The term “confidential records” can sometimes be confusing. If your organization has formally defined this term in policy, refer to the policy for official guidance. In the absence of a policy definition, confidential records are those that fit one (or more) of the following criteria:

Information protected by legal contract; NDA, confidentiality agreement, etc.

Inclusion of confidential records into vendor relationship should have adverse effect on inherent risk.  

A company hires a vendor to collate, stuff envelopes, and process fundraising mail that contains customer information including customer names and addresses.Since the envelopes weren’t sealed, and the vendor’s employees would have access to the mailing content, this would qualify as personally-identifiable information.  

Another company hires a software vendor that processes online health forms for their website, and customer information is stored on a cloud-based server.The vendor is processing protective health information (PHI), and this information is saved on their cloud-based server.  
​

Approximate the number of confidential records that are shared with or accessed by this third-party. In some cases, it might make sense to estimate high for the sake of safety and security.

The higher the number of confidential records, the higher the inherent risk.
​

Approximate the number of non-confidential records that are shared with or access by this third-party. Non-confidential records are those that don’t fit the organization’s definition (explicit or implied) of confidential records. If these records were disclosed publicly, they wouldn’t cause significant damage to our organization.

The higher the number of non-confidential records, the higher the inherent risk.

A client booked an event with a vendor at a local hotel, and this event is open to the public.Knowledge of the time and place of the booking would be considered non-confidential. If information of the booking was released at an earlier time it would have minimal damage.

A larger company hires a vendor, a local cleaning supplier. The cleaning supplier buys cleaning supplies wholesale and delivers them to the larger company. The larger company has many locations, and they generate a lot of invoices (without cc information) and receipts. The invoices and receipts generated by the cleaning supplier would be considered non-confidential records.
​

Two types of access; physical and logical.

Physical access means that this third-party (or an agent of this third-party) is provided with physical access to one or more of our facilities in order to perform a service to our organization. They are physically present.

Logical access is sometimes referred to as electronic access. Logical access means that this third-party has been granted computer system access, either locally or remotely, in order to perform a service to our organization. One telltale example is if a computer user account is provided.

Logical access is slightly riskier in most cases, and has an adverse impact on inherent risk. Either type of access is inherently riskier than no access at all. 

Physical Access:
Cleaning service that comes in and cleans the facilities each night.

HVAC technician that services the air duct work when it needs repairs.

Logical Access:
Free video editing software downloaded on the employees’ computers, and files are saved on a cloud-based server provided by the same software provider.
​

There are two points in this question; one is related to confidential information and the second is related to the word “offsite.” Taking confidential information offsite can include physically taking information offsite, but it also includes the transfer of information electronically to another location not owned and operated by our organization.

Inherent risk is higher for “Yes” than “No.”

A company uses a temp agency and hires new contractors and gives them laptops to work remotely.The information on the contractors’ laptops, at the very least, hold confidential company intellectual property.
​

In some cases the answer to this question is obvious; however, in most cases the answer to this question isn’t so clear.  A better way to think of this might be to ask yourself the following question; “Would our organization’s business be severely disrupted if this third-party service were unavailable for an extended period of time?"  If you’re still not sure, it might make sense to err on the side of caution and choose “yes.”  The third-party relationship can be reclassified later if necessary.

Inherent risk is higher for “yes” than “no and unsure.”Inherent risk for “Unsure” is higher than “No.”

A direct mailing company relies on the USPS to provide bulk postal services.  If, for some reason, the USPS wasn’t able to provide services, or not able to provide services at an agreeable bulk rate, the company may have to either increase prices to their clients or possibly go out of business.

Conversely, if there are many competitors that offer similar rates, then this may not be a mission critical situation, as the company would be able to utilize the services of a competitor.  However, this would depend on the terms of their previous contract.