g., Comprehensive, Moderate or Lite)
  • Proactive communication to support cross-functional teams

Guidance to Procurement to follow defined approach while processing onboarding requests

  • Guidelines or playbooks facilitating BAU
  • Uniform tracking of SLA, process and escalation procedure

Define metrics to track the volume, effort, SLA, approvals, rejections, no. of risks observed etc.

  • Determine operational load, capacity and forecast to manage resources
  • Track cross function activities with pre-defined SLAs

Custom reports that helps with statistics and trends

  • Periodic reports for senior management
  • Trends for executive and board

Benefits of Associating with Defentrix Third Party Pre-Onboarding Services

Central repository of potential Third Parties and appropriate tiering

Establish accurate trigger points for security due diligence

Early insights/optics into Inherent risk, especially for critical business requirements

Contribute to shorter Turn-around-Time (TAT) to perform end-to-end assessments

Enable senior management to consciously decide whether or not to proceed with onboarding Third Parties, thus, reducing Inherent risk and saving time & effort to accomplish pre-onboarding
Helps to proactively keep maximum risk out before engaging with Third Party (e.g., common scenarios POC, Evaluation, RFP negotiation)
Helps in identifying categories of Third Parties that could be part of exclusion list saving effort to perform due diligence (e.g., Government, law enforcement, Utility etc.)
Easy transition to Security due diligence phase
Gain guidance to contractual clauses at the get go
Fast track evaluation of Third Parties before on-boarding

Worried about your Information Security and TPRM?

Contact us today for complete consulting and implementation of Information Security

Latest Resources

2024 Leadership Vision for Third Party Risk Management (TPRM)

2024 Leadership Vision for Third Party Risk Management (TPRM)

CISOs have a diverse array of rapidly evolving priorities, threats, demands, regulatory pressures, and technology changes to address. Leaders need a structured approach to today's security and risk landscape covering third-party risk. This blog sheds light on...

TPRM Awareness, upskill and cross skill

TPRM Awareness, upskill and cross skill

The security world is very diversified, with the majority of the organizations practicing defensive security while a few have adopted offensive security as well. Security professionals need to keep abreast with developments in Third Party Risk Management space and...

DPDP Act 2023 (India) and Third Party Risk Management (TPRM)

DPDP Act 2023 (India) and Third Party Risk Management (TPRM)

The impact of globalization, social networking, outsourcing, adoption of cloud and technologies, cross border data flows are some of the prominent reasons why data collection and sharing is ubiquitous in this digital age. Many countries have realized the importance of...