Question
Are confidential records shared with or accessed by this third-party?
The term “confidential records” can sometimes be confusing. If your organization has formally defined this term in policy, refer to the policy for official guidance. In the absence of a policy definition, confidential records are those that fit one (or more) of the following criteria:
Personally-identifiable information (PII), including names, physical addresses, email addresses or any other information that identifies a specific individual.
Protected health information (PHI)
Intellectual property
Financial information
Information protected by legal contract; NDA, confidentiality agreement, etc.
Scoring
Inclusion of confidential records in a vendor relationship should have an adverse effect on inherent risk.
Examples
A company hires a vendor to collate, stuff envelopes, and process fundraising mail that contains customer information, including customer names and addresses. Since the envelopes weren’t sealed, and the vendor’s employees would have access to the mailing content, this would qualify as personally-identifiable information.
Another company hires a software vendor that processes online health forms for their website, and customer information is stored on a cloud-based server. The vendor is processing protected health information (PHI), and this information is saved on their cloud-based server.
Question
How many confidential records are shared with or accessed by this third-party?
Approximate the number of confidential records that are shared with or accessed by this third-party. In some cases, it might make sense to estimate high for the sake of safety and security.
Scoring
The higher the number of confidential records, the higher the inherent risk.
Question
How many non-confidential records are shared with or accessed by this third-party?
Approximate the number of non-confidential records that are shared with or accessed by this third-party. Non-confidential records are those that don’t fit the organization’s definition (explicit or implied) of confidential records. If these records were disclosed publicly, they wouldn’t cause significant damage to our organization.
Scoring
The higher the number of non-confidential records, the higher the inherent risk.
Examples
A client booked an event with a vendor at a local hotel, and this event is open to the public. Knowledge of the time and place of the booking would be considered non-confidential. If information about the booking were released early, it would cause minimal damage.
A larger company hires a vendor, a local cleaning supplier. The cleaning supplier buys cleaning supplies wholesale and delivers them to the larger company. The larger company has many locations, and they generate a lot of invoices (without cc information) and receipts. The invoices and receipts generated by the cleaning supplier would be considered non-confidential records.
Question
Does this third-party have physical or logical access to our organization?
There are two types of access: physical and logical.
Physical access means that this third-party (or an agent of this third-party) is provided with physical access to one or more of our facilities in order to perform a service to our organization. They are physically present.
Logical access is sometimes referred to as electronic access. Logical access means that this third-party has been granted computer system access, either locally or remotely, in order to perform a service to our organization. One telltale sign is that a computer user account has been provided to the third-party.
Scoring
Logical access is slightly riskier in most cases and has an adverse impact on inherent risk. Either type of access is inherently riskier than no access at all.
Examples
Physical Access:
Cleaning service that comes in and cleans the facilities each night.
HVAC technician that services the air duct work when it needs repairs.
Logical Access:
Free video editing software downloaded on the employees’ computers, and files are saved on a cloud-based server provided by the same software provider.
Question
Is confidential information taken offsite by this third-party?
There are two points in this question: one is related to confidential information and the second is related to the word “offsite.” Taking confidential information offsite can mean physically carrying information offsite, but it also includes transferring information electronically to another location not owned and operated by our organization.
Scoring
Inherent risk is higher for “Yes” than “No.”
Example
A company uses a temp agency to hire new contractors and gives them laptops to work remotely. The information on the contractors’ laptops, at the very least, holds confidential company intellectual property.
Question
Does this third-party provide a service that is mission critical to our organization?
In some cases the answer to this question is obvious; however, in most cases the answer isn’t so clear. A better way to think of this might be to ask yourself the following question: “Would our organization’s business be severely disrupted if this third-party service were unavailable for an extended period of time?” If you’re still not sure, it might make sense to err on the side of caution and choose “Yes.” The third-party relationship can be reclassified later if necessary.
Scoring
Inherent risk is higher for “Yes” than for “No” or “Unsure.” Inherent risk for “Unsure” is higher than for “No.”
Example
A direct mailing company relies on the USPS to provide bulk postal services. If, for some reason, the USPS wasn’t able to provide services, or couldn’t provide them at an agreeable bulk rate, the company might have to either increase prices to its clients or possibly go out of business.
Conversely, if there are many competitors that offer similar rates, this may not be a mission-critical situation, as the company would be able to use the services of a competitor. However, this would depend on the terms of its previous contract.